feat: add firezone gateway and allow trafic

2025-10-11 07:10:39 +02:00 · 2025-03-16 22:38:03 +01:00 · 2025-03-16 22:38:03 +01:00 · c4891afe7d
commit c4891afe7d
parent 3725789765
10 changed files with 54 additions and 2 deletions
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -169,6 +169,7 @@
      {
        untrusted.interfaces = [ "wan" ];
        proxy-home.interfaces = [ "proxy-home" ];
+        firezone.interfaces = [ "tun-firezone" ];
        adguardhome.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ];
        adguardhome.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 ];
        web-proxy.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4 ];
@ -260,6 +261,28 @@
        to = [ "proxy-home" ];
        verdict = "accept";
      };
+
+      # masquerade firezone traffic
+      masquerade-firezone = {
+        from = [ "firezone" ];
+        to = [ "vlan-services" ];
+        masquerade = true;
+        late = true; # Only accept after any rejects have been processed
+        verdict = "accept";
+      };
+
+      # forward firezone traffic
+      forward-incoming-firezone-traffic = {
+        from = [ "firezone" ];
+        to = [ "vlan-services" ];
+        verdict = "accept";
+      };
+
+      forward-outgoing-firezone-traffic = {
+        from = [ "vlan-services" ];
+        to = [ "firezone" ];
+        verdict = "accept";
+      };
    };
  };