sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: finally forward ipv6 traffic

Browse source 
(i know ULA snat is not _the way_, but here we are anyway)
This commit is contained in:
oddlama 2025-04-27 12:40:46 +02:00
parent 3f3573a1e2
commit 9422389c9c
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
1 changed files with 157 additions and 111 deletions
Download patch file Download diff file Expand all files Collapse all files

268
hosts/ward/net.nix
View file

@ -6,6 +6,7 @@
}: }:
{ {
boot.kernel.sysctl."net.ipv4.ip_forward" = 1; boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
networking.hostId = config.repo.secrets.local.networking.hostId; networking.hostId = config.repo.secrets.local.networking.hostId;
globals.monitoring.ping.ward = { globals.monitoring.ping.ward = {
@ -164,124 +165,169 @@
} }
); );
networking.nftables.firewall = { networking.nftables = {
zones = firewall = {
{ zones =
untrusted.interfaces = [ "wan" ]; {
proxy-home.interfaces = [ "proxy-home" ]; untrusted.interfaces = [ "wan" ];
firezone.interfaces = [ "tun-firezone" ]; proxy-home.interfaces = [ "proxy-home" ];
adguardhome.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ]; firezone.interfaces = [ "tun-firezone" ];
adguardhome.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 ]; adguardhome.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4 ];
web-proxy.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4 ]; adguardhome.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv6 ];
web-proxy.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv6 ]; web-proxy.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4 ];
samba.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv4 ]; web-proxy.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv6 ];
samba.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv6 ]; samba.ipv4Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv4 ];
scanner-ads-4300n.ipv4Addresses = [ samba.ipv6Addresses = [ globals.net.home-lan.vlans.services.hosts.sire-samba.ipv6 ];
globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv4 scanner-ads-4300n.ipv4Addresses = [
]; globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv4
scanner-ads-4300n.ipv6Addresses = [ ];
globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv6 scanner-ads-4300n.ipv6Addresses = [
]; globals.net.home-lan.vlans.devices.hosts.scanner-ads-4300n.ipv6
} ];
// lib.flip lib.concatMapAttrs globals.net.home-lan.vlans (
vlanName: _: {
"vlan-${vlanName}".interfaces = [ "me-${vlanName}" ];
} }
); // lib.flip lib.concatMapAttrs globals.net.home-lan.vlans (
vlanName: _: {
"vlan-${vlanName}".interfaces = [ "me-${vlanName}" ];
}
);
rules = { rules = {
masquerade-internet = { masquerade-internet = {
from = [ from = [
"vlan-services" "vlan-services"
"vlan-home" "vlan-home"
"vlan-devices" "vlan-devices"
"vlan-guests" "vlan-guests"
]; ];
to = [ "untrusted" ]; to = [ "untrusted" ];
masquerade = true; # masquerade = true; NOTE: custom rule below for ip4 + ip6
late = true; # Only accept after any rejects have been processed late = true; # Only accept after any rejects have been processed
verdict = "accept"; verdict = "accept";
};
# masquerade firezone traffic
masquerade-firezone = {
from = [ "firezone" ];
to = [ "vlan-services" ];
# masquerade = true; NOTE: custom rule below for ip4 + ip6
late = true; # Only accept after any rejects have been processed
verdict = "accept";
};
# Allow access to the AdGuardHome DNS server from any VLAN that has internet access
access-adguardhome-dns = {
from = [
"vlan-services"
"vlan-home"
"vlan-devices"
"vlan-guests"
];
to = [ "adguardhome" ];
verdict = "accept";
};
# Allow access to the web proxy from the devices VLAN
access-web-proxy = {
from = [
"vlan-devices"
];
to = [ "web-proxy" ];
allowedTCPPorts = [
80
443
];
allowedUDPPorts = [ 443 ];
verdict = "accept";
};
# Allow the scanner to access samba via SFTP
access-samba-sftp = {
from = [ "scanner-ads-4300n" ];
to = [ "samba" ];
allowedTCPPorts = [ 22 ];
};
# Allow devices in the home VLAN to talk to any of the services or home devices.
access-services = {
from = [ "vlan-home" ];
to = [
"vlan-services"
"vlan-devices"
"vlan-iot"
];
late = true;
verdict = "accept";
};
# Allow the services VLAN to talk to our wireguard server
services-to-local = {
from = [ "vlan-services" ];
to = [ "local" ];
allowedUDPPorts = [ config.wireguard.proxy-home.server.port ];
};
# Forward traffic between wireguard participants
forward-proxy-home-vpn-traffic = {
from = [ "proxy-home" ];
to = [ "proxy-home" ];
verdict = "accept";
};
# forward firezone traffic
forward-incoming-firezone-traffic = {
from = [ "firezone" ];
to = [ "vlan-services" ];
verdict = "accept";
};
forward-outgoing-firezone-traffic = {
from = [ "vlan-services" ];
to = [ "firezone" ];
verdict = "accept";
};
}; };
};
# Allow access to the AdGuardHome DNS server from any VLAN that has internet access chains.postrouting = {
access-adguardhome-dns = {
from = [
"vlan-services"
"vlan-home"
"vlan-devices"
"vlan-guests"
];
to = [ "adguardhome" ];
verdict = "accept";
};
# Allow access to the web proxy from the devices VLAN
access-web-proxy = {
from = [
"vlan-devices"
];
to = [ "web-proxy" ];
allowedTCPPorts = [
80
443
];
allowedUDPPorts = [ 443 ];
verdict = "accept";
};
# Allow the scanner to access samba via SFTP
access-samba-sftp = {
from = [ "scanner-ads-4300n" ];
to = [ "samba" ];
allowedTCPPorts = [ 22 ];
};
# Allow devices in the home VLAN to talk to any of the services or home devices.
access-services = {
from = [ "vlan-home" ];
to = [
"vlan-services"
"vlan-devices"
"vlan-iot"
];
late = true;
verdict = "accept";
};
# Allow the services VLAN to talk to our wireguard server
services-to-local = {
from = [ "vlan-services" ];
to = [ "local" ];
allowedUDPPorts = [ config.wireguard.proxy-home.server.port ];
};
# Forward traffic between wireguard participants
forward-proxy-home-vpn-traffic = {
from = [ "proxy-home" ];
to = [ "proxy-home" ];
verdict = "accept";
};
# masquerade firezone traffic
masquerade-firezone = { masquerade-firezone = {
from = [ "firezone" ]; after = [ "hook" ];
to = [ "vlan-services" ]; late = true;
masquerade = true; rules =
late = true; # Only accept after any rejects have been processed lib.forEach
verdict = "accept"; [
"firezone"
]
(
zone:
lib.concatStringsSep " " [
"meta protocol { ip, ip6 }"
(lib.head config.networking.nftables.firewall.zones.${zone}.ingressExpression)
(lib.head config.networking.nftables.firewall.zones.vlan-services.egressExpression)
"masquerade random"
]
);
}; };
# forward firezone traffic masquerade-internet = {
forward-incoming-firezone-traffic = { after = [ "hook" ];
from = [ "firezone" ]; late = true;
to = [ "vlan-services" ]; rules =
verdict = "accept"; lib.forEach
}; [
"vlan-services"
forward-outgoing-firezone-traffic = { "vlan-home"
from = [ "vlan-services" ]; "vlan-devices"
to = [ "firezone" ]; "vlan-guests"
verdict = "accept"; ]
(
zone:
lib.concatStringsSep " " [
"meta protocol { ip, ip6 }"
(lib.head config.networking.nftables.firewall.zones.${zone}.ingressExpression)
(lib.head config.networking.nftables.firewall.zones.untrusted.egressExpression)
"masquerade random"
]
);
}; };
}; };
}; };