feat: finally forward ipv6 traffic

(i know ULA snat is not _the way_, but here we are anyway)
2025-04-27 12:40:46 +02:00 · 2025-04-27 12:40:46 +02:00 · 9422389c9c
commit 9422389c9c
parent 3f3573a1e2
1 changed files with 157 additions and 111 deletions
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -6,6 +6,7 @@
 }:
 {
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
  networking.hostId = config.repo.secrets.local.networking.hostId;

  globals.monitoring.ping.ward = {
@ -164,7 +165,8 @@
      }
    );

-  networking.nftables.firewall = {
+  networking.nftables = {
+    firewall = {
      zones =
        {
          untrusted.interfaces = [ "wan" ];
@ -198,7 +200,16 @@
            "vlan-guests"
          ];
          to = [ "untrusted" ];
-        masquerade = true;
+          # masquerade = true; NOTE: custom rule below for ip4 + ip6
+          late = true; # Only accept after any rejects have been processed
+          verdict = "accept";
+        };
+
+        # masquerade firezone traffic
+        masquerade-firezone = {
+          from = [ "firezone" ];
+          to = [ "vlan-services" ];
+          # masquerade = true; NOTE: custom rule below for ip4 + ip6
          late = true; # Only accept after any rejects have been processed
          verdict = "accept";
        };
@ -262,15 +273,6 @@
          verdict = "accept";
        };

-      # masquerade firezone traffic
-      masquerade-firezone = {
-        from = [ "firezone" ];
-        to = [ "vlan-services" ];
-        masquerade = true;
-        late = true; # Only accept after any rejects have been processed
-        verdict = "accept";
-      };
-
        # forward firezone traffic
        forward-incoming-firezone-traffic = {
          from = [ "firezone" ];
@ -286,6 +288,50 @@
      };
    };

+    chains.postrouting = {
+      masquerade-firezone = {
+        after = [ "hook" ];
+        late = true;
+        rules =
+          lib.forEach
+            [
+              "firezone"
+            ]
+            (
+              zone:
+              lib.concatStringsSep " " [
+                "meta protocol { ip, ip6 }"
+                (lib.head config.networking.nftables.firewall.zones.${zone}.ingressExpression)
+                (lib.head config.networking.nftables.firewall.zones.vlan-services.egressExpression)
+                "masquerade random"
+              ]
+            );
+      };
+
+      masquerade-internet = {
+        after = [ "hook" ];
+        late = true;
+        rules =
+          lib.forEach
+            [
+              "vlan-services"
+              "vlan-home"
+              "vlan-devices"
+              "vlan-guests"
+            ]
+            (
+              zone:
+              lib.concatStringsSep " " [
+                "meta protocol { ip, ip6 }"
+                (lib.head config.networking.nftables.firewall.zones.${zone}.ingressExpression)
+                (lib.head config.networking.nftables.firewall.zones.untrusted.egressExpression)
+                "masquerade random"
+              ]
+            );
+      };
+    };
+  };
+
  #wireguard.home.server = {
  #  host = todo # config.networking.fqdn;
  #  port = 51192;