
nixos/routnerr-3: WAN simplifications

This commit is contained in:
Matt Layher 2023-09-15 15:12:31 -04:00
parent 0f783464e7
commit cad8c7ff6b
5 changed files with 24 additions and 102 deletions


@ -46,11 +46,8 @@ func (p preference) MarshalText() ([]byte, error) {
}
func main() {
// Fetch IPv4 address and IPv6 prefix for use elsewhere.
var (
wan4 = wanIPv4()
gua6 = wanIPv6Prefix()
)
// Fetch IPv6 prefix for use elsewhere.
gua6 := wanIPv6Prefix()
const trusted = true
@ -62,13 +59,6 @@ func main() {
lan0 = newSubnet("lan0", 10, gua6, trusted)
wg0 = newSubnet("wg0", 20, gua6, trusted)
// When multiple subnets are available, prefer the 10GbE subnet.
tengb0 = func() subnet {
s := newSubnet("tengb0", 110, gua6, trusted)
s.Preference = high
return s
}()
// Untrusted subnets which do not necessarily, have internal DNS records
// and other services deployed on them. The lab subnet is a bit of a
// special case but it's probably best to treat it as hostile.
@ -192,27 +182,8 @@ func main() {
out.addInterface("guest0", guest0)
out.addInterface("iot0", iot0)
out.addInterface("lab0", lab0)
// TODO(mdlayher): re-enable tengb0 when switch is set up.
_ = tengb0
// out.addInterface("tengb0", tengb0)
out.addInterface("wg0", wg0)
// TODO: WANs are special cases and should probably live in their own
// section with different rules.
out.Interfaces["wan0"] = iface{
Name: "wan0",
Preference: medium,
IPv4: wan4,
}
out.Interfaces["wan1"] = iface{
Name: "wan1",
Preference: medium,
}
out.Interfaces["wan2"] = iface{
Name: "wan2",
Preference: medium,
}
// Marshal human-readable JSON for nicer git diffs.
e := json.NewEncoder(os.Stdout)
e.SetIndent("", "\t")
@ -221,21 +192,6 @@ func main() {
}
}
func wanIPv4() netip.Addr {
res, err := http.Get("https://ipv4.icanhazip.com")
if err != nil {
log.Fatalf("failed to perform HTTP request: %v", err)
}
defer res.Body.Close()
b, err := ioutil.ReadAll(res.Body)
if err != nil {
log.Fatalf("failed to read HTTP body: %v", err)
}
return netip.MustParseAddr(strings.TrimSpace(string(b)))
}
func wanIPv6Prefix() netip.Prefix {
res, err := http.Get("https://ipv6.icanhazip.com")
if err != nil {
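Review bot: `wanIPv6Prefix` on L80–L82 is now the generator's only network call, and it still uses `http.Get`, which goes through `http.DefaultClient` with no timeout, so an unresponsive upstream hangs the run instead of failing fast; a client with a deadline, e.g. `c := &http.Client{Timeout: 10 * time.Second}` followed by `res, err := c.Get("https://ipv6.icanhazip.com")`, bounds that. The removed `wanIPv4` read the body with the deprecated `ioutil.ReadAll` and no size cap; if the remaining function mirrors it, `io.ReadAll(io.LimitReader(res.Body, 1<<10))` is the current form and keeps a misbehaving response from being read without limit. The body of `wanIPv6Prefix` continues outside the hunk.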


@ -393,42 +393,6 @@
}
]
},
"wan0": {
"name": "wan0",
"preference": "medium",
"internal_dns": false,
"ipv4": "24.176.13.44",
"ipv6": {
"gua": "",
"ula": "",
"lla": ""
},
"hosts": null
},
"wan1": {
"name": "wan1",
"preference": "medium",
"internal_dns": false,
"ipv4": "",
"ipv6": {
"gua": "",
"ula": "",
"lla": ""
},
"hosts": null
},
"wan2": {
"name": "wan2",
"preference": "medium",
"internal_dns": false,
"ipv4": "",
"ipv6": {
"gua": "",
"ula": "",
"lla": ""
},
"hosts": null
},
"wg0": {
"name": "wg0",
"preference": "medium",


@ -48,19 +48,21 @@ in {
boot = {
kernel = {
sysctl = with vars.interfaces.wan0; {
sysctl = {
# Forward on all interfaces.
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
# By default, not automatically configure any IPv6 addresses.
# By default, do not automatically configure any IPv6 addresses.
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.all.autoconf" = 0;
"net.ipv6.conf.all.use_tempaddr" = 0;
# On WAN, allow IPv6 autoconfiguration and tempory address use.
"net.ipv6.conf.${name}.accept_ra" = 2;
"net.ipv6.conf.${name}.autoconf" = 1;
# On wired WANs, allow IPv6 autoconfiguration and tempory address use.
"net.ipv6.conf.wan0.accept_ra" = 2;
"net.ipv6.conf.wan0.autoconf" = 1;
"net.ipv6.conf.wan1.accept_ra" = 2;
"net.ipv6.conf.wan1.autoconf" = 1;
};
};
};
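Review bot: The comment added on L148 says temporary address use is allowed on the wired WANs, but the hunk sets only `accept_ra` and `autoconf` for wan0 and wan1 and nothing sets `use_tempaddr` for them, so they are left at the `all`-wide 0 from L144 and the comment overstates what is configured. If temporary addresses are intended, add `"net.ipv6.conf.wan0.use_tempaddr" = 2;` and the wan1 counterpart; otherwise reword to `# On wired WANs, accept router advertisements and autoconfigure IPv6 addresses.` The new comment also carries the pre-existing typo `tempory`. Since `accept_ra = 2` is the value that makes the kernel honor RAs even with forwarding enabled, a short clause saying so would make the non-default choice clear to the next reader.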


@ -22,10 +22,11 @@ in {
interfaces =
# Upstream monitoring interfaces.
lib.forEach [ wan0 ] (ifi: {
name = ifi.name;
[{
# Spectrum, Metronet does not provide IPv6 as of September 2023.
names = [ "wan0" ];
monitor = true;
})
}]
# Downstream advertising interfaces.
++ lib.forEach [ mgmt0 lab0 lan0 guest0 iot0 ] (ifi:
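Review bot: The comment on L165, `# Spectrum, Metronet does not provide IPv6 as of September 2023.`, reads as if both providers lack IPv6, yet wan0 is still monitored on L166, so it is unclear which link the sentence is about. If wan0 is the Spectrum link and the other wired WAN is Metronet, `# wan0 (Spectrum) is monitored; Metronet does not provide IPv6 as of September 2023, so its WAN is omitted.` states the decision unambiguously. The interface list expression continues outside the hunk.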


@ -28,8 +28,7 @@ let
mkCSV = lib.concatMapStrings (ifi: "${ifi.name}, ");
# WAN interfaces.
unmetered_wans = with vars.interfaces; [ wan0 wan1 ];
all_wans = with vars.interfaces; [ wan0 wan1 ];
all_wans = "wan0, wan1";
# LAN interfaces, segmented into trusted, limited, and untrusted groups.
metered_lans = with vars.interfaces; [ mgmt0 lan0 ];
@ -90,7 +89,7 @@ in {
# Allow all WANs to selectively communicate with the router.
iifname {
${mkCSV all_wans}
${all_wans}
} jump input_wan
# Always allow router solicitation from any LAN.
@ -192,8 +191,8 @@ in {
iifname {
${mkCSV trusted_lans}
} oifname {
${mkCSV unmetered_wans}
} counter accept comment "Allow trusted LANs to unmetered WANs";
${all_wans}
} counter accept comment "Allow trusted LANs to all WANs";
iifname {
${mkCSV trusted_lans}
@ -208,19 +207,19 @@ in {
${mkCSV limited_lans}
${mkCSV untrusted_lans}
} oifname {
${mkCSV unmetered_wans}
} counter accept comment "Allow limited LANs to unmetered WANs";
${all_wans}
} counter accept comment "Allow limited LANs only to WANs";
# All WANs to trusted LANs.
iifname {
${mkCSV all_wans}
${all_wans}
} oifname {
${mkCSV trusted_lans}
} jump forward_wan_trusted_lan
# Unmetered WANs only to limited/untrusted LANs.
# All WANs to limited/untrusted LANs.
iifname {
${mkCSV unmetered_wans}
${all_wans}
} oifname {
${mkCSV limited_lans}
${mkCSV untrusted_lans}
@ -266,7 +265,7 @@ in {
# NAT IPv4 to all WANs.
iifname {
${mkCSV all_wans}
${all_wans}
} jump prerouting_wans
accept
}
@ -287,7 +286,7 @@ in {
type nat hook postrouting priority 0
# Masquerade IPv4 to all WANs.
oifname {
${mkCSV all_wans}
${all_wans}
} masquerade
}
}
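Review bot: `all_wans` on L180 is now a pre-joined string, so the WAN set can no longer be iterated or checked as a list, and the same names are hardcoded separately in the sysctl and monitoring files of this commit. Keeping it a list and joining at the point of use, `all_wans = lib.concatStringsSep ", " [ "wan0" "wan1" ];`, preserves the interpolation sites unchanged while leaving a single list to share or reuse. The rule comment on L207, `"Allow limited LANs only to WANs"`, could mirror L197 as `"Allow limited LANs to all WANs"` so the two rules read in parallel; the rest of the ruleset continues outside the shown hunks.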