| author | Karel Kočí <cynerd@email.cz> | 2023-01-22 23:41:59 +0100 | 
|---|---|---|
| committer | Karel Kočí <cynerd@email.cz> | 2023-01-22 23:41:59 +0100 | 
| commit | d965ae516e238dde8f22234859b81a5a25b7f726 (patch) | |
| tree | 2b292d0d61da9300f91fb13a913fc92778943b55 /nixos/modules/router.nix | |
| parent | 3a87a3276110b86345e3fd73af1ef5a707a5b4b9 (diff) | |
nixos: some initial router configuration
Diffstat (limited to 'nixos/modules/router.nix')
| -rw-r--r-- | nixos/modules/router.nix | 55 | 
1 files changed, 41 insertions, 14 deletions
diff --git a/nixos/modules/router.nix b/nixos/modules/router.nix
index e149633..f5c8668 100644
--- a/nixos/modules/router.nix
+++ b/nixos/modules/router.nix
@@ -18,11 +18,6 @@ in {
         type = types.str;
         description = "Interface for the router's WAN";
       };
-      brlan = mkOption {
-        type = types.str;
-        default = "brlan";
-        description = "LAN interface (commonly some bridge)";
-      };
       lanIP = mkOption {
         type = types.str;
         description = "LAN IP address";
@@ -47,16 +42,34 @@ in {
   config = mkIf cnf.enable {
     networking = {
-      interfaces."${cnf.brlan}".ipv4.addresses = [
-        {
-          address = cnf.lanIP;
-          prefixLength = cnf.lanPrefix;
-        }
-      ];
+      interfaces = {
+        brlan.ipv4.addresses = [
+          {
+            address = cnf.lanIP;
+            prefixLength = cnf.lanPrefix;
+          }
+        ];
+        brguest.ipv4.addresses = [
+          {
+            address = "192.168.1.1";
+            prefixLength = 24;
+          }
+        ];
+      };
+      vlans = {
+        "brlan.guest" = {
+          interface = "brlan";
+          id = 100;
+        };
+      };
+      bridges = {
+        brlan.interfaces = [];
+        brguest.interfaces = ["brlan.guest"];
+      };
       nat = {
         enable = true;
         externalInterface = cnf.wan;
-        internalInterfaces = [cnf.brlan];
+        internalInterfaces = ["brlan" "brguest"];
       };
       dhcpcd.allowInterfaces = [cnf.wan];
       nameservers = ["1.1.1.1" "8.8.8.8"];
@@ -65,7 +78,7 @@ in {
     services.dhcpd4 = {
       enable = true;
       authoritative = true;
-      interfaces = [cnf.brlan];
+      interfaces = ["brlan" "brguest"];
       extraConfig = ''
         option domain-name-servers 1.1.1.1, 8.8.8.8;
         subnet ${ipv4.prefix2ip cnf.lanIP cnf.lanPrefix} netmask ${ipv4.prefix2netmask cnf.lanPrefix} {
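Review bot: The guest network is hard-coded to `192.168.1.1/24` in `brguest.ipv4.addresses` while the LAN side comes from `cnf.lanIP`/`cnf.lanPrefix`, and nothing checks that the two subnets do not overlap; `192.168.1.0/24` is a very common LAN default, so a user who sets `lanIP = "192.168.1.1"` ends up with two interfaces in the same subnet, a duplicate router address, and two overlapping dhcpd `subnet` declarations further down, with no evaluation-time error. With the helpers the module already uses, the cheapest guard is an assertion such as `assertions = [{ assertion = ipv4.prefix2ip cnf.lanIP cnf.lanPrefix != "192.168.1.0"; message = "router: LAN and guest subnets overlap"; }];` (exact-match only; a real prefix comparison would be better), or, cleaner, exposing `guestIP`/`guestPrefix` options next to `lanIP`/`lanPrefix` so nothing about the guest segment is baked in. The `"brlan.guest"` entry also deserves a comment: the guest segment is VLAN 100 tagged on the LAN bridge, so L2 separation between LAN and guest rests entirely on every downstream switch keeping guest ports on VLAN 100 only, and `brlan.interfaces = []` means the bridge has no member ports in this hunk (presumably they are attached elsewhere). The enclosing `config = mkIf cnf.enable { ... }` block continues past the end of this hunk.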
@@ -78,6 +91,12 @@ in {
             option subnet-mask ${ipv4.prefix2netmask cnf.lanPrefix};
             option broadcast-address ${ipv4.prefix2broadcast cnf.lanIP cnf.lanPrefix};
         }
+        subnet 192.168.1.0 netmask 255.255.255.0 {
+          range 192.168.1.50 192.168.1.254;
+          option routers 192.168.1.1;
+          option subnet-mask 255.255.255.0;
+          option broadcast-address 192.168.1.255;
+        }
       '';
     };
 
@@ -85,7 +104,7 @@ in {
       # TODO
       enable = false;
       authoritative = true;
-      interfaces = [cnf.brlan];
+      interfaces = ["brlan"];
       extraConfig = ''
       '';
     };
@@ -93,5 +112,13 @@ in {
     services.kresd = {
       enable = false;
     };
+
+    networking.nftables.enable = true;
+    networking.firewall = {
+      filterForward = true;
+      extraForwardRules = ''
+        iifname "brguest" oifname != "${cnf.wan}" drop comment "prevent guest to access lan"
+      '';
+    };
   };
 }
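Review bot: The guest isolation in `extraForwardRules` is order-dependent and the commit does not pin it: `networking.firewall.extraForwardRules` is a plain string option that other modules may also contribute to (the nftables NAT backend, if I recall correctly, adds forward `accept` rules for `internalInterfaces` when `filterForward` is on), and the module system concatenates those definitions in an order this file does not control, so an `accept` covering brguest→brlan can land ahead of this `drop` and silently defeat it. Wrapping the value as `extraForwardRules = mkBefore '' ... '';` makes the drop run first regardless of what other modules append. The rule also only covers the forward chain: nothing in this hunk restricts what hosts on `brguest` may reach on the router itself, so any port opened globally via `allowedTCPPorts` (SSH, for instance) is reachable from guests unless it is scoped per interface with `networking.firewall.interfaces.brlan.allowedTCPPorts`. Lastly, `oifname != wan drop` also discards replies from guests to connections the LAN initiated; if LAN→guest access is intended, an `ct state established,related accept` line belongs before it, and the nftables comment would read better as `"prevent guests from reaching the LAN"`.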
