add initial fw configs

2023-11-10 18:40:26 +01:00
parent aaf92c8953
commit 3260eaf3a3
10 changed files with 301 additions and 0 deletions
--- a/hosts/fw.cloonar.com/modules/avahi.nix
+++ b/hosts/fw.cloonar.com/modules/avahi.nix
@@ -0,0 +1,10 @@
+{ ... }: {
+  services.avahi = {
+    enable = true;
+    reflector = true;
+    interfaces = [
+      "lan"
+      "multimedia"
+    ];
+  };
+}
--- a/hosts/fw.cloonar.com/modules/dhcp4.nix
+++ b/hosts/fw.cloonar.com/modules/dhcp4.nix
@@ -0,0 +1,45 @@
+{ ... }: {
+  services.dhcpd4 = {
+    enable = true;
+    interfaces = [ "lan" "server" "smart" "multimedia" "guest" ];
+    extraConfig = ''
+      option domain-name-servers 10.42.97.1, 9.9.9.9;
+      option subnet-mask 255.255.255.0;
+
+      subnet 10.42.96.0 netmask 255.255.255.0 {
+        option broadcast-address 10.42.96.255;
+        option routers 10.42.97.1;
+        interface lan;
+        range 10.42.96.128 10.42.96.254;
+      }
+
+      subnet 10.42.97.0 netmask 255.255.255.0 {
+        option broadcast-address 10.42.97.255;
+        option routers 10.42.97.1;
+        interface server;
+        range 10.42.96.128 10.42.97.254;
+      }
+
+      subnet 10.42.99.0 netmask 255.255.255.0 {
+        option broadcast-address 10.42.99.255;
+        option routers 10.42.99.1;
+        interface multimedia;
+        range 10.42.99.128 10.42.99.254;
+      }
+
+      subnet 10.42.100.0 netmask 255.255.255.0 {
+        option broadcast-address 10.42.100.255;
+        option routers 10.42.100.1;
+        interface smart;
+        range 10.42.100.128 10.42.100.254;
+      }
+
+      subnet 10.42.254.0 netmask 255.255.255.0 {
+        option broadcast-address 10.42.254.255;
+        option routers 10.42.254.1;
+        interface guest;
+        range 10.42.100.128 10.42.254.254;
+      }
+    '';
+  };
+}
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -0,0 +1,87 @@
+{ ... }: {
+  networking = {
+    nat.enable = false;
+    firewall.enable = false;
+    nftables = {
+      enable = true;
+      ruleset = ''
+        table inet filter {
+          # enable flow offloading for better throughput
+          flowtable f {
+            hook ingress priority 0;
+            devices = { lan, server, wg0, smart, multimedia, guest };
+          }
+
+          chain output {
+            type filter hook output priority 100; policy accept;
+          }
+
+          chain input {
+            type filter hook input priority filter; policy drop;
+
+            # Allow trusted networks to access the router
+            iifname {
+              "lan",
+              "wg0"
+            } counter accept
+
+            # Accept mDNS for avahi reflection
+            iifname "multimedia" ip saddr <chromecast IP> tcp dport { llmnr } counter accept
+            iifname "multimedia" ip saddr <chromecast IP> udp dport { mdns, llmnr } counter accept
+
+            # Allow returning traffic from wg0 and drop everthing else
+            iifname "wg0" ct state { established, related } counter accept
+            iifname "wg0" drop
+          }
+
+          chain forward {
+            type filter hook forward priority filter; policy drop;
+
+            # enable flow offloading for better throughput
+            ip protocol { tcp, udp } flow offload @f
+
+            # multimedia airplay
+            iifname "multimedia" oifname { "lan" } counter accept
+
+            # lan and vpn to any
+            iifname { "lan", "wg0" } oifname { "server", "multimedia", "smart", "wrwks" } counter accept
+
+            # Allow trusted network WAN access
+            iifname {
+              "lan",
+              "server",
+              "multimedia",
+              "smart",
+              "wg0",
+            } oifname {
+              "wan",
+            } counter accept comment "Allow trusted LAN to WAN"
+
+            # Allow established WAN to return
+            iifname {
+              "wan",
+            } oifname {
+              "lan",
+              "server",
+              "multimedia",
+              "smart",
+              "wg0",
+            } ct state established,related counter accept comment "Allow established back to LANs"
+          }
+        }
+
+        table ip nat {
+          chain prerouting {
+            type nat hook prerouting priority filter; policy accept;
+          }
+
+          # Setup NAT masquerading on the ppp0 interface
+          chain postrouting {
+            type nat hook postrouting priority filter; policy accept;
+            oifname { "wan", "wrwks" } masquerade
+          }
+        }
+      '';
+    };
+  };
+}
--- a/hosts/fw.cloonar.com/modules/networking.nix
+++ b/hosts/fw.cloonar.com/modules/networking.nix
@@ -0,0 +1,74 @@
+{ ... }: {
+  networking = {
+    useDHCP = false;
+    nameserver = [ "9.9.9.9" "149.112.112.112" ];
+    # Define VLANS
+    vlans = {
+      wan = {
+        id = 10;
+        interface = "enp1s0";
+      };
+      lan = {
+        id = 1;
+        interface = "enp2s0";
+      };
+      server = {
+        id = 2;
+        interface = "enp3s0";
+      };
+      multimedia = {
+        id = 3;
+        interface = "enp4s0";
+      };
+      smart = {
+        id = 4094;
+        interface = "enp4s0";
+      };
+      guest = {
+        id = 100;
+        interface = "enp4s0";
+      };
+    };
+
+    interfaces = {
+      # Don't request DHCP on the physical interfaces
+      enp1s0.useDHCP = false;
+      enp2s0.useDHCP = false;
+      enp3s0.useDHCP = false;
+      enp4s0.useDHCP = false;
+      
+      # Handle the VLANs
+      wan.useDHCP = true;
+      lan = {
+        ipv4.addresses = [{
+          address = "10.42.96.1";
+          prefixLength = 24;
+        }];
+      };
+      server = {
+        ipv4.addresses = [{
+          address = "10.42.97.1";
+          prefixLength = 24;
+        }];
+      };
+      multimedia = {
+        ipv4.addresses = [{
+          address = "10.42.99.1";
+          prefixLength = 24;
+        }];
+      };
+      smart = {
+        ipv4.addresses = [{
+          address = "10.42.100.1";
+          prefixLength = 24;
+        }];
+      };
+      guest = {
+        ipv4.addresses = [{
+          address = "10.42.254.1";
+          prefixLength = 24;
+        }];
+      };
+    };
+  };
+}
--- a/hosts/fw.cloonar.com/modules/openconnect.nix
+++ b/hosts/fw.cloonar.com/modules/openconnect.nix
@@ -0,0 +1,10 @@
+{ ... }: {
+  networking.openconnect.interfaces = {
+    wrwks = {
+      gateway = "vpn.wrwks.at";
+      passwordFile = "/var/lib/secrets/openconnect-passwd";
+      protocol = "anyconnect";
+      user = "exdpolakovics@wrwks.local";
+    };
+  };
+}