From 520979d85b25e5aa5e9e1e2fc8b94b8c953cdb11 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Mon, 4 Dec 2023 11:16:44 +0100
Subject: [PATCH] try firewall change
---
 hosts/fw.cloonar.com/modules/firewall.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix
index 19429f2..03779de 100644
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -177,6 +177,8 @@
 iifname { "wan", "lan", "vb-*", "podman0", "wg_cloonar" } oifname { "lan", "vb-*", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
 iifname { "infrastructure" } oifname { "podman0", "vb-omada" } counter accept
+ iifname { "vb-*" } oifname { "server" } counter accept comment "from internal interfaces"
+
 # Allow trusted network WAN access
 iifname {
 "lan",
@@ -197,11 +199,15 @@
 type nat hook prerouting priority filter; policy accept;
 }
+ chain post {
+ iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
+ }
+
 # Setup NAT masquerading on external interfaces
 chain postrouting {
 type nat hook postrouting priority filter; policy accept;
 oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
- # iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
+ iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
 }
 }
 '';
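Review bot: The added forward rule `iifname { "vb-*" } oifname { "server" } counter accept` opens every vb-* VM to the `server` interface for any protocol and port, an interface the broad accept rule two lines above pointedly leaves out of its oifname set, and the comment `"from internal interfaces"` does not say which VM or service actually needs the path. If only one VM or one service is the reason, narrow the match (a specific `iifname`, or a `tcp dport { … }` / `udp dport { … }` qualifier) and make the comment name the consumer, e.g. `comment "<vm>: <service> on server"`; otherwise the wildcard quietly becomes the default for every future VM. The enclosing forward chain starts outside the hunk, so I cannot see whether a later reject/drop rule or a conntrack rule bounds this.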
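Review bot: The new `chain post { … }` has no `type nat hook postrouting priority …; policy …;` line, so it is a regular (non-base) chain that nothing jumps to and its masquerade rule is never evaluated; it may also be rejected at load time depending on how the kernel validates nat statements in unreferenced chains. The identical rule is added, uncommented, to `chain postrouting` a few lines below, which is the one that will actually run, so the `post` chain is dead duplicate configuration and should be removed along with its trailing blank line. Separately, masquerading vb-* traffic toward `server` rewrites every VM's source address to the firewall's own address on that interface, so the server can no longer distinguish or filter individual VMs and its logs lose per-VM attribution — if the goal is only reachability, a route or the forward accept is the less lossy fix, and the reason SNAT is needed should be stated in the comment. The enclosing nix string and attribute set start outside the hunk.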