try macvlan again

2023-12-04 11:50:24 +01:00
parent 5daf793143
commit 906725fb9b
3 changed files with 23 additions and 19 deletions
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -126,6 +126,7 @@
            # Allow trusted networks to access the router
            iifname {
              "wan", # disable when final
+              "server",
              "lan",
              "wg_cloonar"
            } counter accept
@@ -133,6 +134,7 @@
            # Allow networks to access the dns and dhcp
            iifname {
              "lan",
+              "server",
              "vb-*",
              "podman0",
              "infrastructure",
@@ -142,6 +144,7 @@
            } udp dport { 53, 67, 68 } counter accept
            iifname {
              "lan",
+              "server",
              "podman0",
              "vb-*",
              "infrastructure",
@@ -172,11 +175,11 @@
            # multimedia airplay
            iifname "multimedia" oifname { "lan" } counter accept

-            iifname { "vb-*" } oifname { "server" } counter accept comment "from internal interfaces"
+            # iifname { "vb-*" } oifname { "server" } counter accept comment "from internal interfaces"

            # lan and vpn to any
            # TODO: disable wan when finished
-            iifname { "wan", "lan", "vb-*", "podman0", "wg_cloonar" } oifname { "lan", "vb-*", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
+            iifname { "wan", "lan", "server", "vb-*", "podman0", "wg_cloonar" } oifname { "lan", "vb-*", "server", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
            iifname { "infrastructure" } oifname { "podman0", "vb-omada" } counter accept

            # Allow trusted network WAN access
@@ -184,6 +187,7 @@
              "lan",
              "infrastructure",
              "vb-*",
+              "server"
              "podman0",
              "multimedia",
              "smart",
@@ -200,14 +204,14 @@
          }

          chain post {
-            iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
+            # iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
          }

          # Setup NAT masquerading on external interfaces
          chain postrouting {
            type nat hook postrouting priority filter; policy accept;
            oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
-            iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
+            # iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
          }
        }
      '';