try macvlan again
This commit is contained in:
@@ -126,6 +126,7 @@
|
|||||||
# Allow trusted networks to access the router
|
# Allow trusted networks to access the router
|
||||||
iifname {
|
iifname {
|
||||||
"wan", # disable when final
|
"wan", # disable when final
|
||||||
|
"server",
|
||||||
"lan",
|
"lan",
|
||||||
"wg_cloonar"
|
"wg_cloonar"
|
||||||
} counter accept
|
} counter accept
|
||||||
@@ -133,6 +134,7 @@
|
|||||||
# Allow networks to access the dns and dhcp
|
# Allow networks to access the dns and dhcp
|
||||||
iifname {
|
iifname {
|
||||||
"lan",
|
"lan",
|
||||||
|
"server",
|
||||||
"vb-*",
|
"vb-*",
|
||||||
"podman0",
|
"podman0",
|
||||||
"infrastructure",
|
"infrastructure",
|
||||||
@@ -142,6 +144,7 @@
|
|||||||
} udp dport { 53, 67, 68 } counter accept
|
} udp dport { 53, 67, 68 } counter accept
|
||||||
iifname {
|
iifname {
|
||||||
"lan",
|
"lan",
|
||||||
|
"server",
|
||||||
"podman0",
|
"podman0",
|
||||||
"vb-*",
|
"vb-*",
|
||||||
"infrastructure",
|
"infrastructure",
|
||||||
@@ -172,11 +175,11 @@
|
|||||||
# multimedia airplay
|
# multimedia airplay
|
||||||
iifname "multimedia" oifname { "lan" } counter accept
|
iifname "multimedia" oifname { "lan" } counter accept
|
||||||
|
|
||||||
iifname { "vb-*" } oifname { "server" } counter accept comment "from internal interfaces"
|
# iifname { "vb-*" } oifname { "server" } counter accept comment "from internal interfaces"
|
||||||
|
|
||||||
# lan and vpn to any
|
# lan and vpn to any
|
||||||
# TODO: disable wan when finished
|
# TODO: disable wan when finished
|
||||||
iifname { "wan", "lan", "vb-*", "podman0", "wg_cloonar" } oifname { "lan", "vb-*", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
|
iifname { "wan", "lan", "server", "vb-*", "podman0", "wg_cloonar" } oifname { "lan", "vb-*", "server", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
|
||||||
iifname { "infrastructure" } oifname { "podman0", "vb-omada" } counter accept
|
iifname { "infrastructure" } oifname { "podman0", "vb-omada" } counter accept
|
||||||
|
|
||||||
# Allow trusted network WAN access
|
# Allow trusted network WAN access
|
||||||
@@ -184,6 +187,7 @@
|
|||||||
"lan",
|
"lan",
|
||||||
"infrastructure",
|
"infrastructure",
|
||||||
"vb-*",
|
"vb-*",
|
||||||
|
"server"
|
||||||
"podman0",
|
"podman0",
|
||||||
"multimedia",
|
"multimedia",
|
||||||
"smart",
|
"smart",
|
||||||
@@ -200,14 +204,14 @@
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain post {
|
chain post {
|
||||||
iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
|
# iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Setup NAT masquerading on external interfaces
|
# Setup NAT masquerading on external interfaces
|
||||||
chain postrouting {
|
chain postrouting {
|
||||||
type nat hook postrouting priority filter; policy accept;
|
type nat hook postrouting priority filter; policy accept;
|
||||||
oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
|
oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
|
||||||
iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
|
# iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
|
|||||||
@@ -101,10 +101,10 @@ in
|
|||||||
extraFlags = [ "-U" ];
|
extraFlags = [ "-U" ];
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
ephemeral = true;
|
ephemeral = true;
|
||||||
# macvlans = [ "vserver" ];
|
macvlans = [ "vserver" ];
|
||||||
privateNetwork = true;
|
# privateNetwork = true;
|
||||||
hostBridge = "server";
|
# hostBridge = "server";
|
||||||
localAddress = "10.42.97.2";
|
# localAddress = "10.42.97.2";
|
||||||
bindMounts = {
|
bindMounts = {
|
||||||
"/var/lib/gitea" = {
|
"/var/lib/gitea" = {
|
||||||
hostPath = "/var/lib/gitea/";
|
hostPath = "/var/lib/gitea/";
|
||||||
@@ -120,9 +120,9 @@ in
|
|||||||
config = { lib, config, pkgs, ... }: {
|
config = { lib, config, pkgs, ... }: {
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "gitea";
|
hostName = "gitea";
|
||||||
interfaces.eth0 = {
|
# interfaces.eth0.useDHCP = true;
|
||||||
useDHCP = true;
|
interfaces.mv-vserver = {
|
||||||
# ipv4.addresses = [ { address = "10.42.97.2"; prefixLength = 24; } ];
|
ipv4.addresses = [ { address = "10.42.97.2"; prefixLength = 24; } ];
|
||||||
};
|
};
|
||||||
# firewall = {
|
# firewall = {
|
||||||
# enable = true;
|
# enable = true;
|
||||||
|
|||||||
@@ -47,15 +47,15 @@
|
|||||||
interface = "enp5s0";
|
interface = "enp5s0";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
# macvlans.server = {
|
macvlans.server = {
|
||||||
# interface = "vserver";
|
interface = "vserver";
|
||||||
# mode = "bridge";
|
mode = "bridge";
|
||||||
|
};
|
||||||
|
# bridges = {
|
||||||
|
# server = {
|
||||||
|
# interfaces = [ "vserver" ];
|
||||||
|
# };
|
||||||
# };
|
# };
|
||||||
bridges = {
|
|
||||||
server = {
|
|
||||||
interfaces = [ "vserver" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
interfaces = {
|
interfaces = {
|
||||||
# Don't request DHCP on the physical interfaces
|
# Don't request DHCP on the physical interfaces
|
||||||
|
|||||||
Reference in New Issue
Block a user