try macvlan again

hosts/fw.cloonar.com/modules/firewall.nix

@@ -126,6 +126,7 @@
             # Allow trusted networks to access the router
             iifname {
               "wan", # disable when final
+              "server",
               "lan",
               "wg_cloonar"
             } counter accept
@@ -133,6 +134,7 @@
             # Allow networks to access the dns and dhcp
             iifname {
               "lan",
+              "server",
               "vb-*",
               "podman0",
               "infrastructure",
@@ -142,6 +144,7 @@
             } udp dport { 53, 67, 68 } counter accept
             iifname {
               "lan",
+              "server",
               "podman0",
               "vb-*",
               "infrastructure",
@@ -172,11 +175,11 @@
             # multimedia airplay
             iifname "multimedia" oifname { "lan" } counter accept
 
-            iifname { "vb-*" } oifname { "server" } counter accept comment "from internal interfaces"
+            # iifname { "vb-*" } oifname { "server" } counter accept comment "from internal interfaces"
 
             # lan and vpn to any
             # TODO: disable wan when finished
-            iifname { "wan", "lan", "vb-*", "podman0", "wg_cloonar" } oifname { "lan", "vb-*", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
+            iifname { "wan", "lan", "server", "vb-*", "podman0", "wg_cloonar" } oifname { "lan", "vb-*", "server", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
             iifname { "infrastructure" } oifname { "podman0", "vb-omada" } counter accept
 
             # Allow trusted network WAN access
@@ -184,6 +187,7 @@
               "lan",
               "infrastructure",
               "vb-*",
+              "server"
               "podman0",
               "multimedia",
               "smart",
@@ -200,14 +204,14 @@
           }
 
           chain post {
-            iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
+            # iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
           }
 
           # Setup NAT masquerading on external interfaces
           chain postrouting {
             type nat hook postrouting priority filter; policy accept;
             oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
-            iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
+            # iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
           }
         }
       '';

hosts/fw.cloonar.com/modules/gitea.nix

@@ -101,10 +101,10 @@ in
     extraFlags = [ "-U" ];
     autoStart = true;
     ephemeral = true;
-    # macvlans = [ "vserver" ];
-    privateNetwork = true;
-    hostBridge = "server";
-    localAddress = "10.42.97.2";
+    macvlans = [ "vserver" ];
+    # privateNetwork = true;
+    # hostBridge = "server";
+    # localAddress = "10.42.97.2";
     bindMounts = {
       "/var/lib/gitea" = {
         hostPath = "/var/lib/gitea/";
@@ -120,9 +120,9 @@ in
     config = { lib, config, pkgs, ... }: {
       networking = {
         hostName = "gitea";
-        interfaces.eth0 = {
-          useDHCP = true;
-          # ipv4.addresses = [ { address = "10.42.97.2"; prefixLength = 24; } ];
+        # interfaces.eth0.useDHCP = true;
+        interfaces.mv-vserver = {
+          ipv4.addresses = [ { address = "10.42.97.2"; prefixLength = 24; } ];
         };
         # firewall = {
         #   enable = true;

hosts/fw.cloonar.com/modules/networking.nix

@@ -47,15 +47,15 @@
         interface = "enp5s0";
       };
     };
-    # macvlans.server = {
-    #   interface = "vserver";
-    #   mode = "bridge";
+    macvlans.server = {
+      interface = "vserver";
+      mode = "bridge";
+    };
+    # bridges = {
+    #   server = {
+    #     interfaces = [ "vserver" ];
+    #   };
     # };
-    bridges = {
-      server = {
-        interfaces = [ "vserver" ];
-      };
-    };
 
     interfaces = {
       # Don't request DHCP on the physical interfaces