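{ ... }: {
  # The built-in NixOS NAT and firewall are switched off so the nftables ruleset
  # below is the only packet filter on this host. That also means nothing else
  # provides the usual baseline (loopback, established/related) - it has to be
  # written here explicitly.
  networking = {
    nat.enable = false;
    firewall.enable = false;
    nftables = {
      enable = true;
      ruleset = ''
        table inet filter {
          # enable flow offloading for better throughput
          # NOTE(review): "wan" is not a flowtable device, so LAN<->WAN flows stay on
          # the slow path; presumably deliberate (ppp?) - confirm.
          flowtable f {
            hook ingress priority 0;
            devices = { lan, server, wg0, smart, multimedia, guest };
          }
          chain output {
            type filter hook output priority 100; policy accept;
          }
          chain input {
            type filter hook input priority filter; policy drop;
            # Loopback must be accepted explicitly: with the NixOS firewall disabled
            # and policy drop, local services (resolver, avahi, ...) could not talk
            # to the host itself otherwise.
            iif lo accept
            # Drop invalid conntrack entries; accept replies to the router's own
            # outbound connections (DNS, NTP, nix fetches), which a plain policy
            # drop would otherwise never let back in.
            ct state invalid drop
            ct state established,related accept
            # Allow trusted networks to access the router. wg0 is fully trusted here;
            # the previous "wg0: established only, then drop" pair was shadowed by
            # this rule and has been removed. If the VPN should only get return
            # traffic, take "wg0" out of this set instead.
            iifname {
              "lan",
              "wg0"
            } counter accept
            # Accept mDNS/LLMNR from the Chromecast for avahi reflection.
            # <chromecast IP> is a placeholder in this copy; nft will refuse to load
            # the ruleset until it is replaced with a real address.
            iifname "multimedia" ip saddr <chromecast IP> tcp dport { llmnr } counter accept
            iifname "multimedia" ip saddr <chromecast IP> udp dport { mdns, llmnr } counter accept
            # NOTE(review): no ICMP/ICMPv6 rule. If IPv6 is routed on this host,
            # neighbour discovery from the non-trusted interfaces is dropped - confirm.
          }
          chain forward {
            type filter hook forward priority filter; policy drop;
            ct state invalid drop
            # enable flow offloading for better throughput.
            # meta l4proto rather than ip protocol: in an inet table the latter only
            # matches IPv4. Limited to established flows so a connection is offloaded
            # only after its first packet was accepted by the rules below; once a flow
            # is in the flowtable its packets no longer traverse this chain.
            meta l4proto { tcp, udp } ct state established flow offload @f
            # Replies for any connection accepted below, in either direction. Previously
            # only wan->LAN replies had an accept rule; inter-VLAN replies (e.g.
            # server->lan) had none and, if they got through at all, did so only via
            # the offload fast path. The old "Allow established back to LANs" rule is
            # covered by this one.
            ct state established,related counter accept comment "Allow established back"
            # multimedia airplay
            iifname "multimedia" oifname { "lan" } counter accept
            # lan and vpn to any
            iifname { "lan", "wg0" } oifname { "server", "multimedia", "smart", "wrwks" } counter accept
            # Allow trusted network WAN access
            iifname {
              "lan",
              "server",
              "multimedia",
              "smart",
              "wg0",
            } oifname {
              "wan",
            } counter accept comment "Allow trusted LAN to WAN"
          }
        }
        table ip nat {
          chain prerouting {
            type nat hook prerouting priority filter; policy accept;
          }
          # Masquerade IPv4 leaving through the upstream interfaces (wan, wrwks)
          chain postrouting {
            type nat hook postrouting priority filter; policy accept;
            oifname { "wan", "wrwks" } masquerade
          }
        }
      '';
    };
  };
}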