authorKjetil Orbekk <kj@orbekk.com>2021-08-05 09:45:51 -0400
committerKjetil Orbekk <kj@orbekk.com>2021-08-05 09:45:51 -0400
commit4b26721ef5125ec662e34d78dd0957686d156670 (patch)
treea2ebbf146491119796c81a2d47a986e5a6049622 /config
parent6d57b3f5e495270a25ca6747a433cd806aa42521 (diff)
bring back he tunnel
Diffstat (limited to 'config')
-rw-r--r--config/dns.nix1
-rw-r--r--config/router.nix49
2 files changed, 32 insertions, 18 deletions
diff --git a/config/dns.nix b/config/dns.nix
index b0e52f6..9b32e6d 100644
--- a/config/dns.nix
+++ b/config/dns.nix
@@ -20,6 +20,7 @@ in
];
extraOptions = ''
serial-update-method unixtime;
+ listen-on-v6 { 2001:470:8e2e:20::d; };
'';
extraConfig = ''
${lib.concatMapStrings (zone: ''
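Review bot: The new `listen-on-v6 { 2001:470:8e2e:20::d; };` hard-codes the tunnel endpoint address, which also appears as the `src` of the route commands in config/router.nix in this same commit, so the two files can drift apart without anything flagging it; a comment such as `# HE tunnel endpoint address; keep in sync with the he0 address in router.nix` would record the dependency. Because this is a globally routable address and router.nix restores the IPv6 default route, named becomes reachable from the internet on that address; the recursion/allow-query settings are not in this hunk, so confirm it answers authoritatively only from there. The enclosing options attribute set begins and ends outside the hunk.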
diff --git a/config/router.nix b/config/router.nix
index 73ba16d..7244882 100644
--- a/config/router.nix
+++ b/config/router.nix
@@ -71,10 +71,7 @@ in {
# Forward dns queries to dnsmasq on LAN interfaces.
domain (ip ip6) table nat chain PREROUTING {
- interface ($DEV_LAN $DEV_UNTRUSTED_LAN) daddr $NET_LAN proto (tcp udp) dport 53 DNAT to 127.0.0.1:2053;
- }
- domain (ip ip6) table filter chain FORWARD {
- interface ($DEV_LAN $DEV_UNTRUSTED_LAN) outerface lo proto (tcp udp) dport 2053 ACCEPT;
+ interface ($DEV_LAN $DEV_UNTRUSTED_LAN) daddr $NET_LAN proto (tcp udp) dport 53 REDIRECT to-ports 2053;
}
domain (ip ip6) table filter {
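Review bot: The comment above the rewritten rule still says `# Forward dns queries to dnsmasq on LAN interfaces.`, but the DNAT-plus-FORWARD pair is replaced by `REDIRECT to-ports 2053`, which hands the queries to the router's own INPUT path instead of forwarding them; suggest `# Redirect LAN DNS queries addressed to the router to dnsmasq on local port 2053 (must be accepted in INPUT).` The `domain (ip ip6)` scope with `daddr $NET_LAN` is carried over from the old rule, so whether `$NET_LAN` matches anything in the ip6 domain is a pre-existing question rather than one this hunk introduces. The `table filter {` block opened on the last line continues in the next hunk.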
@@ -91,10 +88,11 @@ in {
proto 41 ACCEPT; # IPv6 sit tunnel
- interface ($DEV_WAN $DEV_UNTRUSTED_LAN) @subchain "wan_services" {
+ interface ($DEV_WAN $DEV_LAN $DEV_UNTRUSTED_LAN) @subchain "wan_services" {
# Valheim
proto udp dport (3400 3401 3402) ACCEPT;
+ proto (tcp udp) dport 2053 ACCEPT;
proto (tcp udp) dport (bootpc bootps) ACCEPT;
proto tcp dport ssh ACCEPT;
proto (tcp udp) dport domain ACCEPT;
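Review bot: The added `proto (tcp udp) dport 2053 ACCEPT;` sits inside `@subchain "wan_services"`, which this hunk now applies to `interface ($DEV_WAN $DEV_LAN $DEV_UNTRUSTED_LAN)`, so dnsmasq's port 2053 is accepted from the WAN interface as well as from the LAN interfaces that need it for the REDIRECT in the previous hunk. The dnsmasq `extraConfig` shown later in this diff has no visible `interface=`/`listen-address=` restriction, so this likely turns the LAN resolver into an internet-reachable resolver (open-resolver and amplification exposure) in addition to the pre-existing `dport domain` accept. Scope the new rule to the interfaces that actually receive redirected traffic, `interface ($DEV_LAN $DEV_UNTRUSTED_LAN) proto (tcp udp) dport 2053 ACCEPT;`, or place it in the `lan_services` subchain instead. The subchain block continues past the end of the hunk.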
@@ -103,13 +101,9 @@ in {
}
interface ($DEV_LAN $DEV_ADMIN) @subchain "lan_services" {
- # Valheim
- proto udp dport (3400 3401 3402) ACCEPT;
-
proto (tcp udp) dport 5000 ACCEPT; # random debugging
proto (tcp udp) dport (ssh domain bootpc bootps ntp) ACCEPT;
- proto tcp dport (http https) ACCEPT;
# prometheus temp rule
proto tcp dport 11112 ACCEPT;
proto (tcp udp) dport tftp ACCEPT;
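Review bot: `proto tcp dport (http https) ACCEPT;` is removed from `lan_services` with no replacement visible in the diff; the Valheim rule removed alongside it does reappear in `wan_services` in the previous hunk, but http/https does not, so LAN hosts may lose access to any web service on the router unless those ports are accepted in `wan_services` lines outside the hunk. If the removal is deliberate, a one-line comment at the top of the subchain, e.g. `# http/https for LAN now handled in wan_services`, would keep the next reader from re-adding it. The `lan_services` subchain continues past the end of the hunk.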
@@ -122,11 +116,6 @@ in {
# proto udp dport (5353 1900) ACCEPT;
# proto tcp dport (8008 8009) ACCEPT;
- chain logdrop {
- LOG log-level warning log-prefix "dropped-lan ";
- DROP;
- }
-
interface $DEV_LAN jump logdrop;
}
}
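Review bot: The hunk deletes the `chain logdrop { LOG log-level warning log-prefix "dropped-lan "; DROP; }` definition but keeps `interface $DEV_LAN jump logdrop;` right after it, so unless `logdrop` is already defined elsewhere in this domain the ruleset now jumps to a chain that does not exist and iptables will reject it when ferm applies the rules. Every deletion and insertion counted in the diffstat is visible in these hunks and none of them re-creates the chain, so this reads as an accidental removal rather than a move; either restore the three-line chain or change the jump to `interface $DEV_LAN DROP;`. Removing the chain also removes the `dropped-lan ` log prefix, which is the only record of rejected LAN traffic in the rules shown.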
@@ -163,6 +152,7 @@ in {
domain ip table nat {
chain POSTROUTING {
saddr $NET_LAN outerface $DEV_WAN MASQUERADE;
+ # saddr $NET_LAN daddr 172.20.30.1 MASQUERADE;
}
}
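Review bot: `# saddr $NET_LAN daddr 172.20.30.1 MASQUERADE;` is commented-out firewall code added without any note on why it is disabled or when it should be removed, and such lines tend to be re-enabled later without review. Either leave it out or give it a reason, e.g. `# Disabled: <reason> — remove once no longer needed` with the reason filled in. The `chain POSTROUTING` block is fully inside the hunk, but the enclosing `domain ip table nat` set continues outside it.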
@@ -230,19 +220,38 @@ in {
resolveLocalQueries = false;
extraConfig = ''
port=2053
+
no-resolv
address=/test-dns.orbekk.com/::1
dhcp-authoritative
+ # Null AAAA response on these domains
+ server=/netflix.com/#
+ address=/netflix.com/::
+ server=/netflix.net/#
+ address=/netflix.net/::
+ server=/nflxext.com/#
+ address=/nflxext.com/::
+ server=/nflximg.net/#
+ address=/nflximg.net/::
+ server=/nflxvideo.net/#
+ address=/nflxvideo.net/::
+ server=/nflxso.net/#
+ address=/nflxso.net/::
+
dhcp-range=vlan30,172.20.30.50,172.20.30.254,5m
dhcp-option=net:vlan30,option:router,172.20.30.1
+ dhcp-option=net:vlan30,option:dns-server,172.20.30.1
dhcp-range=vlan100,172.20.100.50,172.20.100.254,5m
+ dhcp-range=vlan100,::100,::500,constructor:bond0.100,slaac
dhcp-option=net:vlan100,option:router,172.20.100.1
+ dhcp-option=net:vlan100,option:dns-server,172.20.100.1
dhcp-range=vlan32,172.20.32.50,172.20.32.254,5m
dhcp-option=net:vlan32,option:router,172.20.32.1
+ dhcp-option=net:vlan32,option:dns-server,172.20.32.1
dhcp-option=option:dns-server,1.1.1.1,8.8.8.8,8.8.4.4
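Review bot: `dhcp-range=vlan100,::100,::500,constructor:bond0.100,slaac` hard-codes the interface name `bond0.100`, while the rest of router.nix derives interface names from `${lan-dev}` (e.g. `networking.interfaces."${lan-dev}.30"` later in this diff); if `lan-dev` is ever not `bond0`, dnsmasq will build the range from a non-existent interface and hand out no IPv6 leases or RAs on vlan100. Since this is a Nix indented string, `dhcp-range=vlan100,::100,::500,constructor:${lan-dev}.100,slaac` keeps the two in sync. The `server=/netflix.com/#` / `address=/netflix.com/::` block would also benefit from a why-comment beyond `# Null AAAA response on these domains`, e.g. `# Force these services over IPv4 (AAAA answers ::) — presumably the tunnel prefix is not accepted by them; revisit if that changes`, so the rationale outlives this tunnel change. The `extraConfig` string continues past the end of the hunk.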
@@ -269,9 +278,9 @@ in {
wantedBy = [ "multi-user.target" ];
path = [ pkgs.iproute ];
script = ''
- ip -6 rule add from 2001:470:8e2e::/48 lookup he prio 0 || true
- ip -6 route replace default dev he0 src 2001:470:8e2e:20::d table he
- ip -6 route flush cache
+ # ip -6 rule add from 2001:470:8e2e::/48 lookup he prio 0 || true
+ # ip -6 route replace default dev he0 src 2001:470:8e2e:20::d table he
+ # ip -6 route flush cache
'';
};
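Review bot: Commenting out all three `ip -6` lines leaves the unit's `script` containing only comments, so the service still has `wantedBy = [ "multi-user.target" ]` and `path = [ pkgs.iproute ]`, starts, runs an empty shell script and exits. If the `he` policy-routing table is superseded by the `::/0` route re-enabled in the next hunk, record that where the commands are disabled, e.g. `# Superseded by the default route on the tunnel interface (routes = [{ address = "::"; prefixLength = 0; }]); remove the unit once the tunnel is verified`, or drop the unit rather than leaving dead commands that may be re-enabled without context. The unit definition starts outside the hunk.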
@@ -305,7 +314,7 @@ in {
prefixLength = 64;
}
];
- # routes = [{ address = "::"; prefixLength = 0; }];
+ routes = [{ address = "::"; prefixLength = 0; }];
};
networking.interfaces."${lan-dev}".useDHCP = false;
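Review bot: Re-enabling `routes = [{ address = "::"; prefixLength = 0; }]` makes this interface (named above the hunk) the IPv6 default route, so inbound IPv6 from the internet now arrives decapsulated on that interface rather than on `$DEV_WAN`. The filter rules earlier in this diff key their WAN policy on `interface ($DEV_WAN ...)` and only accept `proto 41` for the encapsulated tunnel traffic; confirm the tunnel interface itself is covered by the WAN-side INPUT/FORWARD rules (either it is `$DEV_WAN` in the ip6 domain or is added to those interface lists), otherwise decapsulated traffic falls through to the chain default. A comment on the route line, `# Default IPv6 route via the HE tunnel; the tunnel interface must be treated as WAN in the ferm rules`, would record that dependency. The interface attribute set begins above the hunk.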
@@ -325,6 +334,10 @@ in {
address = "172.20.100.1";
prefixLength = 24;
}];
+ ipv6.addresses = [{
+ address = "2001:470:8e2e:100::1";
+ prefixLength = 64;
+ }];
useDHCP = false;
};
networking.interfaces."${lan-dev}.30" = {
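Review bot: Adding `2001:470:8e2e:100::1/64` to the interface holding `172.20.100.1` (the vlan100 gateway per the dnsmasq options), together with the `slaac` range and the restored default route, makes vlan100 hosts globally reachable over IPv6, whereas on the IPv4 side MASQUERADE gives them no inbound exposure. Confirm the `domain (ip ip6) table filter` FORWARD rules only allow established/related traffic from the tunnel side toward this vlan, and consider `# Globally routable via the HE tunnel: inbound to this vlan is governed by the ip6 FORWARD rules, not by NAT` on the address block so the exposure is explicit. The interface attribute set begins above the hunk.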