authorKjetil Orbekk <kj@orbekk.com>2022-09-24 12:05:42 -0400
committerKjetil Orbekk <kj@orbekk.com>2022-09-24 12:05:53 -0400
commite779ee508003722f736dc77f001bf1c6805fef83 (patch)
tree546a0a03359e821cacb413f1c74485ba2ced3777 /config
parent5204c7a257d2f479662e8ed4d86304bbd992d3be (diff)
router config
Diffstat (limited to 'config')
-rw-r--r--config/router.nix25
1 files changed, 15 insertions, 10 deletions
diff --git a/config/router.nix b/config/router.nix
index 9f0e944..9cc1ffb 100644
--- a/config/router.nix
+++ b/config/router.nix
@@ -6,6 +6,7 @@ let
wireguardPorts =
[ config.orbekk.mullvad.listenPort config.orbekk.vpn.listenPort ];
mullvadMark = 30;
+ heMark = 200;
# nycmeshMark = 32;
aliases = import ../data/aliases.nix;
in {
@@ -19,12 +20,8 @@ in {
networking.networkmanager.enable = lib.mkForce false;
- networking.nameservers = [
- "1.1.1.1"
- "1.0.0.1"
- "2606:4700:4700::1111"
- "2606:4700:4700::1001"
- ];
+ networking.nameservers =
+ [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
networking.vlans = builtins.listToAttrs (map (id: {
name = "${lan-dev}.${toString id}";
@@ -77,6 +74,7 @@ in {
@def $DEV_ADMIN = (${lan-dev}.255);
@def $DEV_WAN = (${wan-dev} he0 mullvad);
@def $NET_LAN = (172.20.0.0/16);
+ @def $NET_HE = (2001:470:8e2e::/48);
# Forward dns queries to dnsmasq on LAN interfaces.
domain (ip ip6) table nat chain PREROUTING {
@@ -106,7 +104,9 @@ in {
proto tcp dport ssh ACCEPT;
proto (tcp udp) dport domain ACCEPT;
proto tcp dport (http https) ACCEPT;
- proto udp dport (${lib.concatStringsSep " " (map toString wireguardPorts)}) ACCEPT;
+ proto udp dport (${
+ lib.concatStringsSep " " (map toString wireguardPorts)
+ }) ACCEPT;
}
interface ($DEV_LAN $DEV_ADMIN) @subchain "lan_services" {
@@ -167,6 +167,7 @@ in {
domain (ip ip6) table mangle {
chain PREROUTING {
interface ${lan-dev}.30 MARK set-mark ${toString mullvadMark};
+ saddr $NET_HE MARK set-mark ${toString heMark}
}
}
'';
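Review bot: The new `saddr $NET_HE MARK set-mark ${toString heMark}` rule in the mangle PREROUTING chain lacks the terminating semicolon that the `interface ${lan-dev}.30` rule directly above it carries; ferm terminates each rule with `;`, so this likely fails to parse when the firewall unit is activated, and the line should read `saddr $NET_HE MARK set-mark ${toString heMark};`. The chain is declared `domain (ip ip6)`, so the same rule is also generated for the IPv4 domain, where the IPv6 prefix assigned to `$NET_HE` earlier in this diff is not a valid address; if ferm does not drop it by address family, confining it with `domain ip6 saddr $NET_HE MARK set-mark ${toString heMark};` avoids that. Because `MARK set-mark` overwrites, HE-sourced packets arriving on `${lan-dev}.30` lose the mullvad mark set on the previous line, and the rule matches on source address alone regardless of ingress interface; if both are intended a short comment saying so would help, otherwise qualify it with an `interface` match like the previous line. The ferm configuration string enclosing this block starts and ends outside the hunk.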
@@ -273,8 +274,8 @@ in {
networking.iproute2.enable = true;
# ${toString nycmeshMark} nycmesh
networking.iproute2.rttablesExtraConfig = ''
- ${toString mullvadMark} mullvad
- 200 he
+ ${toString mullvadMark} mullvad
+ ${toString heMark} he
'';
systemd.services.network-route-setup = {
@@ -320,7 +321,11 @@ in {
prefixLength = 64;
}
];
- routes = [{ address = "::"; prefixLength = 0; }];
+ routes = [{
+ address = "::";
+ prefixLength = 0;
+ options = { table = "he"; };
+ }];
};
networking.interfaces."${lan-dev}".useDHCP = false;