Diffstat (limited to 'config/router.nix')
-rw-r--r-- | config/router.nix | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/config/router.nix b/config/router.nix
index 0724420..735b1b2 100644
--- a/config/router.nix
+++ b/config/router.nix
@@ -42,7 +42,8 @@ in
 services.ferm = {
 enable = true;
 config = ''
- @def $DEV_LAN = (${lan-dev}.30 ${lan-dev}.100 ${lan-dev}.255);
+ @def $DEV_UNTRUSTED_LAN = (${lan-dev}.30);
+ @def $DEV_LAN = (${lan-dev}.100 ${lan-dev}.255);
 @def $DEV_WAN = (${wan-dev} he0 mullvad);
 @def $NET_LAN = 10.0.0.0/8;
@@ -53,8 +54,6 @@ in
 mod state state INVALID DROP;
 mod state state (ESTABLISHED RELATED) ACCEPT;
- interface mullvad MARK set-mark ${toString mullvadMark};
-
 interface lo ACCEPT;
 proto icmp ACCEPT;
@@ -62,7 +61,7 @@ in
 proto 41 ACCEPT; # IPv6 sit tunnel
- interface $DEV_WAN @subchain "wan_services" {
+ interface ($DEV_WAN $DEV_UNTRUSTED_LAN) @subchain "wan_services" {
 proto (tcp udp) dport (bootpc bootps) ACCEPT;
 proto tcp dport ssh ACCEPT;
 proto (tcp udp) dport domain ACCEPT;
@@ -98,6 +97,7 @@ in
 mod state state INVALID DROP;
 mod state state (ESTABLISHED RELATED) ACCEPT;
+ interface $DEV_UNTRUSTED_LAN outerface mullvad ACCEPT;
 interface $DEV_LAN ACCEPT;
 }
 }
@@ -121,6 +121,12 @@ in
 saddr $NET_LAN outerface $DEV_WAN MASQUERADE;
 }
 }
+
+ domain (ip ip6) table mangle {
+ chain PREROUTING {
+ interface ${lan-dev}.30 MARK set-mark ${toString mullvadMark};
+ }
+ }
 '';
 };
@@ -175,7 +181,7 @@ in
 port=0
 dhcp-authoritative
 dhcp-range=10.65.30.100,10.65.30.255,255.255.255.0,24h
- dhcp-range=10.64.31.1,10.64.31.255,255.255.255.0,24h
+ dhcp-range=10.64.31.1,10.64.31.255,255.255.254.0,24h
 dhcp-option=option:router,10.65.30.1
 dhcp-option=option:dns-server,1.1.1.1,8.8.8.8,8.8.4.4
 dhcp-option=option:netmask,255.255.255.0
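Review bot: Routing `$DEV_UNTRUSTED_LAN` through the same `wan_services` subchain as `$DEV_WAN` on the INPUT side exposes every WAN-facing service to the untrusted VLAN, including `proto tcp dport ssh ACCEPT` and whatever follows past the end of this hunk. DHCP clients on `${lan-dev}.30` only need `bootps`, and the dnsmasq hunk hands them 1.1.1.1/8.8.8.8 as resolvers, so even `domain` on the router is not obviously required for them. A dedicated chain keeps the two trust levels separate: `interface $DEV_UNTRUSTED_LAN { proto udp dport bootps ACCEPT; }` while `interface $DEV_WAN @subchain "wan_services" {` stays WAN-only. The enclosing INPUT chain starts before this hunk.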
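Review bot: The new mangle rule hard-codes `interface ${lan-dev}.30` although the same commit introduces `@def $DEV_UNTRUSTED_LAN = (${lan-dev}.30);` for exactly this interface, so the two will silently diverge the next time the VLAN id changes; `interface $DEV_UNTRUSTED_LAN MARK set-mark ${toString mullvadMark};` keeps one source of truth (ferm `@def`s are visible across the whole config). Note also that the mangle table is declared `domain (ip ip6)`, but the routing script hunk only adds an IPv4 `ip rule add fwmark …` — marked IPv6 packets from the untrusted VLAN are not steered into the `mullvad` table and will follow the normal IPv6 default; whether they are then dropped depends on the FORWARD policy, which is outside this hunk. If the intent is IPv4-only VPN egress, `domain ip table mangle` states that explicitly; otherwise an `ip -6 rule` is missing.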
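Review bot: Changing the netmask on the second `dhcp-range` to 255.255.254.0 is undone two lines later by the untagged `dhcp-option=option:netmask,255.255.255.0`, which dnsmasq sends to every client regardless of range (an explicit `dhcp-option` takes precedence over the value derived from the range, as far as I recall). The untagged `dhcp-option=option:router,10.65.30.1` has the same problem: 10.65.30.1 lies outside 10.64.30.0/23, so clients in the 10.64.31.x range receive an off-link gateway either way. If this range is meant to be its own /23, tag it (`dhcp-range=set:vlan31,10.64.31.1,10.64.31.255,255.255.254.0,24h`) and give it a `tag:vlan31` netmask and router option; if not, the change is a no-op and the /24 should stay.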
@@ -202,8 +208,10 @@ in
 ip -6 route replace default dev he0 src 2001:470:8e2e:20::d table he
 ip -6 route flush cache
+ ip route flush cache
 ip rule add fwmark ${toString mullvadMark} table mullvad
- ip route add default dev mullvad table mullvad
+ ip route replace default dev mullvad table mullvad
+ ip route flush cache
 '';
 # boot.kernel.sysctl."net.ipv6.conf.${wan-dev}.disable_ipv6" = true;
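Review bot: `ip route replace default dev mullvad table mullvad` makes the table idempotent, but the table still holds only that one route, so when the mullvad interface goes down the kernel removes it, the fwmark rule hits an empty table and the lookup falls through to `main` and the plain WAN default — the policy routing itself is fail-open. The FORWARD rule added elsewhere in this commit (untrusted → `outerface mullvad` only) limits the damage for forwarded traffic, but routing can fail closed with one more line after the replace: `ip route replace unreachable default metric 1000 table mullvad`. The context line `ip rule add fwmark … table mullvad` is not idempotent and adds a duplicate rule on every run; a preceding `ip rule del fwmark ${toString mullvadMark} table mullvad 2>/dev/null || true` would match the `replace` style. Both new `ip route flush cache` lines are harmless no-ops on kernels since 3.6, which have no IPv4 routing cache; the enclosing script starts before this hunk.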