1 files changed, 20 insertions, 9 deletions

diff --git a/config/router.nix b/config/router.nix
index 9f3fe54..0ad0f33 100644
--- a/config/router.nix
+++ b/config/router.nix
@@ -16,6 +16,8 @@ in {
   services.tftpd.enable = true;
   services.openntpd.enable = true;
 
+  environment.systemPackages = with pkgs; [ iptables ];
+
   networking.useDHCP = false;
 
   networking.networkmanager.enable = lib.mkForce false;
@@ -167,7 +169,9 @@ in {
       domain (ip ip6) table mangle {
         chain PREROUTING {
           interface ${lan-dev}.30 MARK set-mark ${toString mullvadMark};
-          saddr $NET_HE MARK set-mark ${toString heMark}
+          # Route HE traffic via tunnel.
+          saddr $NET_HE MARK set-mark ${toString heMark};
+          saddr 2001:470:1f06:1194::2/64 MARK set-mark ${toString heMark};
         }
       }
     '';
@@ -208,10 +212,10 @@ in {
       noipv6rs
       interface ${wan-dev}
         dhcp
-        ipv6rs
-        iaid 0
+        # ipv6rs
+        # iaid 0
         # ia_na 1
-        ia_pd 0//56 ${wan-dev}/10/64 ${lan-dev}.100/100/64
+        # ia_pd 0//56 ${wan-dev}/10/64 ${lan-dev}.100/100/64
     '';
   };
   systemd.services.dhcpcd = {
@@ -289,6 +293,7 @@ in {
       # ip -6 rule add from 2001:470:8e2e::/48 lookup he prio 0 || true
       # ip -6 route replace default dev he0 src 2001:470:8e2e:20::d table he
       # ip -6 route flush cache
+      ip -6 rule add fwmark ${toString heMark} table he
     '';
   };
 
@@ -322,11 +327,17 @@ in {
         prefixLength = 64;
       }
     ];
-    routes = [{
-      address = "::";
-      prefixLength = 0;
-      options = { table = "he"; };
-    }];
+    routes = [
+      {
+        address = "::";
+        prefixLength = 0;
+      }
+      {
+        address = "::";
+        prefixLength = 0;
+        options = { table = "he"; };
+      }
+    ];
   };
 
   networking.interfaces."${lan-dev}".useDHCP = false;