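# NixOS module for a small home router:
#   * bridges the LAN NIC into a bridge named by `lanBridgeInterface`,
#   * NATs that bridge out through the PPPoE WAN interface,
#   * clamps TCP MSS to PMTU on the WAN (PPPoE MTU is below 1500),
#   * serves DHCPv4 on the LAN via Kea and DNS via systemd-resolved's
#     extra stub listener on the LAN address.
# The GPON interface only carries a static address towards the ONT.
{ ... }:
let
  wanInterface = "ppp0";
  gponInterface = "enp3s0";
  gponHost = "192.168.38.1";
  gponPrefix = 24;
  lanInterface = "enp8s0f3u1c2";
  lanBridgeInterface = "lan";
  lanPrefix = 24;
  lanHost = "192.168.43.1";
  lanLeaseRangeStart = "192.168.43.100";
  lanLeaseRangeEnd = "192.168.43.254";
  # lanWapMac = "40:86:cb:d7:40:49";
  # lanWapIp = "192.168.43.2";
in
{
  networking = {
    bridges.${lanBridgeInterface}.interfaces = [ lanInterface ];

    nat = {
      enable = true;
      externalInterface = wanInterface;
      internalInterfaces = [ lanBridgeInterface ];
    };

    interfaces = {
      ${lanBridgeInterface}.ipv4.addresses = [
        {
          address = lanHost;
          prefixLength = lanPrefix;
        }
      ];
      ${gponInterface}.ipv4.addresses = [
        {
          address = gponHost;
          prefixLength = gponPrefix;
        }
      ];
    };

    firewall = {
      # DNS (53 udp+tcp) and DHCP (67 udp) are only meant for LAN clients, so
      # the firewall holes are scoped to the LAN bridge. The global
      # allowedUDPPorts/allowedTCPPorts lists would open them on every
      # interface, including the WAN, which is a needless exposure even
      # though resolved and Kea only bind to the LAN address/interface.
      interfaces.${lanBridgeInterface} = {
        allowedUDPPorts = [
          53
          67
        ];
        allowedTCPPorts = [ 53 ];
      };

      # MSS clamping for forwarded TCP SYNs leaving via the PPPoE link, so
      # hosts behind the NAT do not rely on PMTU discovery working end to end.
      extraCommands = ''
        iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
          -o ${wanInterface} \
          -j TCPMSS --clamp-mss-to-pmtu
      '';
      extraStopCommands = ''
        iptables -t mangle -D FORWARD -p tcp --tcp-flags SYN,RST SYN \
          -o ${wanInterface} \
          -j TCPMSS --clamp-mss-to-pmtu
      '';
    };
  };

  services = {
    kea.dhcp4 = {
      enable = true;
      settings = {
        # Listen only on the LAN bridge; never answer DHCP on WAN or GPON.
        interfaces-config.interfaces = [ lanBridgeInterface ];
        lease-database = {
          persist = true;
          type = "memfile";
          name = "/var/lib/kea/dhcp4.leases";
        };
        subnet4 = [
          {
            id = 1;
            pools = [
              {
                pool = "${lanLeaseRangeStart} - ${lanLeaseRangeEnd}";
              }
            ];
            subnet = "${lanHost}/${toString lanPrefix}";
            # NOTE(review): no option-data (routers / domain-name-servers) is
            # set here; confirm LAN clients learn lanHost as gateway and
            # resolver some other way, otherwise add it to this subnet.
          }
        ];
        # Timers in seconds.
        rebind-timer = 2000;
        renew-timer = 1000;
        valid-lifetime = 4000;
      };
    };

    resolved = {
      enable = true;
      # Expose resolved's stub resolver on the LAN address (in addition to
      # the default loopback stub) so LAN clients can use this host for DNS.
      extraConfig = ''
        DNSStubListenerExtra=${lanHost}
      '';
    };
  };
}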