nixos router
```nix
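{ config, pkgs, lib, ... }:
# Single-box NixOS router: one WAN uplink (addressed by DHCP from the upstream
# side) and three LAN ports bridged into br0 (10.0.0.1/24). dnsmasq serves
# DHCP and DNS on the bridge; filtering and NAT are a hand-written nftables
# ruleset rather than the NixOS firewall/nat modules.
#
# `lib` is taken from the module arguments because `lib.mkForce` is used
# below; without it the module fails to evaluate with an undefined variable.
{
  boot.kernel = {
    sysctl = {
      # Without forwarding nothing is routed between br0 and WAN.
      "net.ipv4.conf.all.forwarding" = 1;
      # Strict reverse-path filtering: drop packets whose source address
      # would not be routed back out of the interface they arrived on.
      "net.ipv4.conf.default.rp_filter" = 1;
      "net.ipv4.conf.WAN.rp_filter" = 1;
      # NOTE(review): rp_filter is switched off on the LAN bridge, so a LAN
      # host can emit packets with a forged source address and have them
      # forwarded and masqueraded out of WAN. Unless there is an
      # asymmetric-routing reason for this, 1 (strict) or 2 (loose) is the
      # safer setting.
      "net.ipv4.conf.br0.rp_filter" = 0;
    };
  };

  services = {
    # Pin interface names to NIC MAC addresses so the WAN/LAN roles, and every
    # rule below that names them, survive enumeration-order changes.
    udev.extraRules = ''
      ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="00:15:17:79:54:05", NAME="WAN"
      ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="00:15:17:79:54:04", NAME="LAN0"
      ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="00:15:17:79:54:07", NAME="LAN1"
      ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="00:15:17:79:54:06", NAME="LAN2"
    '';

    # DHCP + caching DNS for the LAN side only.
    dnsmasq = {
      enable = true;
      settings = {
        # Upstream resolvers queried directly; `no-resolv` ignores
        # /etc/resolv.conf so the upstream set is exactly this list.
        server = [ "9.9.9.9" "76.76.2.0" ];
        # Never forward bare hostnames or RFC1918 reverse lookups upstream.
        domain-needed = true;
        bogus-priv = true;
        no-resolv = true;
        cache-size = 1000;
        # Leases handed out on the bridge only.
        dhcp-range = [ "br0,10.0.0.55,10.0.0.95,5m" ];
        # Only serve requests arriving on br0; the nftables input chain
        # additionally drops anything from WAN before it reaches port 53/67.
        interface = "br0";
        # NOTE(review): dhcp-host normally carries a MAC / client-id /
        # hostname binding; a bare address that is also the router's own IP
        # does not obviously reserve anything. Confirm the intent with
        # `dnsmasq --test` on the generated config.
        dhcp-host = "10.0.0.1";
        # Resolve the "lan" domain locally; never send it upstream.
        local = "/lan/";
        domain = "lan";
        expand-hosts = true;
        no-hosts = true;
        address = "/router.lan/10.0.0.1";
      };
    };

    # systemd-resolved would otherwise compete with dnsmasq for port 53.
    resolved = {
      enable = false;
    };
  };

  # Boot should not block on every link coming up; WAN alone is enough.
  systemd.network.wait-online.anyInterface = true;

  networking = {
    hostName = "router";
    # NetworkManager is force-disabled so it cannot reconfigure the links that
    # networkd owns below.
    networkmanager.enable = lib.mkForce false;
    useNetworkd = true;
    # Names come from the udev rules above, not from the predictable scheme.
    usePredictableInterfaceNames = false;
    useDHCP = false;

    # The NixOS firewall and nat modules are disabled; all filtering and NAT
    # is the explicit nftables ruleset below.
    nat.enable = false;
    firewall.enable = false;

    # Policy, in prose:
    #  - input:   default drop. Everything from br0 and lo is trusted. WAN may
    #             only deliver reply traffic (established/related) and a small
    #             ICMP set; the rest is counted and dropped.
    #  - forward: default drop. br0 -> WAN is allowed; WAN -> br0 only for
    #             replies. No other interface pair is forwarded.
    #  - nat:     everything leaving WAN is masqueraded.
    # NOTE(review): `table inet` hooks IPv6 as well, but only IPv4 ICMP is
    # accepted from WAN and IPv6 forwarding is not enabled, so this is an
    # IPv4-only design; if IPv6 is ever expected on WAN, neighbour discovery
    # and router advertisement ICMPv6 types need explicit accept rules.
    nftables = {
      enable = true;
      ruleset = ''
        table inet filter {
          chain input {
            type filter hook input priority 0; policy drop;
            iifname { "br0" } accept comment "Allow local network to access the router"
            iifname "WAN" ct state { established, related } accept comment "Allow established traffic"
            iifname "WAN" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
            iifname "WAN" counter drop comment "Drop all other unsolicited traffic from WAN"
            iifname "lo" accept comment "Accept everything from loopback interface"
          }
          chain forward {
            type filter hook forward priority filter; policy drop;
            iifname { "br0" } oifname { "WAN" } accept comment "Allow trusted LAN to WAN"
            iifname { "WAN" } oifname { "br0" } ct state { established, related } accept comment "Allow established back to LANs"
          }
        }
        table ip nat {
          chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            oifname "WAN" masquerade
          }
        }
      '';
    };

    # All three LAN ports form one L2 segment; hosts see only br0.
    bridges = {
      br0 = {
        interfaces = [ "LAN0" "LAN1" "LAN2" ];
      };
    };

    interfaces = {
      "WAN" = {
        useDHCP = true;
        # No IPv6 privacy (temporary) addresses on the uplink.
        tempAddress = "disabled";
      };
      "br0" = {
        ipv4.addresses = [ { address = "10.0.0.1"; prefixLength = 24; } ];
        useDHCP = false;
        # Something static & unique, I literally used this. The AA: prefix has
        # the locally-administered bit set, so it cannot collide with a
        # vendor-assigned NIC address.
        macAddress = "AA:BB:CC:DD:EE:FF";
      };
    };
  };
}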
```