From 1233ac2d14a8f6c04faea2d727a982ce8399e54d Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Wed, 4 Nov 2020 14:27:19 +0000
Subject: [PATCH] swann: tweak firewall params

---
 ops/nixos/swann/default.nix | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/ops/nixos/swann/default.nix b/ops/nixos/swann/default.nix
index a1036806c0..791f25e7a6 100644
--- a/ops/nixos/swann/default.nix
+++ b/ops/nixos/swann/default.nix
@@ -62,6 +62,10 @@ in {
     enable = true;
     externalInterface = "ens-virginmedia";
     internalInterfaces = ["ens-general"];
+    forwardPorts = [
+      { destination = "192.168.1.40:22"; proto = "tcp"; sourcePort = 10022; }
+      { destination = "192.168.1.40:41641"; proto = "udp"; sourcePort = 41641; }
+    ];
   };
   services.dhcpd4 = {
     enable = true;
@@ -79,16 +83,33 @@ in {
         range 192.168.1.100 192.168.1.200;
       }
     '';
+    machines = [
+      {
+        hostName = "totoro";
+        ethernetAddress = "40:8d:5c:1f:e8:68";
+        ipAddress = "192.168.1.40";
+      }
+      {
+        hostName = "totoro-pfsense";
+        ethernetAddress = "52:54:00:cf:cd:94";
+        ipAddress = "192.168.1.41";
+      }
+      {
+        hostName = "kvm";
+        ethernetAddress = "00:0d:5d:1b:14:ba";
+        ipAddress = "192.168.1.50";
+      }
+    ];
   };
 
   networking.localCommands = ''
     tc qdisc del dev ens-virginmedia root || true
-    tc qdisc add dev ens-virginmedia root cake bandwidth 30Mbit docsis nat dual-srchost
+    tc qdisc add dev ens-virginmedia root cake bandwidth 20Mbit docsis nat dual-srchost
     ip link add name ifb-virginmedia type ifb || true
     tc qdisc del dev ens-virginmedia ingress || true
     tc qdisc add dev ens-virginmedia handle ffff: ingress
     tc qdisc del dev ifb-virginmedia root || true
-    tc qdisc add dev ifb-virginmedia root cake bandwidth 500Mbit besteffort docsis nat wash dual-dsthost
+    tc qdisc add dev ifb-virginmedia root cake bandwidth 450Mbit besteffort docsis nat wash dual-dsthost
     ip link set dev ifb-virginmedia up
     tc filter add dev ens-virginmedia parent ffff: matchall action mirred egress redirect dev ifb-virginmedia
   '';
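Review bot: The two new forwardPorts entries carry no comment saying what they expose or why WAN exposure is intended, and the first one publishes an SSH listener on 192.168.1.40 to every source address reaching ens-virginmedia, since networking.nat.forwardPorts expresses only a DNAT mapping and has no source restriction. A one-line comment above each entry would let the next reader judge the exposure, e.g. `# WAN 10022/tcp -> totoro sshd (192.168.1.40); totoro must enforce key-only auth` and `# WAN 41641/udp -> totoro (192.168.1.40); presumably a WireGuard/Tailscale listener — confirm`. If the SSH forward is only meant for a small set of peers, that restriction has to live in the firewall forward rules rather than here. The destination address is stable only because of the static DHCP lease for totoro added later in this patch, which is worth naming in the comment as well.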
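Review bot: The two changed cake bandwidth values (30Mbit to 20Mbit on egress, 500Mbit to 450Mbit on the ifb ingress side) are unexplained magic numbers, and the subject "tweak firewall params" does not record what was measured or why the headroom was chosen; a comment above each tc line would preserve that, e.g. `# egress shaped below the measured upstream rate (TODO: record measured rate/date)`. The machines reservations would also benefit from one line noting that they deliberately sit below the 192.168.1.100-192.168.1.200 pool so the pool never hands out these addresses. Finally, a DHCP reservation keyed on a MAC address is a convenience, not an identity check: the .40 target of the forwardPorts entries in the first hunk follows whatever LAN host presents 40:8d:5c:1f:e8:68, so the exposure review should not assume the reservation alone pins the forward to totoro.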