diff --git a/ops/nixos/blade-tuvok/default.nix b/ops/nixos/blade-tuvok/default.nix index 96cb392ea1..da5db4d0dc 100644 --- a/ops/nixos/blade-tuvok/default.nix +++ b/ops/nixos/blade-tuvok/default.nix @@ -128,13 +128,6 @@ in { }; in { enable = true; - interfaces.wg-swann-vm = swannBase // { - ips = [ - "2a09:a442::1:2/112" - "92.118.30.1/31" - ]; - listenPort = 51820; - }; interfaces.wg-swann-ee = swannBase // { ips = [ "2a09:a442::2:2/112" @@ -175,10 +168,6 @@ in { protocol static export4 { ipv4 {}; - route 92.118.30.0/24 via 92.118.30.0 bfd { - # Virgin Media - preference = 100; - }; route 92.118.30.0/24 via 92.118.30.2 bfd { # EE preference = 10; @@ -211,8 +200,6 @@ in { idle tx interval 1s; multiplier 20; }; - neighbor 92.118.30.0; - neighbor 2a09:a442::1:1; neighbor 92.118.30.2; neighbor 2a09:a442::2:1; neighbor 92.118.30.4; diff --git a/ops/nixos/swann/default.nix b/ops/nixos/swann/default.nix index beba1ba04c..baa7f0748e 100644 --- a/ops/nixos/swann/default.nix +++ b/ops/nixos/swann/default.nix @@ -42,7 +42,6 @@ in { networking = { # Routing tables: # bgp (150) -- contains default routes over WG tunnels - # wg-vm (151) -- contains default routes over WG tunnels # wg-ee (152) -- contains default routes over WG tunnels # wg-gnet (153) -- contains default routes over WG tunnels # ee (201) -- table contains a default route via EE @@ -62,10 +61,6 @@ in { { address = "92.118.30.253"; prefixLength = 32; } ]; }; - en-virginmedia = { - useDHCP = true; - macAddress = "e4:3a:6e:16:07:61"; - }; en-gnet = { useDHCP = true; ipv4.addresses = [ @@ -205,23 +200,14 @@ in { in let routeTables = { bgp = 150; - wg-vm = 151; wg-ee = 152; wg-gnet = 153; ee = 201; - vm = 202; gnet = 203; }; in { enable = true; config.routeTables = routeTables; - networks."50-wg-tuvok-vm" = wireguardNetwork { - linkName = "wg-tuvok-vm"; - relativePriority = 2; - rtID = routeTables.wg-vm; - v4Linknet = "92.118.30.0"; - v6Linknet = "2a09:a442::1:1"; - }; networks."50-wg-tuvok-ee" = wireguardNetwork { linkName = "wg-tuvok-ee"; relativePriority = 3; @@ -298,9 +284,6 @@ in { }]) // { linkConfig.RequiredForOnline = "no"; }; - networks."40-en-virginmedia" = (physicalNetwork routeTables.vm "0xbeef" []) // { - linkConfig.RequiredForOnline = "no"; - }; networks."40-en-gnet" = (physicalNetwork routeTables.gnet "0xcafe" []); networks."40-br-internal" = { networkConfig.VLAN = [ "vl-eduroam" ]; @@ -344,12 +327,6 @@ in { publicKey = secrets.wireguard.tuvok-swann.tuvok.publicKey; }); in { - "40-wg-tuvok-vm" = tuvokWireguard { - name = "wg-tuvok-vm"; - listenPort = 51820; - endpoint = "92.118.28.252:51820"; - fwmark = "0xbeef"; - }; "40-wg-tuvok-ee" = tuvokWireguard { name = "wg-tuvok-ee"; listenPort = 51821; @@ -393,7 +370,6 @@ in { services.mstpd.enable = true; my.ip.tailscale = "100.102.224.95"; services.udev.extraRules = '' - ATTR{address}=="e4:3a:6e:16:07:62", DRIVERS=="?*", NAME="en-virginmedia" ATTR{address}=="e4:3a:6e:16:07:63", DRIVERS=="?*", NAME="en-ee" ATTR{address}=="e4:3a:6e:16:07:64", DRIVERS=="?*", NAME="en-gnet" ATTR{address}=="e4:3a:6e:16:07:67", DRIVERS=="?*", NAME="en-int-eth" @@ -403,14 +379,13 @@ in { "net.ipv4.ip_forward" = "1"; "net.ipv6.conf.default.forwarding" = "1"; "net.ipv6.conf.all.forwarding" = "1"; - "net.ipv6.conf.en-virginmedia.accept_ra" = "2"; "net.ipv6.conf.en-ee.accept_ra" = "2"; "net.ipv6.conf.en-gnet.accept_ra" = "2"; }; networking.nat = { enable = true; internalInterfaces = ["br-internal"]; - externalInterface = "en-virginmedia"; + externalInterface = "en-gnet"; extraCommands = '' # Send PS5 RTMP to totoro instead. # See DHCP static lease. @@ -423,7 +398,6 @@ in { iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o en-gnet -j MASQUERADE # SNAT packets we're sending over tunnels. - iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o wg-tuvok-vm -j SNAT --to-source 92.118.30.254 iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o wg-tuvok-ee -j SNAT --to-source 92.118.30.254 iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o wg-tuvok-gnet -j SNAT --to-source 92.118.30.254 @@ -431,11 +405,9 @@ in { # > mark incoming eduroam packets iptables -w -t nat -A nixos-nat-pre -i vl-eduroam -j MARK --set-mark 2 # > NAT packets going out directly. - iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o en-virginmedia -j MASQUERADE iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o en-ee -j MASQUERADE iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o en-gnet -j MASQUERADE # > NAT packets going over tunnels. - iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o wg-tuvok-vm -j SNAT --to-source 92.118.30.253 iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o wg-tuvok-ee -j SNAT --to-source 92.118.30.253 iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o wg-tuvok-gnet -j SNAT --to-source 92.118.30.253 ''; @@ -547,11 +519,6 @@ in { 53 # DNS ]; }; - interfaces.en-virginmedia = { - allowedUDPPorts = [ - 51820 - ]; - }; interfaces.en-ee = { allowedUDPPorts = [ 51821 @@ -567,11 +534,6 @@ in { 3784 # BFD ]; }; - interfaces.wg-tuvok-vm = { - allowedUDPPorts = [ - 3784 # BFD - ]; - }; interfaces.wg-tuvok-gnet = { allowedUDPPorts = [ 3784 # BFD @@ -587,7 +549,6 @@ in { ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360 ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-ee -j ACCEPT - ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-vm -j ACCEPT ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-gnet -j ACCEPT ip46tables -A FORWARD -i vl-eduroam -m state --state NEW,RELATED -j REJECT '';