swann: configure for eduroam on VLAN 100
This commit is contained in:
parent
f93ec18859
commit
a8718864c1
3 changed files with 94 additions and 9 deletions
|
@ -3,7 +3,7 @@
|
|||
; SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL
|
||||
@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 2 600 450 3600 300
|
||||
@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 3 600 450 3600 300
|
||||
|
||||
$INCLUDE tmpl.ns
|
||||
|
||||
|
@ -260,6 +260,6 @@ $INCLUDE tmpl.ns
|
|||
250 600 IN PTR 92-118-30-250.ptr.as205479.net.
|
||||
251 600 IN PTR 92-118-30-251.ptr.as205479.net.
|
||||
252 600 IN PTR 92-118-30-252.ptr.as205479.net.
|
||||
253 600 IN PTR 92-118-30-253.ptr.as205479.net.
|
||||
253 600 IN PTR eduroam.mldn-rd.as205479.net.
|
||||
254 600 IN PTR mldn-rd.as205479.net.
|
||||
255 600 IN PTR 92-118-30-255.ptr.as205479.net.
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
; SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL
|
||||
@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 33 600 450 3600 300
|
||||
@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 34 600 450 3600 300
|
||||
|
||||
; NB: this are also glue records in Google Domains.
|
||||
$INCLUDE tmpl.ns
|
||||
|
@ -100,6 +100,8 @@ tuvok.ee-tuvok.mldn-rd 3600 IN A 92.118.30.3
|
|||
tuvok.ee-tuvok.mldn-rd 3600 IN AAAA 2a09:a442::2:2
|
||||
mldn-rd 3600 IN A 92.118.30.254
|
||||
mldn-rd 3600 IN AAAA 2a09:a443::1
|
||||
eduroam.mldn-rd 3600 IN A 92.118.30.253
|
||||
eduroam.mldn-rd 3600 IN AAAA 2a09:a443:2::1
|
||||
|
||||
; blade internal
|
||||
blade-oa.blade 3600 IN A 10.100.1.200
|
||||
|
|
|
@ -53,6 +53,7 @@ in {
|
|||
ipv4.addresses = [
|
||||
{ address = "127.0.0.1"; prefixLength = 8; }
|
||||
{ address = "92.118.30.254"; prefixLength = 32; }
|
||||
{ address = "92.118.30.253"; prefixLength = 32; }
|
||||
];
|
||||
};
|
||||
en-virginmedia = {
|
||||
|
@ -79,6 +80,21 @@ in {
|
|||
{ address = "2a09:a443:1::1"; prefixLength = 48; }
|
||||
];
|
||||
};
|
||||
vl-eduroam = {
|
||||
ipv4.addresses = [
|
||||
{ address = "192.168.10.1"; prefixLength = 24; }
|
||||
];
|
||||
ipv6.addresses = [
|
||||
{ address = "2a09:a443:2::1"; prefixLength = 64; }
|
||||
{ address = "2a09:a443:3::1"; prefixLength = 48; }
|
||||
];
|
||||
};
|
||||
};
|
||||
vlans = {
|
||||
vl-eduroam = {
|
||||
id = 100;
|
||||
interface = "en-general";
|
||||
};
|
||||
};
|
||||
|
||||
dhcpcd.extraConfig = ''
|
||||
|
@ -181,11 +197,21 @@ in {
|
|||
# SNAT packets we're sending over tunnels.
|
||||
iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o wg-tuvok-vm -j SNAT --to-source 92.118.30.254
|
||||
iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o wg-tuvok-ee -j SNAT --to-source 92.118.30.254
|
||||
|
||||
# eduroam
|
||||
# > mark incoming eduroam packets
|
||||
iptables -w -t nat -A nixos-nat-pre -i vl-eduroam -j MARK --set-mark 2
|
||||
# > NAT packets going over EE/VM.
|
||||
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o en-virginmedia -j MASQUERADE
|
||||
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o en-ee -j MASQUERADE
|
||||
# > NAT packets going over tunnels.
|
||||
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o wg-tuvok-vm -j SNAT --to-source 92.118.30.253
|
||||
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o wg-tuvok-ee -j SNAT --to-source 92.118.30.253
|
||||
'';
|
||||
};
|
||||
services.dhcpd4 = {
|
||||
enable = true;
|
||||
interfaces = ["en-general"];
|
||||
interfaces = ["en-general" "vl-eduroam"];
|
||||
authoritative = true;
|
||||
extraConfig = ''
|
||||
subnet 192.168.1.0 netmask 255.255.255.0 {
|
||||
|
@ -199,6 +225,18 @@ in {
|
|||
|
||||
range 192.168.1.100 192.168.1.200;
|
||||
}
|
||||
|
||||
subnet 192.168.10.0 netmask 255.255.255.0 {
|
||||
option subnet-mask 255.255.255.0;
|
||||
option routers 192.168.10.1;
|
||||
option domain-name-servers 192.168.10.1;
|
||||
option domain-name "eduroam.as205479.net";
|
||||
default-lease-time 600;
|
||||
max-lease-time 3600;
|
||||
option interface-mtu 1420; # Wireguard
|
||||
|
||||
range 192.168.10.100 192.168.10.200;
|
||||
}
|
||||
'';
|
||||
machines = [
|
||||
{
|
||||
|
@ -294,6 +332,14 @@ in {
|
|||
53 # DNS
|
||||
];
|
||||
};
|
||||
interfaces.vl-eduroam = {
|
||||
allowedTCPPorts = [
|
||||
53 # DNS
|
||||
];
|
||||
allowedUDPPorts = [
|
||||
53 # DNS
|
||||
];
|
||||
};
|
||||
interfaces.wg-tuvok-ee = {
|
||||
allowedUDPPorts = [
|
||||
3784 # BFD
|
||||
|
@ -305,8 +351,17 @@ in {
|
|||
];
|
||||
};
|
||||
extraCommands = ''
|
||||
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
|
||||
ip6tables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
|
||||
ip46tables -F FORWARD
|
||||
|
||||
ip46tables -N ts-forward || true
|
||||
ip46tables -A FORWARD -j ts-forward
|
||||
|
||||
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
|
||||
ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
|
||||
|
||||
ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-ee -j ACCEPT
|
||||
ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-vm -j ACCEPT
|
||||
ip46tables -A FORWARD -i vl-eduroam -m state --state NEW,RELATED -j REJECT
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -357,13 +412,13 @@ in {
|
|||
enable = true;
|
||||
config = ''
|
||||
.:53 {
|
||||
bind 192.168.1.1 127.0.0.53 2a09:a443::1 2a09:a443:1::1
|
||||
bind 192.168.1.1 192.168.10.1 127.0.0.53 2a09:a443::1 2a09:a443:1::1 2a09:a443:2::1 2a09:a443:3::1
|
||||
acl {
|
||||
allow net 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 100.64.0.0/10 2a09:a443::/32
|
||||
block
|
||||
}
|
||||
hosts /dev/null {
|
||||
216.239.38.120 stadia.google.com stadia.com
|
||||
#216.239.38.120 stadia.google.com stadia.com
|
||||
fallthrough
|
||||
}
|
||||
loadbalance
|
||||
|
@ -460,6 +515,9 @@ in {
|
|||
|
||||
# Covering route...
|
||||
route 2a09:a443::/64 via "en-general";
|
||||
route 2a09:a443:1::/48 via "en-general";
|
||||
route 2a09:a443:2::/64 via "vl-eduroam";
|
||||
route 2a09:a443:3::/48 via "vl-eduroam";
|
||||
route 2a09:a443::/32 unreachable;
|
||||
};
|
||||
|
||||
|
@ -498,11 +556,28 @@ in {
|
|||
AdvAutonomous off;
|
||||
};
|
||||
};
|
||||
interface vl-eduroam {
|
||||
AdvSendAdvert on;
|
||||
AdvLinkMTU 1420; # Wireguard
|
||||
AdvManagedFlag on;
|
||||
|
||||
RDNSS 2a09:a443:2::1 {};
|
||||
DNSSL eduroam.as205479.net {};
|
||||
|
||||
prefix 2a09:a443:2::/64 {
|
||||
AdvOnLink on;
|
||||
AdvAutonomous on;
|
||||
};
|
||||
prefix 2a09:a443:3::/48 {
|
||||
AdvOnLink on;
|
||||
AdvAutonomous off;
|
||||
};
|
||||
};
|
||||
'';
|
||||
};
|
||||
services.dhcpd6 = {
|
||||
enable = true;
|
||||
interfaces = ["en-general"];
|
||||
interfaces = ["en-general" "vl-eduroam"];
|
||||
authoritative = true;
|
||||
extraConfig = ''
|
||||
subnet6 2a09:a443:1::/48 {
|
||||
|
@ -513,6 +588,14 @@ in {
|
|||
option dhcp6.name-servers 2a09:a443:1::1;
|
||||
option dhcp6.domain-search "house.as205479.net";
|
||||
}
|
||||
subnet6 2a09:a443:3::/48 {
|
||||
range6 2a09:a443:3:1::/64;
|
||||
range6 2a09:a443:3:2::/64 temporary;
|
||||
prefix6 2a09:a443:3:1000:: 2a09:a443:3:ffff:: /56;
|
||||
|
||||
option dhcp6.name-servers 2a09:a443:3::1;
|
||||
option dhcp6.domain-search "eduroam.as205479.net";
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
|
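Review bot: In the `extraCommands` hunk (`@ -305,8 +351,17 @@`), the eduroam isolation rule `ip46tables -A FORWARD -i vl-eduroam -m state --state NEW,RELATED -j REJECT` only rejects two conntrack states, so packets in the INVALID state (and anything else not NEW/RELATED) from vl-eduroam fall through to whatever follows in FORWARD, which after the `ip46tables -F FORWARD` earlier in the same hunk is likely the chain's default policy; the rule set also runs after `-j ts-forward`, so any accept in that chain bypasses the isolation. A tighter shape is an explicit allow for replies followed by a catch-all: `ip46tables -A FORWARD -i vl-eduroam -m conntrack --ctstate ESTABLISHED -j ACCEPT` before the two tunnel ACCEPT lines, and `ip46tables -A FORWARD -i vl-eduroam -j REJECT` as the final rule (using `-m conntrack --ctstate` rather than the legacy `-m state` match). Separately, the `interfaces.vl-eduroam` hunk opens only UDP 53 on that VLAN while the later hunks enable `services.dhcpd6` on `vl-eduroam` with `AdvManagedFlag on`, which presumably needs UDP 547 reachable on the router unless that is handled outside these hunks. The enclosing `networking.firewall` attribute set starts and ends outside the hunk.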
|