diff --git a/ops/nixos/lib/coredns/zones/db.30.118.92.in-addr.arpa b/ops/nixos/lib/coredns/zones/db.30.118.92.in-addr.arpa
index ded5b2df67..d00d714791 100644
--- a/ops/nixos/lib/coredns/zones/db.30.118.92.in-addr.arpa
+++ b/ops/nixos/lib/coredns/zones/db.30.118.92.in-addr.arpa
@@ -3,7 +3,7 @@
 ; SPDX-License-Identifier: Apache-2.0
 ; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL
-@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 2 600 450 3600 300
+@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 3 600 450 3600 300
 $INCLUDE tmpl.ns
@@ -260,6 +260,6 @@ $INCLUDE tmpl.ns
 250 600 IN PTR 92-118-30-250.ptr.as205479.net.
 251 600 IN PTR 92-118-30-251.ptr.as205479.net.
 252 600 IN PTR 92-118-30-252.ptr.as205479.net.
-253 600 IN PTR 92-118-30-253.ptr.as205479.net.
+253 600 IN PTR eduroam.mldn-rd.as205479.net.
 254 600 IN PTR mldn-rd.as205479.net.
 255 600 IN PTR 92-118-30-255.ptr.as205479.net.
diff --git a/ops/nixos/lib/coredns/zones/db.as205479.net b/ops/nixos/lib/coredns/zones/db.as205479.net
index b6b0d71cf5..6f98cf73d9 100644
--- a/ops/nixos/lib/coredns/zones/db.as205479.net
+++ b/ops/nixos/lib/coredns/zones/db.as205479.net
@@ -3,7 +3,7 @@
 ; SPDX-License-Identifier: Apache-2.0
 ; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL
-@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 33 600 450 3600 300
+@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 34 600 450 3600 300
 ; NB: this are also glue records in Google Domains.
 $INCLUDE tmpl.ns
@@ -100,6 +100,8 @@ tuvok.ee-tuvok.mldn-rd 3600 IN A 92.118.30.3
 tuvok.ee-tuvok.mldn-rd 3600 IN AAAA 2a09:a442::2:2
 mldn-rd 3600 IN A 92.118.30.254
 mldn-rd 3600 IN AAAA 2a09:a443::1
+eduroam.mldn-rd 3600 IN A 92.118.30.253
+eduroam.mldn-rd 3600 IN AAAA 2a09:a443:2::1
 ; blade internal
 blade-oa.blade 3600 IN A 10.100.1.200
diff --git a/ops/nixos/swann/default.nix b/ops/nixos/swann/default.nix
index cb709d5ead..31cb490ec0 100644
--- a/ops/nixos/swann/default.nix
+++ b/ops/nixos/swann/default.nix
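Review bot: The new `eduroam.mldn-rd 3600 IN AAAA 2a09:a443:2::1` record gets no reverse entry, whereas the IPv4 side does (`253 600 IN PTR eduroam.mldn-rd.as205479.net.` in db.30.118.92.in-addr.arpa). If the zones directory already carries an ip6.arpa zone for 2a09:a443::/32 — none is visible in this diff — a matching `PTR eduroam.mldn-rd.as205479.net.` for 2a09:a443:2::1, with that zone's SOA serial bumped, would keep forward and reverse lookups consistent for the router's eduroam-facing address. If no such reverse zone exists this can be ignored.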
@@ -53,6 +53,7 @@ in { ipv4.addresses = [ { address = "127.0.0.1"; prefixLength = 8; } { address = "92.118.30.254"; prefixLength = 32; } + { address = "92.118.30.253"; prefixLength = 32; } ]; }; en-virginmedia = { @@ -79,6 +80,21 @@ in { { address = "2a09:a443:1::1"; prefixLength = 48; } ]; }; + vl-eduroam = { + ipv4.addresses = [ + { address = "192.168.10.1"; prefixLength = 24; } + ]; + ipv6.addresses = [ + { address = "2a09:a443:2::1"; prefixLength = 64; } + { address = "2a09:a443:3::1"; prefixLength = 48; } + ]; + }; + }; + vlans = { + vl-eduroam = { + id = 100; + interface = "en-general"; + }; }; dhcpcd.extraConfig = '' @@ -181,11 +197,21 @@ in { # SNAT packets we're sending over tunnels. iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o wg-tuvok-vm -j SNAT --to-source 92.118.30.254 iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o wg-tuvok-ee -j SNAT --to-source 92.118.30.254 + + # eduroam + # > mark incoming eduroam packets + iptables -w -t nat -A nixos-nat-pre -i vl-eduroam -j MARK --set-mark 2 + # > NAT packets going over EE/VM. + iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o en-virginmedia -j MASQUERADE + iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o en-ee -j MASQUERADE + # > NAT packets going over tunnels. + iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o wg-tuvok-vm -j SNAT --to-source 92.118.30.253 + iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o wg-tuvok-ee -j SNAT --to-source 92.118.30.253 ''; }; services.dhcpd4 = { enable = true; - interfaces = ["en-general"]; + interfaces = ["en-general" "vl-eduroam"]; authoritative = true; extraConfig = '' subnet 192.168.1.0 netmask 255.255.255.0 { 
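Review bot: The eduroam mark is set in the `nat` table (`iptables -w -t nat -A nixos-nat-pre -i vl-eduroam -j MARK --set-mark 2`), which conntrack consults only for the first packet of a flow, so only that packet carries mark 2; that is enough for the SNAT/MASQUERADE selection in `nixos-nat-post`, but if mark 2 is also meant to steer eduroam flows into a tunnel routing table with `ip rule fwmark 2` (not in this diff), later packets of each flow would route via the main table. The existing mark-1 rules follow the same pattern, so presumably this is covered in `mangle` or with CONNMARK elsewhere; worth confirming, or moving the MARK to `-t mangle -A PREROUTING` with a `-j CONNMARK --save-mark` / `--restore-mark` pair. Separately, the `-m mark --mark 2 -o en-virginmedia|en-ee -j MASQUERADE` rules let eduroam traffic egress the WAN links directly, which the FORWARD rules in a later hunk reject for new flows; a comment stating whether that is an intentional fallback or dead code would help the next reader.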
@@ -199,6 +225,18 @@ in { range 192.168.1.100 192.168.1.200; } + + subnet 192.168.10.0 netmask 255.255.255.0 { + option subnet-mask 255.255.255.0; + option routers 192.168.10.1; + option domain-name-servers 192.168.10.1; + option domain-name "eduroam.as205479.net"; + default-lease-time 600; + max-lease-time 3600; + option interface-mtu 1420; # Wireguard + + range 192.168.10.100 192.168.10.200; + } ''; machines = [ { @@ -294,6 +332,14 @@ in { 53 # DNS ]; }; + interfaces.vl-eduroam = { + allowedTCPPorts = [ + 53 # DNS + ]; + allowedUDPPorts = [ + 53 # DNS + ]; + }; interfaces.wg-tuvok-ee = { allowedUDPPorts = [ 3784 # BFD @@ -305,8 +351,17 @@ in { ]; }; extraCommands = '' - iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360 - ip6tables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360 + ip46tables -F FORWARD + + ip46tables -N ts-forward || true + ip46tables -A FORWARD -j ts-forward + + iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360 + ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360 + + ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-ee -j ACCEPT + ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-vm -j ACCEPT + ip46tables -A FORWARD -i vl-eduroam -m state --state NEW,RELATED -j REJECT ''; }; @@ -357,13 +412,13 @@ in { enable = true; config = '' .:53 { - bind 192.168.1.1 127.0.0.53 2a09:a443::1 2a09:a443:1::1 + bind 192.168.1.1 192.168.10.1 127.0.0.53 2a09:a443::1 2a09:a443:1::1 2a09:a443:2::1 2a09:a443:3::1 acl { allow net 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 100.64.0.0/10 2a09:a443::/32 block } hosts /dev/null { - 216.239.38.120 stadia.google.com stadia.com + #216.239.38.120 stadia.google.com stadia.com fallthrough } loadbalance 
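Review bot: `interfaces.vl-eduroam` opens only TCP/UDP 53, yet `services.dhcpd6` is enabled on `vl-eduroam` later in this diff and radvd sets `AdvManagedFlag on` for it, so clients will send DHCPv6 Solicit/Request to UDP 547 on the router; unlike ISC dhcpd4, which uses raw sockets, the v6 server listens on an ordinary UDP socket and is subject to nixos-fw. Unless the dhcpd6 module or the en-general block above this hunk already handles it, add `547 # DHCPv6` to `allowedUDPPorts`. The en-general port list is cut off above the hunk, so I cannot tell whether it lists 547 either.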
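Review bot: The isolation rule `ip46tables -A FORWARD -i vl-eduroam -m state --state NEW,RELATED -j REJECT` matches only NEW and RELATED, so INVALID packets from the eduroam VLAN fall through to the chain policy, which this hunk does not set and which is ACCEPT unless configured elsewhere; it also rejects RELATED, which breaks ICMP errors and helper-driven flows for the tunnel connections the two lines above it just accepted. A default-deny shape is clearer and closes the gap: `ip46tables -A FORWARD -i vl-eduroam -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` followed by `ip46tables -A FORWARD -i vl-eduroam -j REJECT`, keeping the two `-o wg-tuvok-*` ACCEPT lines before them. Nothing here restricts the reverse direction, so hosts on en-general or the tunnels can open new connections to eduroam clients; if the VLAN is meant to be a guest segment, a matching `-o vl-eduroam` rule is needed. Also, `ip46tables -F FORWARD` discards every FORWARD rule other services installed before the firewall ran; the re-added jump covers `ts-forward` but nothing else.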
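Review bot: The `#216.239.38.120 stadia.google.com stadia.com` change in the coredns `hosts` block is unrelated to the eduroam VLAN and leaves a dead commented-out override with no explanation. Either delete the line or split it into its own commit, and if it is kept for reference add a comment saying why the override was disabled. The `bind` additions themselves match the new 192.168.10.1, 2a09:a443:2::1 and 2a09:a443:3::1 addresses, and the existing `allow net 192.168.0.0/16 … 2a09:a443::/32` ACL already admits the eduroam ranges.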
@@ -460,6 +515,9 @@ in { # Covering route... route 2a09:a443::/64 via "en-general"; + route 2a09:a443:1::/48 via "en-general"; + route 2a09:a443:2::/64 via "vl-eduroam"; + route 2a09:a443:3::/48 via "vl-eduroam"; route 2a09:a443::/32 unreachable; }; @@ -498,11 +556,28 @@ in { AdvAutonomous off; }; }; + interface vl-eduroam { + AdvSendAdvert on; + AdvLinkMTU 1420; # Wireguard + AdvManagedFlag on; + + RDNSS 2a09:a443:2::1 {}; + DNSSL eduroam.as205479.net {}; + + prefix 2a09:a443:2::/64 { + AdvOnLink on; + AdvAutonomous on; + }; + prefix 2a09:a443:3::/48 { + AdvOnLink on; + AdvAutonomous off; + }; + }; ''; }; services.dhcpd6 = { enable = true; - interfaces = ["en-general"]; + interfaces = ["en-general" "vl-eduroam"]; authoritative = true; extraConfig = '' subnet6 2a09:a443:1::/48 { @@ -513,6 +588,14 @@ in { option dhcp6.name-servers 2a09:a443:1::1; option dhcp6.domain-search "house.as205479.net"; } + subnet6 2a09:a443:3::/48 { + range6 2a09:a443:3:1::/64; + range6 2a09:a443:3:2::/64 temporary; + prefix6 2a09:a443:3:1000:: 2a09:a443:3:ffff:: /56; + + option dhcp6.name-servers 2a09:a443:3::1; + option dhcp6.domain-search "eduroam.as205479.net"; + } ''; };
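Review bot: `route 2a09:a443:1::/48 via "en-general";` concerns the existing house network rather than eduroam, and given the `route 2a09:a443::/32 unreachable;` covering route below it the /48 was presumably not exported before; it looks like a separate fix riding along in this commit. It deserves its own commit or at least a comment on the line (e.g. `# house /48 (en-general); must sit above the /32 unreachable`) so the intent is not lost. The enclosing bird protocol block starts and ends outside the hunk.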