swann: configure for eduroam on VLAN 100

Luke Granger-Brown 2021-09-25 17:38:21 +00:00
parent f93ec18859
commit a8718864c1
3 changed files with 94 additions and 9 deletions


@ -3,7 +3,7 @@
; SPDX-License-Identifier: Apache-2.0 ; SPDX-License-Identifier: Apache-2.0
; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL ; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL
@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 2 600 450 3600 300 @ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 3 600 450 3600 300
$INCLUDE tmpl.ns $INCLUDE tmpl.ns
@ -260,6 +260,6 @@ $INCLUDE tmpl.ns
250 600 IN PTR 92-118-30-250.ptr.as205479.net. 250 600 IN PTR 92-118-30-250.ptr.as205479.net.
251 600 IN PTR 92-118-30-251.ptr.as205479.net. 251 600 IN PTR 92-118-30-251.ptr.as205479.net.
252 600 IN PTR 92-118-30-252.ptr.as205479.net. 252 600 IN PTR 92-118-30-252.ptr.as205479.net.
253 600 IN PTR 92-118-30-253.ptr.as205479.net. 253 600 IN PTR eduroam.mldn-rd.as205479.net.
254 600 IN PTR mldn-rd.as205479.net. 254 600 IN PTR mldn-rd.as205479.net.
255 600 IN PTR 92-118-30-255.ptr.as205479.net. 255 600 IN PTR 92-118-30-255.ptr.as205479.net.


@ -3,7 +3,7 @@
; SPDX-License-Identifier: Apache-2.0 ; SPDX-License-Identifier: Apache-2.0
; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL ; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL
@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 33 600 450 3600 300 @ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 34 600 450 3600 300
; NB: this are also glue records in Google Domains. ; NB: this are also glue records in Google Domains.
$INCLUDE tmpl.ns $INCLUDE tmpl.ns
@ -100,6 +100,8 @@ tuvok.ee-tuvok.mldn-rd 3600 IN A 92.118.30.3
tuvok.ee-tuvok.mldn-rd 3600 IN AAAA 2a09:a442::2:2 tuvok.ee-tuvok.mldn-rd 3600 IN AAAA 2a09:a442::2:2
mldn-rd 3600 IN A 92.118.30.254 mldn-rd 3600 IN A 92.118.30.254
mldn-rd 3600 IN AAAA 2a09:a443::1 mldn-rd 3600 IN AAAA 2a09:a443::1
eduroam.mldn-rd 3600 IN A 92.118.30.253
eduroam.mldn-rd 3600 IN AAAA 2a09:a443:2::1
; blade internal ; blade internal
blade-oa.blade 3600 IN A 10.100.1.200 blade-oa.blade 3600 IN A 10.100.1.200


@ -53,6 +53,7 @@ in {
ipv4.addresses = [ ipv4.addresses = [
{ address = "127.0.0.1"; prefixLength = 8; } { address = "127.0.0.1"; prefixLength = 8; }
{ address = "92.118.30.254"; prefixLength = 32; } { address = "92.118.30.254"; prefixLength = 32; }
{ address = "92.118.30.253"; prefixLength = 32; }
]; ];
}; };
en-virginmedia = { en-virginmedia = {
@ -79,6 +80,21 @@ in {
{ address = "2a09:a443:1::1"; prefixLength = 48; } { address = "2a09:a443:1::1"; prefixLength = 48; }
]; ];
}; };
vl-eduroam = {
ipv4.addresses = [
{ address = "192.168.10.1"; prefixLength = 24; }
];
ipv6.addresses = [
{ address = "2a09:a443:2::1"; prefixLength = 64; }
{ address = "2a09:a443:3::1"; prefixLength = 48; }
];
};
};
vlans = {
vl-eduroam = {
id = 100;
interface = "en-general";
};
}; };
dhcpcd.extraConfig = '' dhcpcd.extraConfig = ''
@ -181,11 +197,21 @@ in {
# SNAT packets we're sending over tunnels. # SNAT packets we're sending over tunnels.
iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o wg-tuvok-vm -j SNAT --to-source 92.118.30.254 iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o wg-tuvok-vm -j SNAT --to-source 92.118.30.254
iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o wg-tuvok-ee -j SNAT --to-source 92.118.30.254 iptables -w -t nat -A nixos-nat-post -m mark --mark 1 -o wg-tuvok-ee -j SNAT --to-source 92.118.30.254
# eduroam
# > mark incoming eduroam packets
iptables -w -t nat -A nixos-nat-pre -i vl-eduroam -j MARK --set-mark 2
# > NAT packets going over EE/VM.
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o en-virginmedia -j MASQUERADE
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o en-ee -j MASQUERADE
# > NAT packets going over tunnels.
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o wg-tuvok-vm -j SNAT --to-source 92.118.30.253
iptables -w -t nat -A nixos-nat-post -m mark --mark 2 -o wg-tuvok-ee -j SNAT --to-source 92.118.30.253
''; '';
}; };
services.dhcpd4 = { services.dhcpd4 = {
enable = true; enable = true;
interfaces = ["en-general"]; interfaces = ["en-general" "vl-eduroam"];
authoritative = true; authoritative = true;
extraConfig = '' extraConfig = ''
subnet 192.168.1.0 netmask 255.255.255.0 { subnet 192.168.1.0 netmask 255.255.255.0 {
@ -199,6 +225,18 @@ in {
range 192.168.1.100 192.168.1.200; range 192.168.1.100 192.168.1.200;
} }
subnet 192.168.10.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option routers 192.168.10.1;
option domain-name-servers 192.168.10.1;
option domain-name "eduroam.as205479.net";
default-lease-time 600;
max-lease-time 3600;
option interface-mtu 1420; # Wireguard
range 192.168.10.100 192.168.10.200;
}
''; '';
machines = [ machines = [
{ {
@ -294,6 +332,14 @@ in {
53 # DNS 53 # DNS
]; ];
}; };
interfaces.vl-eduroam = {
allowedTCPPorts = [
53 # DNS
];
allowedUDPPorts = [
53 # DNS
];
};
interfaces.wg-tuvok-ee = { interfaces.wg-tuvok-ee = {
allowedUDPPorts = [ allowedUDPPorts = [
3784 # BFD 3784 # BFD
@ -305,8 +351,17 @@ in {
]; ];
}; };
extraCommands = '' extraCommands = ''
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360 ip46tables -F FORWARD
ip6tables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
ip46tables -N ts-forward || true
ip46tables -A FORWARD -j ts-forward
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-ee -j ACCEPT
ip46tables -A FORWARD -i vl-eduroam -o wg-tuvok-vm -j ACCEPT
ip46tables -A FORWARD -i vl-eduroam -m state --state NEW,RELATED -j REJECT
''; '';
}; };
@ -357,13 +412,13 @@ in {
enable = true; enable = true;
config = '' config = ''
.:53 { .:53 {
bind 192.168.1.1 127.0.0.53 2a09:a443::1 2a09:a443:1::1 bind 192.168.1.1 192.168.10.1 127.0.0.53 2a09:a443::1 2a09:a443:1::1 2a09:a443:2::1 2a09:a443:3::1
acl { acl {
allow net 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 100.64.0.0/10 2a09:a443::/32 allow net 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 100.64.0.0/10 2a09:a443::/32
block block
} }
hosts /dev/null { hosts /dev/null {
216.239.38.120 stadia.google.com stadia.com #216.239.38.120 stadia.google.com stadia.com
fallthrough fallthrough
} }
loadbalance loadbalance
@ -460,6 +515,9 @@ in {
# Covering route... # Covering route...
route 2a09:a443::/64 via "en-general"; route 2a09:a443::/64 via "en-general";
route 2a09:a443:1::/48 via "en-general";
route 2a09:a443:2::/64 via "vl-eduroam";
route 2a09:a443:3::/48 via "vl-eduroam";
route 2a09:a443::/32 unreachable; route 2a09:a443::/32 unreachable;
}; };
@ -498,11 +556,28 @@ in {
AdvAutonomous off; AdvAutonomous off;
}; };
}; };
interface vl-eduroam {
AdvSendAdvert on;
AdvLinkMTU 1420; # Wireguard
AdvManagedFlag on;
RDNSS 2a09:a443:2::1 {};
DNSSL eduroam.as205479.net {};
prefix 2a09:a443:2::/64 {
AdvOnLink on;
AdvAutonomous on;
};
prefix 2a09:a443:3::/48 {
AdvOnLink on;
AdvAutonomous off;
};
};
''; '';
}; };
services.dhcpd6 = { services.dhcpd6 = {
enable = true; enable = true;
interfaces = ["en-general"]; interfaces = ["en-general" "vl-eduroam"];
authoritative = true; authoritative = true;
extraConfig = '' extraConfig = ''
subnet6 2a09:a443:1::/48 { subnet6 2a09:a443:1::/48 {
@ -513,6 +588,14 @@ in {
option dhcp6.name-servers 2a09:a443:1::1; option dhcp6.name-servers 2a09:a443:1::1;
option dhcp6.domain-search "house.as205479.net"; option dhcp6.domain-search "house.as205479.net";
} }
subnet6 2a09:a443:3::/48 {
range6 2a09:a443:3:1::/64;
range6 2a09:a443:3:2::/64 temporary;
prefix6 2a09:a443:3:1000:: 2a09:a443:3:ffff:: /56;
option dhcp6.name-servers 2a09:a443:3::1;
option dhcp6.domain-search "eduroam.as205479.net";
}
''; '';
}; };
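Review bot: The guest-VLAN restriction `ip46tables -A FORWARD -i vl-eduroam -m state --state NEW,RELATED -j REJECT` is appended after the unconditional `ip46tables -A FORWARD -j ts-forward` jump, so anything that chain ACCEPTs is reachable from eduroam clients before the eduroam allow-list is consulted; moving the three `-i vl-eduroam` rules above the `ts-forward` jump makes the isolation hold regardless of what that chain contains. That same REJECT also means a NEW flow from vl-eduroam that policy routing ever sends directly out `en-ee`/`en-virginmedia` is dropped in FORWARD before it reaches nat POSTROUTING, so the two `-m mark --mark 2 ... -j MASQUERADE` rules look unreachable unless something outside this hunk accepts that path — either remove them or record the intent with `# WAN fallback for eduroam is deliberately rejected in FORWARD; these only apply if the tunnel-only rule is relaxed`. Separately, `services.dhcpd6.interfaces` now includes vl-eduroam but `interfaces.vl-eduroam` opens only port 53; if DHCPv6 on en-general relies on an `allowedUDPPorts` entry for 547 that sits outside this hunk, vl-eduroam needs the same entry or v6 leases on the guest VLAN will be filtered.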