| -rw-r--r-- | router.nix | 87 | ||||
| -rw-r--r-- | secrets/secrets.nix | 3 | ||||
| -rw-r--r-- | secrets/wifi-password-guest.txt.age | 11 | ||||
| -rw-r--r-- | secrets/wifi-password-staff.txt.age (renamed from secrets/wifi-password.txt.age) | 0 |
4 files changed, 74 insertions, 27 deletions
@@ -11,11 +11,21 @@
 53
 67
 ];
+ extraForwardRules = ''
+ iifname "ethlan" oifname "wlan-staff" accept
+ iifname "ethlan" oifname "wlan-guest" accept
+
+ iifname "wlan-staff" oifname "ethlan" accept
+ iifname "wlan-staff" oifname "wlan-guest" accept
+
+ iifname "wlan-guest" oifname "ethlan" accept
+ iifname "wlan-guest" oifname "wlan-staff" accept
+ '';
 };
 nat = {
 enable = true;
 externalInterface = "wan";
- internalInterfaces = [ "lanbr" ];
+ internalInterfaces = [ "ethlan" "wlan-staff" "wlan-guest" ];
 forwardPorts = [
 {
 sourcePort = 51801;
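Review bot: The rules `iifname "wlan-guest" oifname "ethlan" accept` and `iifname "wlan-guest" oifname "wlan-staff" accept` in the new extraForwardRules let guest-VLAN clients initiate connections into the wired LAN and the staff VLAN, so the guest/staff split this commit introduces is only an addressing split, not an isolation boundary. Dropping those two lines limits guests to the internet path that the widened `nat.internalInterfaces` gives them; replies to LAN- or staff-initiated flows still pass as long as the forward chain accepts established/related conntrack state ahead of these rules, which I believe the NixOS nftables firewall does by default but which is worth confirming on the generated ruleset. The two staff→guest rules are less critical but equally unnecessary unless staff devices genuinely need to reach guest clients. The enclosing firewall attribute set starts before the hunk.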
@@ -53,38 +63,51 @@ linkConfig.RequiredForOnline = "routable"; }; - netdevs."10-lanbr".netdevConfig = { - Kind = "bridge"; - Name = "lanbr"; - }; - networks."10-lanbr" = { - matchConfig.Name = "lanbr"; - bridgeConfig = { }; - networkConfig = { - IPMasquerade = "ipv4"; - Address = "10.69.0.1/16"; - }; - linkConfig.RequiredForOnline = "routable"; - }; - links."10-ethlan" = { matchConfig.Path = "pci-0000:05:00.0-usb-0:2:1.0"; linkConfig.Name = "ethlan"; }; networks."10-ethlan" = { matchConfig.Name = "ethlan"; - networkConfig.Bridge = "lanbr"; - linkConfig.RequiredForOnline = "enslaved"; + networkConfig.Address = "10.69.0.1/24"; + linkConfig.RequiredForOnline = "routable"; }; links."10-wlan" = { matchConfig.Path = "pci-0000:09:00.0"; linkConfig.Name = "wlan"; }; - networks."10-wlan" = { + networks."20-wlan" = { matchConfig.Name = "wlan"; - networkConfig.Bridge = "lanbr"; - linkConfig.RequiredForOnline = "enslaved"; + vlan = [ "wlan-staff" "wlan-guest" ]; + networkConfig.LinkLocalAddressing = "no"; + linkConfig.RequiredForOnline = "carrier"; + }; + + netdevs."10-vlan-staff" = { + netdevConfig = { + Kind = "vlan"; + Name = "wlan-staff"; + }; + vlanConfig.Id = 10; + }; + networks."30-vlan-staff" = { + matchConfig.Name = "wlan-staff"; + networkConfig.Address = "10.69.1.1/24"; + linkConfig.RequiredForOnline = "routable"; + }; + + netdevs."10-vlan-guest" = { + netdevConfig = { + Kind = "vlan"; + Name = "wlan-guest"; + }; + vlanConfig.Id = 20; + }; + networks."30-vlan-guest" = { + matchConfig.Name = "wlan-guest"; + networkConfig.Address = "10.69.2.1/24"; + linkConfig.RequiredForOnline = "routable"; }; }; services.resolved.enable = false;
@@ -119,7 +142,8 @@
 authentication = {
 mode = "wpa3-sae";
 saePasswords = [
- { passwordFile = config.age.secrets."wifi-password.txt".path; }
+ { passwordFile = config.age.secrets."wifi-password-staff.txt".path; vlanid = 10; }
+ { passwordFile = config.age.secrets."wifi-password-guest.txt".path; vlanid = 20; }
 ];
 };
 };
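Review bot: The networkd side creates `wlan-staff` (VLAN 10) and `wlan-guest` (VLAN 20) on the `wlan` parent, but nothing in this diff tells hostapd that stations tagged `vlanid = 10`/`20` belong on those particular interfaces; as far as I know hostapd's dynamic-VLAN support creates or looks up VLAN devices by its own naming rules (vlan_file / vlan_naming), and the kernel refuses a second 802.1Q device with the same id on the same parent, so either that mapping lives outside this diff or the two configurations will collide at runtime — worth checking with `ip -d link show` after deployment. A comment on `networks."20-wlan"` such as `# trunk only: addresses live on the wlan-staff/wlan-guest VLAN children; hostapd must map vlanid 10/20 onto these names` would record the dependency. The enclosing systemd.network block starts before the hunk.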
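Review bot: VLAN membership in the saePasswords list is decided solely by which SAE passphrase a station used, so the staff/guest boundary is exactly as strong as the secrecy of the staff passphrase. The staff entry points at `wifi-password-staff.txt`, which the rename section below shows is the old `wifi-password.txt.age` with an unchanged blob (index 97874ac..97874ac); if that passphrase was ever handed to visitors, they now land on the staff VLAN, so it should be rotated when this goes live. A comment such as `# vlanid selects the VLAN per passphrase: staff = 10, guest = 20; rotating the staff passphrase is the only way to evict a device from VLAN 10` on `saePasswords` would make that explicit. The enclosing hostapd network block starts before and ends after the hunk.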
@@ -141,11 +165,21 @@ "1.0.0.1" ]; - interface = "lanbr"; - dhcp-range = "10.69.0.50,10.69.0.254,255.255.0.0,1h"; + except-interface = "wan"; + dhcp-range = [ + "ethlan,10.69.0.50,10.69.0.254,255.255.255.0,1h" + "wlan-staff,10.69.1.2,10.69.1.254,255.255.255.0,1h" + "wlan-guest,10.69.2.2,10.69.2.254,255.255.255.0,1h" + ]; dhcp-option = [ - "option:router,10.69.0.1" - "option:dns-server,10.69.0.1" + "ethlan,option:router,10.69.0.1" + "ethlan,option:dns-server,10.69.0.1" + + "wlan-staff,option:router,10.69.1.1" + "wlan-staff,option:dns-server,10.69.1.1" + + "wlan-guest,option:router,10.69.2.1" + "wlan-guest,option:dns-server,10.69.2.1" ]; dhcp-authoritative = true;
@@ -160,6 +194,7 @@ }; oden.persist.directories = [ "/var/lib/dnsmasq" ]; - age.secrets."wifi-password.txt".file = ./secrets/wifi-password.txt.age; + age.secrets."wifi-password-staff.txt".file = ./secrets/wifi-password-staff.txt.age; + age.secrets."wifi-password-guest.txt".file = ./secrets/wifi-password-guest.txt.age; age.secrets."dyndns-url.txt".file = ./secrets/dyndns-url.txt.age; }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 0125da8..be661f8 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -7,7 +7,8 @@ let
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPC69ml72mqbn7L3QkpsCJuWdrKFYFNd0MaS5xERbuSF" # ymer
 ];
 files = [
- "wifi-password.txt.age"
+ "wifi-password-staff.txt.age"
+ "wifi-password-guest.txt.age"
 "password-hash.txt.age"
 "dyndns-url.txt.age"
 ];
diff --git a/secrets/wifi-password-guest.txt.age b/secrets/wifi-password-guest.txt.age
new file mode 100644
index 0000000..4396abe
--- /dev/null
+++ b/secrets/wifi-password-guest.txt.age
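Review bot: `except-interface = "wan"` makes dnsmasq listen on every interface other than wan — the tagged `wlan` trunk and anything added to the router later included — whereas the replaced `interface = "lanbr"` pinned it to one segment. Since the three client segments are enumerated in the new dhcp-range list anyway, `interface = [ "ethlan" "wlan-staff" "wlan-guest" ];` keeps DNS and DHCP off everything else without depending on the exception list staying complete. The enclosing dnsmasq settings block starts before the hunk.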
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 rf0kpA msdDPOThxoyWJRmo/bglWm2nzYOpi5NNF3Klj7lKxQA +dPwPPcj6miYcIvKWB+EInfRQcV6rIRbeGYIDu/8hgeI +-> piv-p256 Ddzw4A AjgyIJrJeopGKXqr3zarCKIK3cebSsEQu4Fp474eXmW7 ++nnfFvB1KNdyntxq0iHuyjRa219CfnDNoDUO+nnfLbg +-> piv-p256 9aSbLw Ah9pJvMr5tQj8l1+p9O+pGJVpEvomsnKQudp+NvA11QI +23h+az85MVXrKNT2ufdLDpiCmb9IWpp6oL5YgtD8ti0 +-> ssh-ed25519 YS7/yg oIQkL1BRoTBzp5XPVFxIRhRD/LX2RIPxZodMiBF7dBc +23FyGh6NfFqLTxxAuNW+Nc6NCIMJMkXxqTC7PkQjEio +--- xOXMGYxRuRpoqbUBNk6/zhCjTKptV44bWW3MDQLG6IU +kSMM9T1/u+OlΉ|;;+m8.Uc;NǶW
\ No newline at end of file diff --git a/secrets/wifi-password.txt.age b/secrets/wifi-password-staff.txt.age index 97874ac..97874ac 100644 --- a/secrets/wifi-password.txt.age +++ b/secrets/wifi-password-staff.txt.age |
