From 085a4805d7768f4e1f92bea507a54cf470bb425c Mon Sep 17 00:00:00 2001
From: Mathias Magnusson
Date: Sun, 26 Oct 2025 13:28:03 +0100
Subject: wip: vlans
---
 router.nix | 87 +++++++++++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 61 insertions(+), 26 deletions(-)
(limited to 'router.nix')
diff --git a/router.nix b/router.nix
index 03f41fc..b8942e7 100644
--- a/router.nix
+++ b/router.nix
@@ -11,11 +11,21 @@
 53
 67
 ];
+ extraForwardRules = ''
+ iifname "ethlan" oifname "wlan-staff" accept
+ iifname "ethlan" oifname "wlan-guest" accept
+
+ iifname "wlan-staff" oifname "ethlan" accept
+ iifname "wlan-staff" oifname "wlan-guest" accept
+
+ iifname "wlan-guest" oifname "ethlan" accept
+ iifname "wlan-guest" oifname "wlan-staff" accept
+ '';
 };
 nat = {
 enable = true;
 externalInterface = "wan";
- internalInterfaces = [ "lanbr" ];
+ internalInterfaces = [ "ethlan" "wlan-staff" "wlan-guest" ];
 forwardPorts = [
 {
 sourcePort = 51801;
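Review bot: The added `extraForwardRules` accept traffic in every direction between `ethlan`, `wlan-staff` and `wlan-guest`, so the guest VLAN gets exactly the same reach into the wired LAN and the staff VLAN as staff devices have, which removes most of the benefit of splitting the VLANs. If guest isolation is the goal, the two rules `iifname "wlan-guest" oifname "ethlan" accept` and `iifname "wlan-guest" oifname "wlan-staff" accept` (and, unless return traffic is meant to originate there, the two matching `oifname "wlan-guest"` rules) should be dropped so guests only reach `wan` through the NAT. If the full mesh is deliberate for this wip stage, a one-line comment above `extraForwardRules` stating the intended inter-VLAN policy would keep it from being left in by accident. The attribute set these rules belong to starts outside the hunk.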
@@ -53,38 +63,51 @@ linkConfig.RequiredForOnline = "routable"; }; - netdevs."10-lanbr".netdevConfig = { - Kind = "bridge"; - Name = "lanbr"; - }; - networks."10-lanbr" = { - matchConfig.Name = "lanbr"; - bridgeConfig = { }; - networkConfig = { - IPMasquerade = "ipv4"; - Address = "10.69.0.1/16"; - }; - linkConfig.RequiredForOnline = "routable"; - }; - links."10-ethlan" = { matchConfig.Path = "pci-0000:05:00.0-usb-0:2:1.0"; linkConfig.Name = "ethlan"; }; networks."10-ethlan" = { matchConfig.Name = "ethlan"; - networkConfig.Bridge = "lanbr"; - linkConfig.RequiredForOnline = "enslaved"; + networkConfig.Address = "10.69.0.1/24"; + linkConfig.RequiredForOnline = "routable"; }; links."10-wlan" = { matchConfig.Path = "pci-0000:09:00.0"; linkConfig.Name = "wlan"; }; - networks."10-wlan" = { + networks."20-wlan" = { matchConfig.Name = "wlan"; - networkConfig.Bridge = "lanbr"; - linkConfig.RequiredForOnline = "enslaved"; + vlan = [ "wlan-staff" "wlan-guest" ]; + networkConfig.LinkLocalAddressing = "no"; + linkConfig.RequiredForOnline = "carrier"; + }; + + netdevs."10-vlan-staff" = { + netdevConfig = { + Kind = "vlan"; + Name = "wlan-staff"; + }; + vlanConfig.Id = 10; + }; + networks."30-vlan-staff" = { + matchConfig.Name = "wlan-staff"; + networkConfig.Address = "10.69.1.1/24"; + linkConfig.RequiredForOnline = "routable"; + }; + + netdevs."10-vlan-guest" = { + netdevConfig = { + Kind = "vlan"; + Name = "wlan-guest"; + }; + vlanConfig.Id = 20; + }; + networks."30-vlan-guest" = { + matchConfig.Name = "wlan-guest"; + networkConfig.Address = "10.69.2.1/24"; + linkConfig.RequiredForOnline = "routable"; }; }; services.resolved.enable = false; @@ -119,7 +142,8 @@ authentication = { mode = "wpa3-sae"; saePasswords = [ - { passwordFile = config.age.secrets."wifi-password.txt".path; } + { passwordFile = config.age.secrets."wifi-password-staff.txt".path; vlanid = 10; } + { passwordFile = config.age.secrets."wifi-password-guest.txt".path; vlanid = 20; } ]; }; }; 
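Review bot: The VLAN interfaces networkd creates and the ones hostapd will put clients on are defined independently and nothing in these hunks ties them together: `netdevs."10-vlan-staff"` and `netdevs."10-vlan-guest"` create `wlan-staff` (id 10) and `wlan-guest` (id 20) on `wlan`, while the two `saePasswords` entries only carry `vlanid = 10` and `vlanid = 20`. Unless hostapd is told elsewhere (for example via its `vlan_file` mapping) that id 10 is `wlan-staff` and id 20 is `wlan-guest`, it will presumably try to create its own VLAN netdevs for those ids on the same parent, which either collides with the networkd ones or leaves clients on interfaces that have no address, DHCP range or forward rules; worth confirming on the running system. A short comment on `netdevs."10-vlan-staff"` such as `# VLAN ids must match the vlanid values in the hostapd saePasswords list` would at least keep the two from drifting apart. The enclosing `systemd.network` and hostapd blocks both start outside these hunks.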
@@ -141,11 +165,21 @@ "1.0.0.1" ]; - interface = "lanbr"; - dhcp-range = "10.69.0.50,10.69.0.254,255.255.0.0,1h"; + except-interface = "wan"; + dhcp-range = [ + "ethlan,10.69.0.50,10.69.0.254,255.255.255.0,1h" + "wlan-staff,10.69.1.2,10.69.1.254,255.255.255.0,1h" + "wlan-guest,10.69.2.2,10.69.2.254,255.255.255.0,1h" + ]; dhcp-option = [ - "option:router,10.69.0.1" - "option:dns-server,10.69.0.1" + "ethlan,option:router,10.69.0.1" + "ethlan,option:dns-server,10.69.0.1" + + "wlan-staff,option:router,10.69.1.1" + "wlan-staff,option:dns-server,10.69.1.1" + + "wlan-guest,option:router,10.69.2.1" + "wlan-guest,option:dns-server,10.69.2.1" ]; dhcp-authoritative = true; @@ -160,6 +194,7 @@ }; oden.persist.directories = [ "/var/lib/dnsmasq" ]; - age.secrets."wifi-password.txt".file = ./secrets/wifi-password.txt.age; + age.secrets."wifi-password-staff.txt".file = ./secrets/wifi-password-staff.txt.age; + age.secrets."wifi-password-guest.txt".file = ./secrets/wifi-password-guest.txt.age; age.secrets."dyndns-url.txt".file = ./secrets/dyndns-url.txt.age; } -- cgit v1.2.3
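Review bot: Replacing `interface = "lanbr"` with `except-interface = "wan"` turns dnsmasq's binding from an allow-list into a deny-list, so DNS and DHCP are now offered on every interface other than `wan`, including the untagged `wlan` parent and any interface added later (a tunnel, a future VLAN) that was never meant to get a DHCP range or answer queries. Listing the served interfaces explicitly keeps the previous posture: `interface = [ "ethlan" "wlan-staff" "wlan-guest" ];` together with `bind-dynamic = true;` so dnsmasq binds only to those and copes with the VLAN interfaces appearing after it starts. The per-interface `dhcp-range` and `dhcp-option` entries already name exactly these three interfaces, so the allow-list adds no new maintenance. The dnsmasq settings block starts outside the hunk; the secret renames in the last hunk need nothing further.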