diff --git a/systems/LoutreOS/network.nix b/systems/LoutreOS/network.nix
index 141298b..9dec1e7 100644
--- a/systems/LoutreOS/network.nix
+++ b/systems/LoutreOS/network.nix
@@ -114,8 +114,41 @@
 ];
 };
+ #################
+ # ROUTING RULES #
+ #################
+
+ # 0: from all lookup local
+ # 60: from all iif lo dport 25 lookup vpn
+ # 4000: from all fwmark 0x1 lookup fiber
+ # 5000: from all fwmark 0x2 lookup lte
+ # 6000: from all fwmark 0x3 lookup vpn
+ # 32766: from all lookup main
+ # 32767: from all lookup default
+ # 40000: from all lookup fiber
+ # 50000: from all lookup lte
+
+ # TODO
+
+ ##################
+ # iptables rules #
+ ##################
+
+ # # Restore the packet's CONNMARK to the MARK.
+ # iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
+ # # If packet MARK is set, then it means that there is already a connection mark
+ # iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
+ # # Else, we need to mark the packet. If the packet is incoming on bouygues then set MARK to 1
+ # iptables -A PREROUTING -t mangle -i bouygues -j MARK --set-mark 1
+ # iptables -A PREROUTING -t mangle -i enp0s21u1 -j MARK --set-mark 2
+ # iptables -A PREROUTING -t mangle -i wg0 -j MARK --set-mark 3
+ # # Save MARK to CONNMARK.
+ # iptables -A PREROUTING -t mangle -j CONNMARK --save-mark
+
 systemd.network = let
 routeTables = {
+ fiber = 1;
+ lte = 2;
 vpn = 3;
 };
 in {
@@ -164,14 +197,17 @@
 # Set route metric to highest priority
 # Set DHCP client magic settings for Bouygues
 "40-bouygues" = {
- dhcpV4Config.RouteMetric = 1;
+ dhcpV4Config.RouteTable = routeTables.fiber;
 dhcpV6Config = {
 DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
 WithoutRA = "solicit";
 };
- ipv6AcceptRAConfig.DHCPv6Client = true;
+ ipv6AcceptRAConfig = {
+ DHCPv6Client = true;
+ RouteTable = routeTables.fiber;
+ };
 networkConfig = {
 KeepConfiguration = "dhcp-on-stop";
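Review bot: Nothing in this commit sets the fwmarks that the rules documented at priorities 4000/5000/6000 match on: the only marking logic is the iptables mangle block, and it is commented out under `# TODO`, so every `FirewallMark` policy rule added to the bouygues, enp0s21u1 and wg0 networks is inert until those rules are installed for real (on NixOS that would be the firewall's extraCommands, not a comment). Until then only the 40000/50000 catch-all rules decide egress, which deserves a sentence in the commit message or next to the TODO. The mark values 1, 2 and 3 also silently mirror the `routeTables` ids; a comment such as `# fwmark N selects table N in the FirewallMark rules below -- keep in sync` above `routeTables`, or deriving the marks from the table ids, would keep that coupling visible.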
@@ -181,6 +217,25 @@
 # Static attribution of first IPv6 subnet
 dhcpPrefixDelegationConfig.SubnetId = "0";
+
+ # Route everything to fiber link with a priority of 40000
+ routingPolicyRules = [
+ {
+ routingPolicyRuleConfig = {
+ FirewallMark = 1;
+ Table = routeTables.fiber;
+ Priority = 4000;
+ Family = "both";
+ };
+ }
+ {
+ routingPolicyRuleConfig = {
+ Table = routeTables.fiber;
+ Priority = 40000;
+ Family = "both";
+ };
+ }
+ ];
 };
 # Don't check VLAN physical interface as it is not directly used
@@ -191,7 +246,28 @@
 #######
 # Set LTE route to lower priority
- "40-enp0s21u1".dhcpV4Config.RouteMetric = 1024;
+ "40-enp0s21u1" = {
+ dhcpV4Config.RouteTable = routeTables.lte;
+
+ # Route all to lte link with a priority of 50000
+ routingPolicyRules = [
+ {
+ routingPolicyRuleConfig = {
+ FirewallMark = 2;
+ Table = routeTables.lte;
+ Priority = 5000;
+ Family = "both";
+ };
+ }
+ {
+ routingPolicyRuleConfig = {
+ Table = routeTables.lte;
+ Priority = 50000;
+ Family = "both";
+ };
+ }
+ ];
+ };
 #######
 # VPN #
@@ -214,7 +290,7 @@
 IncomingInterface = "lo";
 DestinationPort = "25";
 Table = routeTables.vpn;
- Priority = 50;
+ Priority = 60;
 Family = "both";
 };
 }
@@ -222,16 +298,10 @@
 # Allow server to respond on the wg0 interface requests
 {
 routingPolicyRuleConfig = {
- From = vpnIPv4;
+ FirewallMark = 3;
 Table = routeTables.vpn;
- Priority = 49;
- };
- }
- {
- routingPolicyRuleConfig = {
- From = vpnIPv6;
- Table = routeTables.vpn;
- Priority = 49;
+ Priority = 6000;
+ Family = "both";
 };
 }
 ];
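Review bot: The comment `# Route everything to fiber link with a priority of 40000` describes only the second rule of the list it introduces; the first rule is the fwmark-1 rule at priority 4000, and the enp0s21u1 hunk has the same mismatch with `# Route all to lte link with a priority of 50000`. Suggest `# fwmark 1 (connection arrived on fiber) -> fiber at 4000; everything else -> fiber at 40000` here and the lte counterpart there. Since `RouteTable = routeTables.fiber` now moves the DHCP-learned routes out of `main`, these per-link catch-all rules are what carries the host's default route, and they only exist while the corresponding link is configured — presumably the intended fail-over (fiber at 40000 before lte at 50000), but that is written down nowhere, so a one-line comment on the 40000 rule would make it explicit. The enclosing `"40-bouygues"` attrset starts outside this hunk.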
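Review bot: Replacing the `From = vpnIPv4;` / `From = vpnIPv6;` rules with a single `FirewallMark = 3` rule removes the source-address steering before anything sets mark 3: the wg0 marking exists only as commented-out iptables lines under the TODO in the first hunk. After this commit, packets originating from the wg0 addresses fall through to the 40000 fiber catch-all, so what previously left through wg0 would presumably leave through the fiber uplink carrying a VPN-internal source address (asymmetric routing at best, dropped or leaked traffic at worst) — worth confirming against the wg0 address plan. Keep the two `From` rules (even at a lower priority than the mark rule) until the marking is live, and check whether `vpnIPv4`/`vpnIPv6` still have other users, since they would otherwise become unused let bindings. The `routingPolicyRules` list this hunk edits starts outside the hunk.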