freifunk: add upstreams through separate table
This commit is contained in:
parent
3391956bbf
commit
1c3f457850
|
@ -2,7 +2,8 @@
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (zentralwerk.lib.config.site.net) core;
|
inherit (zentralwerk.lib.config.site.net) core;
|
||||||
coreAddress = core.hosts4.${config.networking.hostName};
|
inherit (config.networking) hostName;
|
||||||
|
coreAddress = core.hosts4.${hostName};
|
||||||
meshInterface = "bmx";
|
meshInterface = "bmx";
|
||||||
meshLoopback = "bmx_prime";
|
meshLoopback = "bmx_prime";
|
||||||
ddmeshRegisterUrl = "https://register.freifunk-dresden.de/bot.php";
|
ddmeshRegisterUrl = "https://register.freifunk-dresden.de/bot.php";
|
||||||
|
@ -13,6 +14,10 @@ let
|
||||||
rt_table_nets = rt_table_hosts + 1;
|
rt_table_nets = rt_table_hosts + 1;
|
||||||
rt_table_tuns = rt_table_hosts + 2;
|
rt_table_tuns = rt_table_hosts + 2;
|
||||||
sysinfo-json = import ./sysinfo-json.nix { inherit pkgs ddmeshNode; };
|
sysinfo-json = import ./sysinfo-json.nix { inherit pkgs ddmeshNode; };
|
||||||
|
|
||||||
|
upstreams = [ "upstream4" "upstream3" "upstream1" ];
|
||||||
|
upstreamMark = 3;
|
||||||
|
rt_table_upstream = 100;
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
"${modulesPath}/profiles/minimal.nix"
|
"${modulesPath}/profiles/minimal.nix"
|
||||||
|
@ -61,6 +66,7 @@ in {
|
||||||
networking.iproute2 = {
|
networking.iproute2 = {
|
||||||
enable = true;
|
enable = true;
|
||||||
rttablesExtraConfig = ''
|
rttablesExtraConfig = ''
|
||||||
|
${toString rt_table_upstream} upstream
|
||||||
${toString rt_table_hosts} bmx_hosts
|
${toString rt_table_hosts} bmx_hosts
|
||||||
${toString rt_table_nets} bmx_nets
|
${toString rt_table_nets} bmx_nets
|
||||||
${toString rt_table_tuns} bmx_tuns
|
${toString rt_table_tuns} bmx_tuns
|
||||||
|
@ -105,21 +111,35 @@ in {
|
||||||
};
|
};
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
|
"12-vpn6" = {
|
||||||
|
enable = true;
|
||||||
|
matchConfig.Name = "vpn6";
|
||||||
|
addresses = [{
|
||||||
|
addressConfig = {
|
||||||
|
Address = "10.203.${ddmeshAddrPart}/16";
|
||||||
|
Broadcast = "10.203.255.255";
|
||||||
|
};
|
||||||
|
}];
|
||||||
|
};
|
||||||
# ZW
|
# ZW
|
||||||
"20-core" = {
|
"20-core" = {
|
||||||
enable = true;
|
enable = true;
|
||||||
matchConfig = { Name = "core"; };
|
matchConfig = { Name = "core"; };
|
||||||
addresses = map (Address: { addressConfig = { inherit Address; }; }) [
|
addresses = map (Address: { addressConfig = { inherit Address; }; }) (
|
||||||
|
[
|
||||||
"${coreAddress}/${toString core.subnet4Len}"
|
"${coreAddress}/${toString core.subnet4Len}"
|
||||||
"2a00:8180:2c00:281:8000::1/64"
|
] ++
|
||||||
"fd23:42:c3d2:581:8000::1/64"
|
map (hosts6: "${hosts6.${hostName}}/64") (
|
||||||
];
|
builtins.attrValues core.hosts6
|
||||||
# routes = map (Gateway: { routeConfig = { inherit Gateway; }; }) [
|
)
|
||||||
# # upstream1
|
);
|
||||||
# "2a00:8180:2c00:281::b:0"
|
routingPolicyRules = [ {
|
||||||
# # anon1
|
# Marked wireguard packets take the upstream routing table
|
||||||
# "172.20.72.7"
|
routingPolicyRuleConfig = {
|
||||||
# ];
|
Table = rt_table_upstream;
|
||||||
|
FirewallMark = upstreamMark;
|
||||||
|
};
|
||||||
|
} ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -187,6 +207,17 @@ in {
|
||||||
export all;
|
export all;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
# BIRD routing table for Wireguard transport
|
||||||
|
ipv4 table upstream4_table;
|
||||||
|
|
||||||
|
# Kernel routing table for Wireguard transport
|
||||||
|
protocol kernel upstream4 {
|
||||||
|
kernel table ${toString rt_table_upstream};
|
||||||
|
ipv4 {
|
||||||
|
export all;
|
||||||
|
table upstream4_table;
|
||||||
|
};
|
||||||
|
}
|
||||||
protocol kernel K6 {
|
protocol kernel K6 {
|
||||||
ipv6 {
|
ipv6 {
|
||||||
export all;
|
export all;
|
||||||
|
@ -225,6 +256,8 @@ in {
|
||||||
area 0 {
|
area 0 {
|
||||||
stubnet 10.200.0.0/15;
|
stubnet 10.200.0.0/15;
|
||||||
interface "core" {
|
interface "core" {
|
||||||
|
hello 10;
|
||||||
|
wait 20;
|
||||||
authentication cryptographic;
|
authentication cryptographic;
|
||||||
password "${pkgs.zentralwerk-ospf-message-digest-key}";
|
password "${pkgs.zentralwerk-ospf-message-digest-key}";
|
||||||
};
|
};
|
||||||
|
@ -236,7 +269,9 @@ in {
|
||||||
export where net = 0.0.0.0/0;
|
export where net = 0.0.0.0/0;
|
||||||
};
|
};
|
||||||
area 0 {
|
area 0 {
|
||||||
interface "core" instance 6 {
|
interface "core" instance ${toString zentralwerk.lib.config.site.hosts.freifunk.ospf.upstreamInstance} {
|
||||||
|
hello 10;
|
||||||
|
wait 20;
|
||||||
authentication cryptographic;
|
authentication cryptographic;
|
||||||
password "${pkgs.zentralwerk-ospf-message-digest-key}";
|
password "${pkgs.zentralwerk-ospf-message-digest-key}";
|
||||||
};
|
};
|
||||||
|
@ -249,12 +284,35 @@ in {
|
||||||
};
|
};
|
||||||
area 0 {
|
area 0 {
|
||||||
interface "core" {
|
interface "core" {
|
||||||
|
hello 10;
|
||||||
|
wait 20;
|
||||||
authentication cryptographic;
|
authentication cryptographic;
|
||||||
password "${pkgs.zentralwerk-ospf-message-digest-key}";
|
password "${pkgs.zentralwerk-ospf-message-digest-key}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
${lib.concatStrings (lib.imap0 (i: upstream: ''
|
||||||
|
# OSPFv2 to receive a default route from ${upstream}
|
||||||
|
protocol ospf v2 ZW4_${upstream} {
|
||||||
|
ipv4 {
|
||||||
|
import filter {
|
||||||
|
preference = preference + ${toString (200 - i)};
|
||||||
|
accept;
|
||||||
|
};
|
||||||
|
table upstream4_table;
|
||||||
|
};
|
||||||
|
area 0 {
|
||||||
|
interface "core" instance ${toString zentralwerk.lib.config.site.hosts.${upstream}.ospf.upstreamInstance} {
|
||||||
|
hello 10;
|
||||||
|
wait 20;
|
||||||
|
authentication cryptographic;
|
||||||
|
password "${pkgs.zentralwerk-ospf-message-digest-key}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
'') upstreams)}
|
||||||
|
|
||||||
router id ${coreAddress};
|
router id ${coreAddress};
|
||||||
'';
|
'';
|
||||||
};
|
};
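Review bot: The generated `protocol ospf v2 ZW4_${upstream}` blocks in the last hunk are commented as existing to receive a default route from each upstream, but their `import filter` accepts every prefix the upstream advertises, so any route announced on an upstream's OSPF instance lands in `upstream4_table` and, via `protocol kernel upstream4`, in kernel table `rt_table_upstream`. Restricting the filter to the stated intent keeps a misconfigured or compromised upstream from steering the WireGuard transport: `import filter { if net != 0.0.0.0/0 then reject; preference = preference + ${toString (200 - i)}; accept; };`. Separately, the new `routingPolicyRules` entry in "20-core" (hunk `@ -105,21 +111,35 @@`) matches `FirewallMark = upstreamMark` with no mask, and nothing in this diff sets mark 3 on the WireGuard packets; presumably WireGuard's FwMark is configured elsewhere, which is worth confirming and recording in the comment, e.g. `# Packets carrying upstreamMark (expected to be set via WireGuard FwMark) take the upstream routing table`.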
|
||||||
|
|