#nixos-on-your-router on 2019-05-23

2019-05-13 22:50 hexa- changed the topic of #nixos-on-your-router to: NixOS on your Router

00:01 gchristensen has joined #nixos-on-your-router

00:05 <clever> gchristensen: hairpin nat?, is that when it port-forwards for accessing the pubip from inside its own network?

00:14 <gchristensen> yeah

00:14 <gchristensen> clever:

00:19 <clever> gchristensen: ive done it before, when my router ran linux from scratch, lol

00:19 <clever> ive not bothered doing it on nixos yet, but i remember roughly how it works, i would need to edit nixpkgs to make it work right

00:19 <clever> it basically doubles the number of rules in iptables

00:20 <clever> it needs both snat and dnat, you must mess with the source ip and claim the packets come from 192.168.1.1

00:20 <clever> so when the destination replies to the router, the router can un-nat things

00:21 <gchristensen> ouch

00:21 <clever> without the snat, the dest replies to the origin, and then the reply is coming from the wrong addr, and it fails

00:21 <clever> but nixos would make it possible to do on a per-forwarding basis

00:22 <clever> { destination = "192.168.2.62"; sourcePort = 80; }-

00:22 <clever> could become

00:22 <clever> { destination = "192.168.2.62"; sourcePort = 80; enableHairpin = true; }

00:22 <clever> and then only 80 can hairpin, and your rules dont double

00:22 <clever> back on LFS, it was much simpler, pure custom bash :P

00:24 <gchristensen> "simpler" :D

00:24 <gchristensen> I'd rather just use IPv6 but I've not managed to get that working either.

00:25 <clever> i did have v6 fully working

00:25 <clever> but after updating something, it ceased to forward packets

00:25 <clever> and i noticed a bit late, so i dont know how far to rollback, lol

00:25 <clever> was simpler to just disable v6, rather then fix

00:26 <gchristensen> hehe

00:26 <gchristensen> also maybe your ISP broke it somehow

00:26 <clever> nope, using a tunnel

00:27 <clever> the router itself has working v6

00:27 <clever> but it wont forward packets from the lan

00:27 <gchristensen> ahh

00:27 <gchristensen> huh, do we have the same problem?

00:27 <clever> possibly

00:27 <clever> let me see...

00:28 <clever> i have a wan6 interface on the router, with a v6 ip

00:28 <clever> ping6 fails currently...

00:29 <gchristensen> ehh I'm too tired to actually look in to why it is broken

00:29 <clever> because my ISP changed the v4 addr from 165 to 156 one night

00:29 <clever> and the tunnel is offline

00:29 <gchristensen> heh

00:29 <clever> [root@router:~]# ping6 irc.freenode.net -c 3

00:29 <clever> 64 bytes from leguin.acc.umu.se: icmp_seq=1 ttl=42 time=167 ms

00:29 <clever> PING irc.freenode.net(leguin.acc.umu.se) 56 data bytes

00:30 <clever> ok, tunnel is back online

00:30 <clever> next is radvd

00:30 <clever> services.radvd.enable = true;

00:31 <clever> nixops deploy -d house --include router

00:33 <clever> wait, what? lol

00:33 <clever> router> restarting systemd...

00:33 <clever> ping?

00:34 <clever> gchristensen: ok, i think its back online

00:35 <gchristensen> :)

00:35 <clever> the desktop has noticed radvd, and configured itself

00:35 <clever> `ip addr` and `ip -6 route` look right at a glance

00:36 <clever> but it cant ping

00:37 <clever> [root@router:~]# tcpdump -i enp4s2f1 -p -n ip6 and icmp6

00:37 <clever> 00:36:57.043144 IP6 2001:470:1d:19a:4216:7eff:feb3:3248 > 2001:1ad8:8:6667:5718::: ICMP6, echo request, seq 1, length 64

00:37 <clever> i can see the pings coming into the router LAN port

00:38 <gchristensen> can you see them leaving the WAN port?

00:38 <clever> nothing going out wan or wan6(the tunnel)

00:38 <clever> [root@router:~]# ip -6 route

00:38 <clever> default dev wan6 metric 1024 pref medium

00:38 <clever> but the default route says it should

00:39 <clever> so the router is choosing to not route?

00:39 <clever> [root@router:~]# cat /proc/sys/net/ipv6/conf/all/forwarding

00:39 <clever> 0

00:39 <clever> wait, why is that 0?

00:40 <clever> writting a 1 to it (despite having ran a bash script that does just that) gets the packets going out wan6, but no reply yet

00:40 <clever> 00:40:32.834313 IP6 2001:470:1d:19a:4216:7eff:feb3:3248 > 2001:708:40:2001::f5ee:d0de: ICMP6, echo request, seq 1, length 64

00:40 <clever> From router.local (2001:470:1d:19a:3d38:e4f5:6d3e:2eeb): icmp_seq=1 Destination unreachable: Address unreachable

00:41 <clever> the router is both forwarding the packets, and claiming it cant forward them

00:45 <clever> 2001:470:1d:19a::/64

00:46 <clever> ah, wait, miscounted the bits

00:48 <clever> gchristensen: i'm starting to suspect that it might be the nixos firewall

00:52 <gchristensen> hmmm oh?

00:53 <gchristensen> hmm

00:53 <gchristensen> like the packet marking?

00:53 <clever> previously, nixos didnt touch v6 at all

00:53 <clever> so if you knew the v6 addr of an internal machine, it was like the router wasnt even there

00:53 <clever> so half the house was wide open :P

00:53 <clever> i think somebody "fixed" that

00:54 <clever> i'll need to do more testing...

00:54 <gchristensen> ouch.

00:55 <gchristensen> but

00:55 <gchristensen> hmm

00:55 <gchristensen> other people here have working ipv6 with a nixos router

01:54 v0|d has joined #nixos-on-your-router

04:25 gchristensen has quit [Quit: Connection closed for inactivity]

10:53 gchristensen has joined #nixos-on-your-router

12:43 Guanin has joined #nixos-on-your-router

12:51 Guanin_ has joined #nixos-on-your-router

12:52 Guanin_ has quit [Client Quit]