#nixos-on-your-router on 2019-08-11

2019-05-13 22:50 hexa- changed the topic of #nixos-on-your-router to: NixOS on your Router

03:12 andi- has quit [*.net *.split]

03:12 lopsided98 has quit [*.net *.split]

03:14 nix-build has joined #nixos-on-your-router

03:14 {^_^} has quit [Remote host closed the connection]

03:15 andi- has joined #nixos-on-your-router

03:16 lopsided98 has joined #nixos-on-your-router

08:39 <makefu> anybody here at the CCCamp2019 in Germany? i am trying to find people doing workshops and stuff. maybe someone here is willing to share what you did with NixOS on your router?

09:29 eyJhb has joined #nixos-on-your-router

09:29 <eyJhb> How feasable is it to run NixOS as a router replacement for e.g. pfSense?

11:39 <andi-> makefu: I'll be there but I just started migrating yesterday :D

11:39 <andi-> eyJhb: very?

11:40 <andi-> eyJhb: not sure why NixOS should be less suites then e.g. Debian/Fedora/…. I've been running Debian Linux based routers for the past 20y

11:53 <eyJhb> andi-: but I am guessing that there isn't any nice module for e.g. port forwarding and NAT fun

11:57 <andi-> eyJhb: not those are trivial to write?

11:58 <andi-> There is a nat module that provides some of those features

11:58 <andi-> I always disliked pfsense and the like because most of the time they come with some we interface hiding all the important bits and pieces

11:59 <eyJhb> s/we/web/ ?

11:59 <eyJhb> You are properly right

11:59 <andi-> Yeah, sorry mobile

12:00 <eyJhb> Hmm... It would be interesting seeing if I could replace my pfSense with NixOS. But I can't even get to replace my server

12:00 <eyJhb> And my pfSense setup is used for routing traffic with a VPN..

12:13 <andi-> eyJhb: what are your roadblocks?

12:27 <eyJhb> I have no clue on how to do 1. Aliases like pfSense (groups of IPs hostnames, etc.) 2. Setting up all clients on my LAN to connect using VPN 3. Portforwarding my server through the VPN

17:45 nix-build has quit [Remote host closed the connection]

17:46 {^_^} has joined #nixos-on-your-router

18:07 <makefu> andi-: cool thing, if we do not have a workshop for this topic it is fine, be sure to check out the nixos assembly in any case :)

18:12 <andi-> makefu: not really a workshop.. I just wasted 8h trying to get IPv6 PD working with networkd…

18:12 <makefu> :D

18:12 <andi-> It was ofc (yet again) a setting on a completly unrealted interface…

18:12 <andi-> (╯° °）╯︵ ┻━┻)

18:12 <gchristensen> lmk if you want to sppend another 8h making my ipv6 work ;)

18:13 <andi-> gchristensen: I started replicating my ISPs setup and then started implementing my "router" side. Knowing both ends makes it a lot easier.

18:13 <andi-> Can you provide that ? :P

18:13 <gchristensen> I can provide you root access to my router ...

18:13 <andi-> But I am happy to debug with ouy

18:14 <andi-> let me first finalize this as I intend to publish a bit of a blog-post-ish about the topic

18:14 <andi-> There is really no docuemntation on the internet that I could find.

18:20 <andi-> If anyone is looking for an PD example: https://git.darmstadt.ccc.de/andi/nixos-router-config/tree/master/modules/router

18:20 <andi-> it isn't pretty (yet) but works in the test environment

18:21 <gchristensen> my router would benefit from networkd. with all my vlans I often get a failure during boot

18:25 <andi-> having it work on events rather just trying to execute a fixed set of action could probably help.

18:25 <andi-> What I am missing is hooks / events from networkd into userspace

18:26 <andi-> e.h. dyndns based on the DHCP lease etc..

18:26 <gchristensen> ya.

18:39 <flokli> well, there are plans for networkd to gain a dbus interface. using that, one could subscribe on these events

18:40 <andi-> uargh dbus… My experience with avahi and dbus in rust tought me that it isn't a great interface…

18:41 <flokli> well, it's the interface systemd uses for that kind of stuff :shrug:

18:41 <flokli> I doubt it's feasible to add a second one

18:41 <andi-> exec?

18:42 <flokli> block?

18:42 <flokli> what happens if this exec script triggers another systemd operation, which might trigger the same hook?

18:42 <gchristensen> systemd deprecated exec in 2017

18:43 <flokli> I guess some sort of pub/sub is ok

18:43 <flokli> dbus isn't the nicest IPC to use, but it's the one we have…

18:47 lopsided98 has quit [Quit: Disconnected]

18:49 <andi-> Not that I'd use it but I am trying to figure out what `IPMAsquerade=true` actually does.. in my test setup it doesn't setup any firewall rules...

18:50 <flokli> it should enable ip_forward and set up some iptables rule… weird…

18:51 lopsided98 has joined #nixos-on-your-router

18:51 <andi-> Ip know

18:51 <flokli> https://github.com/systemd/systemd/blob/64ef83139cf84a700b95e8150a458b0bb9f720de/src/network/networkd-address.c#L224

18:51 <andi-> It just doesn't do it… Probably have to add it to all the interfaces it originates from

19:06 <andi-> Actually adding an IPv6 address from the prefix is is using in the router advertisements would be amazing… Not sure how that now is supposed to work /o\

19:09 <flokli> andi-: can you elaborate?

19:10 <andi-> well it sends RAs with the prefix 2001:db8:1::/64 on the interface without having an address on the interface. it isn't required to have an address from the range on the interface but I'd almost say a best practice.

19:11 <flokli> you should be able to set Address=:: on a downstream interface, and if you configured it to do IPv6 IA_PD on the upstream interface, it should automatically slice and add a matching address from a /64 on the downstream interface…

19:15 <andi-> Nope