hexa- changed the topic of #nixos-on-your-router to: NixOS on your Router
andi- has quit [*.net *.split]
lopsided98 has quit [*.net *.split]
nix-build has joined #nixos-on-your-router
{^_^} has quit [Remote host closed the connection]
andi- has joined #nixos-on-your-router
lopsided98 has joined #nixos-on-your-router
<makefu>
anybody here at the CCCamp2019 in Germany? i am trying to find people doing workshops and stuff. maybe someone here is willing to share what you did with NixOS on your router?
eyJhb has joined #nixos-on-your-router
<eyJhb>
How feasible is it to run NixOS as a router replacement for e.g. pfSense?
<andi->
makefu: I'll be there but I just started migrating yesterday :D
<andi->
eyJhb: very?
<andi->
eyJhb: not sure why NixOS should be less suited than e.g. Debian/Fedora/…. I've been running Debian Linux based routers for the past 20y
<eyJhb>
andi-: but I am guessing that there isn't any nice module for e.g. port forwarding and NAT fun
<andi->
eyJhb: not those are trivial to write?
<andi->
There is a nat module that provides some of those features
<andi->
I always disliked pfsense and the like because most of the time they come with some we interface hiding all the important bits and pieces
<eyJhb>
s/we/web/ ?
<eyJhb>
You are probably right
<andi->
Yeah, sorry mobile
<eyJhb>
Hmm... It would be interesting seeing if I could replace my pfSense with NixOS. But I can't even get to replace my server
<eyJhb>
And my pfSense setup is used for routing traffic with a VPN..
<andi->
eyJhb: what are your roadblocks?
<eyJhb>
I have no clue on how to do 1. Aliases like pfSense (groups of IPs, hostnames, etc.) 2. Setting up all clients on my LAN to connect using VPN 3. Port forwarding my server through the VPN
nix-build has quit [Remote host closed the connection]
{^_^} has joined #nixos-on-your-router
<makefu>
andi-: cool thing, if we do not have a workshop for this topic it is fine, be sure to check out the nixos assembly in any case :)
<andi->
makefu: not really a workshop.. I just wasted 8h trying to get IPv6 PD working with networkd…
<makefu>
:D
<andi->
It was ofc (yet again) a setting on a completely unrelated interface…
<andi->
(╯° °)╯︵ ┻━┻)
<gchristensen>
lmk if you want to spend another 8h making my ipv6 work ;)
<andi->
gchristensen: I started replicating my ISPs setup and then started implementing my "router" side. Knowing both ends makes it a lot easier.
<andi->
Can you provide that ? :P
<gchristensen>
I can provide you root access to my router ...
<andi->
But I am happy to debug with you
<andi->
let me first finalize this as I intend to publish a bit of a blog-post-ish about the topic
<andi->
There is really no documentation on the internet that I could find.
<andi->
it isn't pretty (yet) but works in the test environment
<gchristensen>
my router would benefit from networkd. with all my vlans I often get a failure during boot
<andi->
having it work on events rather than just trying to execute a fixed set of actions could probably help.
<andi->
What I am missing is hooks / events from networkd into userspace
<andi->
e.g. dyndns based on the DHCP lease etc..
<gchristensen>
ya.
<flokli>
well, there are plans for networkd to gain a dbus interface. using that, one could subscribe on these events
<andi->
uargh dbus… My experience with avahi and dbus in rust taught me that it isn't a great interface…
<flokli>
well, it's the interface systemd uses for that kind of stuff :shrug:
<flokli>
I doubt it's feasible to add a second one
<andi->
exec?
<flokli>
block?
<flokli>
what happens if this exec script triggers another systemd operation, which might trigger the same hook?
<gchristensen>
systemd deprecated exec in 2017
<flokli>
I guess some sort of pub/sub is ok
<flokli>
dbus isn't the nicest IPC to use, but it's the one we have…
lopsided98 has quit [Quit: Disconnected]
<andi->
Not that I'd use it but I am trying to figure out what `IPMasquerade=true` actually does.. in my test setup it doesn't set up any firewall rules...
<flokli>
it should enable ip_forward and set up some iptables rule… weird…
<andi->
It just doesn't do it… Probably have to add it to all the interfaces it originates from
<andi->
Actually adding an IPv6 address from the prefix it is using in the router advertisements would be amazing… Not sure how that now is supposed to work /o\
<flokli>
andi-: can you elaborate?
<andi->
well it sends RAs with the prefix 2001:db8:1::/64 on the interface without having an address on the interface. it isn't required to have an address from the range on the interface but I'd almost say a best practice.
<flokli>
you should be able to set Address=:: on a downstream interface, and if you configured it to do IPv6 IA_PD on the upstream interface, it should automatically slice and add a matching address from a /64 on the downstream interface…