#nixos-on-your-router on 2020-03-13

2019-08-19 13:17 eyJhb changed the topic of #nixos-on-your-router to: NixOS on your Router || https://logs.nix.samueldr.com/nixos-on-your-router

00:47 <hexa-> ottidmes: don't use dnsmasq if you can

00:48 <hexa-> Unbound and kresd are far better resolvers

00:48 <hexa-> dnsmasq is an embedded devices product with lots of compromises

01:16 ottidmes has quit [Ping timeout: 240 seconds]

10:02 ottidmes has joined #nixos-on-your-router

10:05 <ottidmes> hexa-: Thanks for the info! Then I won't bother with dnsmasq anymore, the router is powerful enough to do pretty much anything, I could replace my parents desktop with it probably :P so it should handle heavier software than dnsmasq just fine

10:12 <ottidmes> I see someone on the kresd team is someone from the NixOS community, cool

10:14 <ottidmes> And used by 1.1.1.1, that's awesome

10:18 <thefloweringash> the main reason I've been using dnsmasq is to have easy reverse dns for dhcp leases

10:18 <thefloweringash> I've set it up with the isc components before, but didn't enjoy it and went back to dnsmasq

10:18 <thefloweringash> what's the story with kresd + ... ?

10:21 <ottidmes> So far I have read, most people that tried kresd were very positive about it and kept using it, haven't used it myself, I guess you would use it with dhcpd, but not sure if there are alternative to that

10:24 <ottidmes> thefloweringash: https://forum.turris.cz/t/dnsmasq-vs-kresd/9562/5 (so yeah DHCPv4)

10:29 <ottidmes> thefloweringash: this seems relevant for your reverse dns: https://forum.turris.cz/t/kresd-reverse-dns-for-local-addresses/11171

10:34 <ottidmes> thefloweringash: this maybe: https://knot-resolver.readthedocs.io/en/stable/modules-hints.html#static-hints

14:46 claudiii has joined #nixos-on-your-router

15:55 ottidmes has quit [Ping timeout: 255 seconds]

16:41 ottidmes has joined #nixos-on-your-router

17:27 <ottidmes> I am working on my router config at the moment, the router configs I see at the moment have all their vlans on a bridge, that would be tagged vlans then? With my 6 gigabit port router, there is no need, right? (my knowledge about networking is still not quite at the level you would need to run your own router, but what better way to learn then to setup your own :P)

17:29 <cransom> i don't have my vlans on a bridge, just a single interface. do you have a managed/vlan capable switch?

17:31 <ottidmes> vlan capable switch, you mean as its own device? I have mostly TP-Link 8 port switches laying around

17:32 <cransom> you can configure a vlan on your router, but if the device on the other end (being another router or a switch) doesn't speak vlans, it won't work. if you have 6 ports on your router, you'll probably just be doing your own bridging. there won't be vlans.

17:32 <cransom> you should make a diagram.

17:33 <cransom> talking about networks is like dancing about architecture.

17:33 <ottidmes> I do now have like 4 different subnets in terms of cabling that come together where the router will be

17:34 <ottidmes> I mostly have these switches: https://www.tp-link.com/us/home-networking/8-port-switch/tl-sg108/

17:34 <cransom> subnets aren't vlans though. you can have whatever layer3 you want on your layer 2.

17:34 <ottidmes> And this as the router: https://www.amazon.co.uk/Kettop-Mi7100L6-Firewall-Support-Barebone/dp/B07L5QMW83/

17:34 <cransom> right. you can't use tagged vlans on that switch.

17:35 <ottidmes> but I can use port based vlans, right?

17:35 <cransom> that's just a lan.

17:36 <ottidmes> Ah, so I would end up with four LANs that come together in the same router?

17:36 <cransom> vlan means (at least currently) devices speaking 802.1q

17:37 <cransom> i really, really suggest a diagram. it will help you rubber duck this out at the very least.

17:37 <ottidmes> What would I be diagramming then?

17:37 <cransom> physical connections and the subnets you are using.

17:38 <cransom> https://www.reddit.com/r/RMND/ for inspiration.

17:38 <ottidmes> A got that already, not as a diagram per se, but that part is crystal clear

17:39 <ottidmes> Got a nice Nix structure stating all devices in each vlan (guess I have to start renaming them)

17:39 <ottidmes> And this is based on reality, I copied the data straight out of my current router's DHCP config

17:40 <ottidmes> I am just trying to understand how to approach my firewall and other networking config

17:42 <cransom> and i'd love to help, but the terminology barrier is making it hard as you keep saying vlans, but you aren't going to have vlans. as far as i know.

17:44 <ottidmes> Sorry for that confusion, but other than that, it is just 4 seperated groups of ethernet connected devices coming seperately at the place where the router is

17:45 <cransom> ok, then yes. no vlans involved. maybe some bridging for one subnet on 2 ports.

17:47 <ottidmes> Right, so if I connected one device to one of the left over ports, but it should be part of one of the other ports subnet, I would use a bridge, connecting those two interfaces as one?

17:48 <cransom> correct

17:50 <ottidmes> and the ACCEPT/DROP names in calls to iptables, how are they different from nixos-fw-refuse and kind?

17:52 <cransom> i'm not sure i follow the question.

17:53 <ottidmes> I am looking at: https://github.com/disassembler/network/blob/master/portal/default.nix#L141-L232

17:54 <cransom> why use nixos-fw-refuse instead just a drop?

17:54 <ottidmes> And wondering if there is any special meaning to -j nixos-fw-accept compared to -j ACCEPT, or that ACCEPT is just the default from iptables and the nixos-fw- ones are just there to make clear they have been defined by nixos

17:54 <ottidmes> Basically that question, yes

17:55 <cransom> it makes statistics nicer if you use it. iptables -vL and you see packets/bytes by each rule.

17:56 <cransom> but, it's just organization/style.

17:57 <ottidmes> Ah, thanks for clearing that up :)

18:03 <ottidmes> And to make sure any guest device does not communicate to anything in the network, except the internet, I would use this rule repeatedly for those interfaces, right? ip46tables -A FORWARD -m state --state NEW -i guest -o guest -j DROP (but also for -o home, -o pro, for each of the LAN interfaces)

18:06 <cransom> that would allow devices from home to connect to guest though. if you don't want that, i would remove the state checking.

18:07 <ottidmes> good call, thanks

18:21 <ottidmes> And probably a dumb question, why is that enough to also block home going in to guest? Naively I would have expected the need for: ip46tables -A FORWARD -i home -o guest -j DROP, too (i.e. the other way around in terms of in/out)

18:24 <cransom> it's mostly enough. technically you can get packets from home to guest, but if there's no state check, guest->home traffic is dropped.

18:25 <cransom> doing the opposite would be good hygiene.

18:26 <ottidmes> Ah, then I will add them :)

18:26 <cransom> the well set up firewalls drop all traffic by default, but it's extra admin overhead so typically not a thing on residential setups.

18:57 <ottidmes> this is my config so far: https://gist.github.com/msteen/13921e666f5df1ea432a4cc2016c39f7#file-router-nix-L77-L106

19:54 eyJhb has quit [Remote host closed the connection]

19:58 eyJhb has joined #nixos-on-your-router

19:58 eyJhb has quit [Changing host]

21:35 <ottidmes> Anyone has a kresd.conf/services.kresd.extraConfig I could look at?

22:03 <makefu> ottidmes: Mic92 uses kresd for his machines: https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/kresd.nix

22:12 <ottidmes> makefu: Thanks, guess there simply isn't much to configure

22:55 Orbstheorem has joined #nixos-on-your-router

22:56 Orbstheorem has quit [Client Quit]

22:58 Orbstheorem has joined #nixos-on-your-router