doc: improve advanced-network

astro · astro · commit 6f7e4a7bfcdc · 2025-01-12T00:13:57.000+01:00
diff --git a/doc/src/advanced-network.md b/doc/src/advanced-network.md
@@ -1,41 +1,39 @@
 # Advanced network setup
 
 Renting a server in a datacenter usually gets you one IP address. You
-should not bridge your local VM traffic together with the physical
-Ethernet uplink port. Instead, setup a bridge only for the Virtual
-Machines, and provide them with Internet through NAT just like your
-plastic ADSL router at home.
-
+must not bridge your local VM traffic together with the physical
+Ethernet uplink port. Instead, setup a host-internal bridge for the
+Virtual Machines, and provide them with Internet through NAT just like
+your plastic ADSL router at home.
 
 ## A bridge to link TAP interfaces
 
 Instead of placing MicroVMs directly on a LAN, one can also use a TAP
 interface to get a virtual Ethernet interface on the host. Although it
-is possible to assign individual IP configuration to these individual
-interfaces, let us avoid the additional configuration effort and
-create a bridge instead:
+is possible to [assign individual IP
+configuration](./routed-network.md) to these individual interfaces,
+let us avoid the additional configuration effort and create a bridge
+instead:
 
 ```nix
-systemd.network = {
-  netdevs."10-microvm".netdevConfig = {
-    Kind = "bridge";
-    Name = "microvm";
-  };
-  networks."10-microvm" = {
-    matchConfig.Name = "microvm";
-    networkConfig = {
-      DHCPServer = true;
-      IPv6SendRA = true;
-    };
-    addresses = [ {
-      addressConfig.Address = "10.0.0.1/24";
-    } {
-      addressConfig.Address = "fd12:3456:789a::1/64";
-    } ];
-    ipv6Prefixes = [ {
-      ipv6PrefixConfig.Prefix = "fd12:3456:789a::/64";
-    } ];
+systemd.network.netdevs."10-microvm".netdevConfig = {
+  Kind = "bridge";
+  Name = "microvm";
+};
+systemd.network.networks."10-microvm" = {
+  matchConfig.Name = "microvm";
+  networkConfig = {
+    DHCPServer = true;
+    IPv6SendRA = true;
   };
+  addresses = [ {
+    addressConfig.Address = "10.0.0.1/24";
+  } {
+    addressConfig.Address = "fd12:3456:789a::1/64";
+  } ];
+  ipv6Prefixes = [ {
+    ipv6PrefixConfig.Prefix = "fd12:3456:789a::/64";
+  } ];
 };
 
 # Allow inbound traffic for the DHCP server
@@ -50,12 +48,10 @@ Last, the TAP interfaces of MicroVMs shall be attached to this central
 bridge. Make sure your `matchConfig` matches just the interfaces you
 want!
 ```nix
-systemd.network = {
-  networks."11-microvm" = {
-    matchConfig.Name = "vm-*";
-    # Attach to the bridge that was configured above
-    networkConfig.Bridge = "microvm";
-  };
+systemd.network.networks."11-microvm" = {
+  matchConfig.Name = "vm-*";
+  # Attach to the bridge that was configured above
+  networkConfig.Bridge = "microvm";
 };
 ```
 
@@ -71,9 +67,13 @@ MicroVMs. NAT works for this address family, too!
 ```nix
 networking.nat = {
   enable = true;
+  # NAT66 exists and works. But if you have a proper subnet in
+  # 2000::/3 you should route that and remove this setting:
   enableIPv6 = true;
+
   # Change this to the interface with upstream Internet access
   externalInterface = "eth0";
+  # The bridge where you want to provide Internet access
   internalInterfaces = [ "microvm" ];
 };
 ```
