[READY] - nixos-modules.routers.border: heTunnelEnable bool and passive ifaces #1110

Open

sarcasticadmin wants to merge 5 commits into master from rh/1772318010

Conversation

@sarcasticadmin (Member)

Description of PR

Fixes: #1094

Mimic the existing firewall rules we have in the dev environment in fmt2:

networking.nftables.ruleset = ''
  table inet filter {
    chain INPUT {
      type filter hook input priority filter;
      policy drop;
      # Show internal traffic (To the router only via the management net)
      iifname { bridge103 } accept;
      # Allow traffic from Owen's network
      ip6 saddr 2620:0:930::/48 accept;
      # Existing Flows
      ct state established,related accept;
      # Drop traffic to the show IPv6 network
      ip6 daddr 2001:470:f026::/48 counter drop;
      # PING
      meta l4proto { icmp, ipv6-icmp } accept;
      log prefix "NFINP-DROP: " accept;
    }
    chain FORWARD {
      type filter hook forward priority filter;
      policy drop;
      # Show internal traffic
      iifname { bridge100, bridge101, bridge102, bridge103, bridge104, bridge105, bridge107, bridge110 } oifname { bridge100, bridge101, bridge102, bridge103, bridge104, bridge105, bridge107, bridge110 } counter accept
      iifname { bridge100, bridge101, bridge102, bridge103, bridge104, bridge105, bridge107, bridge110 } oifname copper0 counter accept
      # Existing Flows
      ct state established,related accept;
      # Owen's Network
      ip6 saddr 2620:0:930::/48 accept;
      # PING
      meta l4proto { icmp, ipv6-icmp } accept;
      # Drop inbound IPv6 traffic not matched above
      ip6 daddr 2001:470:f026::/48 counter drop;
      log prefix "NFFWD-DROP: " accept;
    }
    chain OUTPUT {
      type filter hook output priority filter;
      accept;
    }
  }
  table ip nat {
    chain PREROUTING {
      type nat hook prerouting priority dstnat; policy accept;
    }
    chain INPUT {
      type nat hook input priority 100; policy accept;
    }
    chain OUTPUT {
      type nat hook output priority -100; policy accept;
    }
    chain POSTROUTING {
      type nat hook postrouting priority srcnat; policy accept;
      oifname "copper0" ip daddr 0.0.0.0/0 counter masquerade
    }
  }
'';

Additionally, we include the HE tunnel, which is also enabled in the offseason on the same router:

"20-hetunnel" = {
  netdevConfig = {
    Name = "he-tunnel";
    Kind = "sit";
    MTUBytes = 1480;
  };
  tunnelConfig = {
    Local = "192.159.10.47";
    Remote = "66.220.18.42";
  };
};

Previous Behavior

  • HE tunnel only existed on scale-border-fmt2
  • Border firewall was only configured for NAT
  • IPv6 interfaces for border were not passive

New Behavior

  • Enable the complete firewall for border
  • Add a boolean to the border module for the HE tunnel
  • IPv6 passive interfaces for border: WAN, bridge103
  • RA config for backdoor0 on all routers

Tests

  • Confirmed the HE systemd units appear and disappear with the heTunnelEnable toggle:
nix build .#nixosConfigurations.router-conf.config.system.build.toplevel
ls -lah result/etc/systemd/network/*-hetunnel*
  • Applied the router configs to the border expo and conf bare metal and frr, and pings looked good
  • Confirmed passive ifaces on border in vtysh: show ipv6 ospf6 interface, looking for "No Hellos (Passive interface)" on WAN and bridge103
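As an added check (not code from this PR or the repository), the following Python lint reads an nftables ruleset in the plain text shape shown above and flags two things the fmt2 rules make easy to miss: a `policy drop` chain whose last rule accepts unconditionally, so the policy never applies to unmatched traffic, and a `log prefix` containing DROP on a rule whose verdict is `accept`. The embedded ruleset is a constructed, trimmed copy of the INPUT, OUTPUT and POSTROUTING chains from the description, not the deployed config; the "hardened" variant changes only the terminal verdict.

```python
"""Static lint for an nftables ruleset: flags a 'policy drop' base chain whose
final rule accepts unconditionally (the policy becomes unreachable) and a
'log prefix' that says DROP on a rule whose verdict is accept.

Added example; not part of this PR or the repository's modules. The parser
handles only the plain nft text shape used in the PR description (one
statement per ';' or newline, no nested sets, maps, includes or variables).
"""
import re

VERDICTS = {"accept", "drop", "reject", "return", "continue"}
STATEMENT_WORDS = {"log", "counter"}  # statements that are not match expressions

# Constructed sample: the INPUT/OUTPUT chain shape from the PR description plus
# the nat POSTROUTING chain (an assumption about structure, not deployed config).
PERMISSIVE_RULESET = """
table inet filter {
  chain INPUT {
    type filter hook input priority filter;
    policy drop;
    iifname { bridge103 } accept;
    ip6 saddr 2620:0:930::/48 accept;
    ct state established,related accept;
    ip6 daddr 2001:470:f026::/48 counter drop;
    meta l4proto { icmp, ipv6-icmp } accept;
    log prefix "NFINP-DROP: " accept;
  }
  chain OUTPUT {
    type filter hook output priority filter;
    accept;
  }
}
table ip nat {
  chain POSTROUTING {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "copper0" ip daddr 0.0.0.0/0 counter masquerade
  }
}
"""

# Same ruleset with the terminal rule's verdict changed so that logged
# traffic is actually dropped.
HARDENED_RULESET = PERMISSIVE_RULESET.replace(
    'log prefix "NFINP-DROP: " accept;', 'log prefix "NFINP-DROP: " drop;')


def parse_ruleset(text):
    """Return {(table, chain): {"policy": str | None, "rules": [str]}}."""
    chains = {}
    table = chain = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"^table\s+(\w+)\s+(\w+)\s*\{$", line)
        if m:
            table = f"{m.group(1)} {m.group(2)}"
            continue
        m = re.match(r"^chain\s+(\w+)\s*\{$", line)
        if m:
            chain = m.group(1)
            chains[(table, chain)] = {"policy": None, "rules": []}
            continue
        if line == "}":  # closes the innermost open block
            if chain is not None:
                chain = None
            else:
                table = None
            continue
        for stmt in (s.strip() for s in line.split(";")):
            if not stmt or stmt.startswith("type "):
                continue
            if stmt.startswith("policy "):
                chains[(table, chain)]["policy"] = stmt.split()[1]
            else:
                chains[(table, chain)]["rules"].append(stmt)
    return chains


def rule_parts(rule):
    """Split one rule into (match_tokens, prefix_says_drop, verdict)."""
    prefix = re.search(r'log\s+prefix\s+"([^"]*)"', rule)
    tokens = re.sub(r'prefix\s+"[^"]*"', "", rule).split()
    verdict = tokens[-1] if tokens and tokens[-1] in VERDICTS else None
    body = tokens[:-1] if verdict else tokens
    matches = [t for t in body if t not in STATEMENT_WORDS]
    says_drop = bool(prefix and "DROP" in prefix.group(1).upper())
    return matches, says_drop, verdict


def lint(text):
    """Return sorted (table, chain, finding) tuples for the ruleset text."""
    findings = []
    for (table, chain), entry in parse_ruleset(text).items():
        for rule in entry["rules"]:
            matches, says_drop, verdict = rule_parts(rule)
            if says_drop and verdict == "accept":
                findings.append((table, chain, "drop-prefix-but-accept"))
            if not matches and verdict == "accept" and entry["policy"] == "drop":
                findings.append((table, chain, "policy-drop-unreachable"))
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("permissive", PERMISSIVE_RULESET), ("hardened", HARDENED_RULESET)):
        print(label, lint(text) or "no findings")
```

Running it against the full ruleset from the description reports the same two findings for FORWARD as well, since that chain ends the same way; `nft -c -f` validates syntax but does not catch this, because an unconditional `accept` after `policy drop` is perfectly valid nft.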

"bridge104" # expo
"bridge901" # cf
];
# service.frr.passive-interface add 103 and 104 later
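Review bot: the trailing comment `# service.frr.passive-interface add 103 and 104 later` is stale for this change: the description lists WAN and bridge103 as the passive interfaces configured now, and the reply on this line says bridge104 is not wanted because it is a broadcast interface after #1108. Update or drop the comment so the interface list does not carry a TODO that contradicts the shipped passive-interface set.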
Member Author (sarcasticadmin):

we didn't want 104 here after all since it's actually a broadcast interface after the shuffle in #1108

type filter hook input priority filter;
policy drop;
# Show internal traffic (To the router only via the management net)
iifname { bridge103, backdoor0 } accept;
Member Author (sarcasticadmin):

Slight deviation from the router-fmt2 config: including backdoor0 so that interface is still useful

Collaborator:

We might rename the 192.159.10.0/25 interface on FMT2 to backdoor0 to reflect its similar purpose.

type filter hook forward priority filter;
policy drop;
# Show internal traffic
iifname { bridge103, bridge104, bridge901, bridge903 } oifname { bridge103, bridge104, bridge901, bridge903 } counter accept
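Review bot: the fmt2 ruleset this PR mimics ends both filter chains with `log prefix "NFINP-DROP: " accept;` and `log prefix "NFFWD-DROP: " accept;`; an unconditional `accept` as the last rule means the `policy drop;` declared here is never reached for traffic no earlier rule matched (only the explicit `ip6 daddr 2001:470:f026::/48 counter drop` rule actually drops anything), and the prefix then labels accepted packets as drops. If this FORWARD chain and the INPUT chain above copy that line, change the verdict to `drop` or omit it so the chain policy applies; otherwise "enabling the complete firewall for border" only adds logging.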
Member Author (sarcasticadmin):

These bridges were pared down since we don't have as many as we do on router-fmt2 (since it's more like a border + expo config)

sarcasticadmin changed the title from "[READY] - nixos-modules.routers.border: heTunnelEnable bool and passive interfaces" to "[READY] - nixos-modules.routers.border: heTunnelEnable bool and passive ifaces" on Mar 1, 2026
@MrHamel (Contributor) commented Mar 1, 2026

Seems sound to me. Would approve if I could...

@owendelong (Collaborator) left a comment

Looks great... Thanks!


Development

Successfully merging this pull request may close these issues.

Setup HE Tunnel for systemd.networkd router-scale-br-fmt2

3 participants