From 62307984f5435b4a5c9709c35fae576169f7b55d Mon Sep 17 00:00:00 2001
From: RootHost-Stormwind
Date: Mon, 26 Jan 2026 15:36:02 +0100
Subject: [PATCH] create l2 bridge incusbr2
---
 incus.nix | 3 +-
 networking.nix | 86 ++++++++++++++++++++++++++++++--------------------
 2 files changed, 52 insertions(+), 37 deletions(-)
diff --git a/incus.nix b/incus.nix
index 9198144..244f4d9 100644
--- a/incus.nix
+++ b/incus.nix
@@ -5,14 +5,13 @@
 networking = {
 nftables.enable = true;
 firewall = {
- enable = true;
 trustedInterfaces = [ "incusbr1" ];
 filterForward = true;
 extraForwardRules = ''
 # if crusader tries to go to varian or truenas, BLOCK
 iifname "incusbr1" oifname "incusbr0" drop
- iifname "incusbr1" oifname "enp4s0" ip daddr 192.168.0.0/16 drop
+ iifname "incusbr1" oifname "incusbr2" ip daddr 192.168.0.0/16 drop
 '';
 interfaces = {
diff --git a/networking.nix b/networking.nix
index c7ec5ee..ae7760f 100644
--- a/networking.nix
+++ b/networking.nix
@@ -4,13 +4,14 @@
 networking = {
 hostName = "Stormwind";
 networkmanager.enable = false;
- defaultGateway = "192.168.0.1";
+ nameservers = [ "192.168.0.1" "1.1.1.1" ];
 firewall = {
- allowedTCPPorts = [ 80 443 8123 1883 8883 9001 20 21 50000 50001 50002 50003 50004 50005 22 2223 990 989 445 111 2049 32765 32768 20048 ];
+ enable = true;
+ allowedTCPPorts = [ 80 443 8123 1883 8883 9001 20 21 50000 50001 50002 50003 50004 50005 22 2222 2223 990 989 445 111 2049 32765 32768 20048 ];
 allowedUDPPorts = [ 111 2049 20048 32765 32768 ];
- trustedInterfaces = [ "incusbr0" ];
+ trustedInterfaces = [ "incusbr0" "incusbr2" ];
 };
 nftables.ruleset = ''
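Review bot: Adding "incusbr2" to `trustedInterfaces` in this hunk makes the uplink bridge a trusted interface, and per the later hunk that bridge enslaves the physical NIC enp4s0, so every packet arriving from the LAN side is accepted into the host without consulting `allowedTCPPorts`/`allowedUDPPorts` — the port lists on the lines just above stop constraining anything on that path, and the `enable = true` added here is effectively void for external traffic. Before this commit enp4s0 itself was not trusted, so this is a widening of the host's exposure rather than a like-for-like rename. If the entry was added to let forwarded guest traffic through, the forward rules in `nftables.ruleset` below appear to cover that already (not verifiable from here). The proposed change is `trustedInterfaces = [ "incusbr0" ];`, keeping the explicit port lists as the only inbound allowance on the uplink.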
@@ -21,42 +22,42 @@
 ct state established,related accept
 # allow new+established VM→Internet
- iifname "incusbr0" oifname "enp4s0" ct state new,established accept
- iifname "incusbr1" oifname "enp4s0" ct state new,established accept
+ iifname "incusbr0" oifname "incusbr2" ct state new,established accept
+ iifname "incusbr1" oifname "incusbr2" ct state new,established accept
 # allow vm to vm communication
 iifname "tap*" oifname "tap*" accept
 # allow natted replies
- iifname "enp4s0" oifname "incusbr0" tcp dport 8123 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 80 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 443 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 1883 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 8883 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 9001 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 20 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 21 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 50000 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 50001 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 50002 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 50003 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 50004 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 50005 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 22 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 2223 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 990 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 989 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 445 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 111 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" udp dport 111 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 2049 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" udp dport 2049 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 32765 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" udp dport 32765 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 32768 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" udp dport 32768 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" tcp dport 20048 ct state new,established accept
- iifname "enp4s0" oifname "incusbr0" udp dport 20048 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 8123 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 80 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 443 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 1883 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 8883 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 9001 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 20 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 21 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 50000 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 50001 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 50002 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 50003 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 50004 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 50005 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 22 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 2223 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 990 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 989 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 445 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 111 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" udp dport 111 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 2049 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" udp dport 2049 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 32765 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" udp dport 32765 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 32768 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" udp dport 32768 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" tcp dport 20048 ct state new,established accept
+ iifname "incusbr2" oifname "incusbr0" udp dport 20048 ct state new,established accept
 }
 }
 '';
@@ -68,6 +69,9 @@
 incusbr1 = {
 interfaces = [];
 };
+ incusbr2 = {
+ interfaces = [ "enp4s0" ];
+ };
 };
 interfaces = {
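Review bot: The 29 "allow natted replies" rules under `# allow natted replies` differ only in protocol and port, which makes the list easy to desynchronise from `allowedTCPPorts` in the earlier hunk — that hunk adds 2222 to the host's allowed ports, but no forward rule for 2222 appears here, which may be intended if 2222 is a host service rather than a forwarded one (not determinable from this diff). Two nftables set rules would carry the same policy and be reviewable at a glance: `iifname "incusbr2" oifname "incusbr0" tcp dport { 8123, 80, 443, 1883, 8883, 9001, 20, 21, 50000, 50001, 50002, 50003, 50004, 50005, 22, 2223, 990, 989, 445, 111, 2049, 32765, 32768, 20048 } ct state new,established accept` and `iifname "incusbr2" oifname "incusbr0" udp dport { 111, 2049, 32765, 32768, 20048 } ct state new,established accept`. The two closing braces and the `'';` in this hunk show the ruleset's enclosing chain and table begin outside it.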
@@ -81,12 +85,24 @@
 { address = "10.46.33.1"; prefixLength = 24; }
 ];
 };
+ incusbr2 = {
+ ipv4.addresses = [
+ { address = "192.168.0.19"; prefixLength = 24; }
+ ];
+ macAddress = "2c:fd:a1:c1:13:b0";
+ mtu = 1280;
+ };
+ };
+
+ defaultGateway = {
+ address = "192.168.0.1";
+ interface = "incusbr2";
 };
 nat = {
 enable = true;
 internalInterfaces = [ "incusbr0" "incusbr1" ];
- externalInterface = "enp4s0";
+ externalInterface = "incusbr2";
 forwardPorts = [
 # Web-UI for home-assistant
 {
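Review bot: `mtu = 1280;` on the new uplink bridge is unexplained, and since the same hunk makes incusbr2 the `externalInterface` for NAT while incusbr0 and incusbr1 keep whatever MTU they had, guest packets larger than 1280 bytes leaving via NAT will depend on fragmentation or working path-MTU discovery (the ruleset hunk above shows no MSS clamping, though one could exist outside this diff). A one-line comment stating the reason would let the next reader judge whether the value is still needed, for example `mtu = 1280; # TODO(review): document why the uplink MTU is lowered below the guest bridges' MTU`. The pinned `macAddress` likewise deserves a short comment on what it must match, since a bridge otherwise takes its MAC from an enslaved port.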