finalize netconfig simplification

realize l2 bridge utilization in vhosts
2026-01-26 23:34:48 +01:00 · 2026-01-26 21:06:13 +01:00
4 changed files with 36 additions and 237 deletions
--- a/drives.nix
+++ b/drives.nix
@@ -6,7 +6,7 @@
    #  fsType = "nfs";
    #};
    "/mnt/nethergarde/leonhome" = {
-      device = "10.46.32.2:/mnt/Nethergarde/Home";
+      device = "192.168.0.16:/mnt/Nethergarde/Home";
      fsType = "nfs";
    };
    #"/mnt/nethergarde/bigdata" = {
--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@@ -39,7 +39,12 @@
      RUN+="/bin/sh -c 'modprobe ahci; echo 0000:08:00.0 > /sys/bus/pci/drivers_probe'"
  '';

-  boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
+  boot.kernel.sysctl = {
+    "net.ipv4.conf.all.forwarding" = true;
+    "net.bridge.bridge-nf-call-iptables" = 0;
+    "net.bridge.bridge-nf-call-ip6tables" = 0;
+    "net.bridge.bridge-nf-call-arptables" = 0;
+  };

  swapDevices =
    [ { device = "/dev/disk/by-uuid/7e34cdc3-bd48-435a-8ea2-e1fe43926262"; }
--- a/incus.nix
+++ b/incus.nix
@@ -3,29 +3,41 @@
 {
  virtualisation.incus.enable = true;
  networking = {
-    nftables.enable = true;
-    firewall = {
-      trustedInterfaces = [ "incusbr1" ];
-      filterForward = true;
+    nftables = {
+      enable = true;
+      ruleset = ''
+       table inet crusader_isolation {
+        chain fwd_pre {
+          type filter hook forward priority -200; policy accept;

-      extraForwardRules = ''
-        # if crusader tries to go to varian or truenas, BLOCK
-        iifname "incusbr1" oifname "incusbr0" drop
-        iifname "incusbr1" oifname "incusbr2" ip daddr 192.168.0.0/16 drop
+          # Crusader-Netz darf NICHT ins LAN
+          iifname "incusbr1" ip daddr 192.168.0.0/16 drop
+        }
+       }
      '';
+    }
+    firewall = {
+      trustedInterfaces = [ "incusbr2" ];
+      filterForward = false;

      interfaces = {
-        incusbr0 = {
-          allowedTCPPorts = [ 53 67 ];
-          allowedUDPPorts = [ 53 67 ];
-        };
        incusbr1 = {
          allowedTCPPorts = [ 53 ];
-          allowedUDPPorts = [ 53 67 68 ];
+          allowedUDPPorts = [
+            53
+            67
+            68
+            41641  # Tailscale / WireGuard
+          ];
        };
-      };
+      }; 
+    };

-      
+    nat = {
+      enable = true;
+      externalInterface = "incusbr2";
+      internalInterfaces = [ "incusbr1" ];
+      internalIPs = [ "10.46.33.0/24" ];
    };
  };

--- a/networking.nix
+++ b/networking.nix
@@ -9,63 +9,11 @@

    firewall = {
      enable = true;
-      allowedTCPPorts = [ 80 443 8123 1883 8883 9001 20 21 50000 50001 50002 50003 50004 50005 22 2222 2223 990 989 445 111 2049 32765 32768 20048 ];
-      allowedUDPPorts = [ 111 2049 20048 32765 32768 ];
-      trustedInterfaces = [ "incusbr0" "incusbr2" ];
+      allowedTCPPorts = [ 53 2222 ];
+      allowedUDPPorts = [ 53 67 68 ];
    };

-    nftables.ruleset = ''
-      table ip filter {
-        chain forward {
-          type filter hook forward priority 0; policy drop;
-          # allow established/related replies
-          ct state established,related accept
-
-          # allow new+established VM→Internet
-          iifname "incusbr0" oifname "incusbr2" ct state new,established accept
-          iifname "incusbr1" oifname "incusbr2" ct state new,established accept
-
-          # allow vm to vm communication 
-          iifname "tap*" oifname "tap*" accept
-
-          # allow natted replies
-          iifname "incusbr2" oifname "incusbr0" tcp dport 8123 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 80 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 443 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 1883 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 8883 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 9001 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 20 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 21 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 50000 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 50001 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 50002 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 50003 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 50004 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 50005 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 22 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 2223 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 990 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 989 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 445 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 111 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" udp dport 111 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 2049 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" udp dport 2049 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 32765 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" udp dport 32765 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 32768 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" udp dport 32768 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" tcp dport 20048 ct state new,established accept
-          iifname "incusbr2" oifname "incusbr0" udp dport 20048 ct state new,established accept
-        }
-      }
-    '';
-
    bridges = {
-      incusbr0 = {
-        interfaces = [];
-      };
      incusbr1 = {
        interfaces = [];
      };
@@ -75,11 +23,6 @@
    };

    interfaces = {
-      incusbr0 = {
-        ipv4.addresses = [
-          { address = "10.46.32.1"; prefixLength = 24; }
-        ];
-      };
      incusbr1 = {
        ipv4.addresses = [
          { address = "10.46.33.1"; prefixLength = 24; }
@@ -90,7 +33,6 @@
          { address = "192.168.0.19"; prefixLength = 24; }
        ];
        macAddress = "2c:fd:a1:c1:13:b0";
-        mtu = 1280;
      };
    };
    
@@ -98,166 +40,6 @@
      address = "192.168.0.1";
      interface = "incusbr2";
    };
-
-    nat = {
-      enable = true;
-      internalInterfaces = [ "incusbr0" "incusbr1" ];
-      externalInterface = "incusbr2";
-      forwardPorts = [
-        # Web-UI for home-assistant
-        {
-          sourcePort = 8123;
-          proto = "tcp";
-          destination = "10.46.32.153:8123";
-        }
-        # Web-UI for nas
-        {
-          sourcePort = 80;
-          proto = "tcp";
-          destination = "10.46.32.2:80";
-        }
-        {
-          sourcePort = 443;
-          proto = "tcp";
-          destination = "10.46.32.2:443";
-        }
-        # MQTT
-        {
-          sourcePort = 1883;
-          proto = "tcp";
-          destination = "10.46.32.153:1883";
-        }
-        {
-          sourcePort = 8883;
-          proto = "tcp";
-          destination = "10.46.32.153:8883";
-        }
-        {
-          sourcePort = 9001;
-          proto = "tcp";
-          destination = "10.46.32.153:9001";
-        }
-        # FTP
-        {
-          sourcePort = 20;
-          proto = "tcp";
-          destination = "10.46.32.2:20";
-        }
-        {
-          sourcePort = 21;
-          proto = "tcp";
-          destination = "10.46.32.2:21";
-        }
-        # FTP Passive Ports
-        {
-          sourcePort = 50000;
-          proto = "tcp";
-          destination = "10.46.32.2:50000";
-        }
-        {
-          sourcePort = 50001;
-          proto = "tcp";
-          destination = "10.46.32.2:50001";
-        }
-        {
-          sourcePort = 50002;
-          proto = "tcp";
-          destination = "10.46.32.2:50002";
-        }
-        {
-          sourcePort = 50003;
-          proto = "tcp";
-          destination = "10.46.32.2:50003";
-        }
-        {
-          sourcePort = 50004;
-          proto = "tcp";
-          destination = "10.46.32.2:50004";
-        }
-        {
-          sourcePort = 50005;
-          proto = "tcp";
-          destination = "10.46.32.2:50005";
-        }
-        {
-          sourcePort = 22;
-          proto = "tcp";
-          destination = "10.46.32.2:22";
-        }
-        {
-          sourcePort = 2223;
-          proto = "tcp";
-          destination = "10.46.32.2:2223";
-        }
-        {
-          sourcePort = 990;
-          proto = "tcp";
-          destination = "10.46.32.2:990";
-        }
-        {
-          sourcePort = 989;
-          proto = "tcp";
-          destination = "10.46.32.2:989";
-        }
-        # SMB
-        {
-          sourcePort = 445;
-          proto = "tcp";
-          destination = "10.46.32.2:445";
-        }
-        # NFS
-        {
-          sourcePort = 111;
-          proto = "tcp";
-          destination = "10.46.32.2:111";
-        }
-        {
-          sourcePort = 111;
-          proto = "udp";
-          destination = "10.46.32.2:111";
-        }
-        {
-          sourcePort = 2049;
-          proto = "tcp";
-          destination = "10.46.32.2:2049";
-        }
-        {
-          sourcePort = 2049;
-          proto = "udp";
-          destination = "10.46.32.2:2049";
-        }
-        {
-          sourcePort = 32765;
-          proto = "tcp";
-          destination = "10.46.32.2:32765";
-        }
-        {
-          sourcePort = 32765;
-          proto = "udp";
-          destination = "10.46.32.2:32765";
-        }
-        {
-          sourcePort = 32768;
-          proto = "tcp";
-          destination = "10.46.32.2:32768";
-        }
-        {
-          sourcePort = 32768;
-          proto = "udp";
-          destination = "10.46.32.2:32768";
-        }
-        {
-          sourcePort = 20048;
-          proto = "tcp";
-          destination = "10.46.32.2:20048";
-        }
-        {
-          sourcePort = 20048;
-          proto = "udp";
-          destination = "10.46.32.2:20048";
-        }
-      ];
-    };
  };
 }
Author	SHA1	Message	Date
RootHost-Stormwind	307db6c3a2	finalize netconfig simplification	2026-01-26 23:34:48 +01:00
RootHost-Stormwind	03a75c33e9	realize l2 bridge utilization in vhosts	2026-01-26 21:06:13 +01:00