Difference between revisions of "Networking"
Latest revision as of 10:54, 6 April 2024
Networking config always goes in your system configuration.
== Configuration ==

=== Static IP for network adapter ===

The following example configures a static IPv6 address and a default gateway for the interface <code>ens3</code>:

<syntaxhighlight lang="nix">
networking = {
  interfaces = {
    ens3.ipv6.addresses = [{
      address = "2a01:4f8:1c1b:16d0::1";
      prefixLength = 64;
    }];
  };
  defaultGateway6 = {
    address = "fe80::1";
    interface = "ens3";
  };
};
</syntaxhighlight>
=== Hosts file ===

To edit <code>/etc/hosts</code>, just add something like this to your <code>configuration.nix</code>:

<syntaxhighlight lang="nix">
networking.hosts = {
  "127.0.0.2" = ["other-localhost"];
  "192.0.2.1" = ["mail.example.com" "imap.example.com"];
};
</syntaxhighlight>
=== Port forwarding ===

In this example we're going to forward the port <code>80</code> via NAT from our internal network interface <code>ens3</code> to the host <code>10.100.0.3</code> on our external interface <code>wg0</code>.

<syntaxhighlight lang="nix">
networking = {
  nftables = {
    enable = true;
    ruleset = ''
      table ip nat {
        chain PREROUTING {
          type nat hook prerouting priority dstnat; policy accept;
          iifname "ens3" tcp dport 80 dnat to 10.100.0.3:80
        }
      }
    '';
  };
  firewall = {
    enable = true;
    allowedTCPPorts = [ 80 ];
  };
  nat = {
    enable = true;
    internalInterfaces = [ "ens3" ];
    externalInterface = "wg0";
    forwardPorts = [
      {
        sourcePort = 80;
        proto = "tcp";
        destination = "10.100.0.3:80";
      }
    ];
  };
};
</syntaxhighlight>
For IPv6 port forwarding, the example would look like this. Incoming connections on the address <code>2001:db8::</code> and port <code>80</code> will be forwarded to <code>[fe80::1234:5678:9abc:def0]:80</code>.

<syntaxhighlight lang="nix">
networking = {
  nftables = {
    enable = true;
    ruleset = ''
      table ip6 nat {
        chain PREROUTING {
          type nat hook prerouting priority dstnat; policy accept;
          # nft takes the matched address bare; brackets are only used in the dnat target
          iifname "ens3" ip6 daddr 2001:db8:: tcp dport 80 dnat to [fe80::1234:5678:9abc:def0]:80
        }
      }
    '';
  };
  firewall = {
    enable = true;
    allowedTCPPorts = [ 80 ];
  };
  nat = {
    enable = true;
    internalInterfaces = [ "ens3" ];
    externalInterface = "wg0";
    enableIPv6 = true;
    internalIPv6s = [ "2001:db8::/64" ];
    externalIPv6 = "fe80::1234:5678:9abc:def0";
    forwardPorts = [
      {
        sourcePort = 80;
        proto = "tcp";
        # IPv6 destinations are written as [address]:port
        destination = "[fe80::1234:5678:9abc:def0]:80";
      }
    ];
  };
};
</syntaxhighlight>
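A mistake that is easy to make in both forwarding examples above is a malformed <code>destination</code> string (for IPv6 the option documents the <code>[ipv6]:port</code> form). The following validator is an added example, not NixOS code; it checks <code>forwardPorts</code> entries given as Python dicts and assumes single ports only, leaving port ranges out.

```python
import ipaddress
# Added example, not NixOS code: validate the "destination" and "sourcePort"
# fields of a networking.nat.forwardPorts entry. The option documents
# "ip:port" (IPv4) and "[ipv6]:port" (IPv6); port ranges are not handled here.

def parse_destination(dest):
    """Return (ip_address, port) or raise ValueError naming the defect."""
    if dest.startswith("["):
        close = dest.find("]")
        if close < 0 or dest[close + 1:close + 2] != ":":
            raise ValueError("IPv6 destination must be written as [addr]:port")
        host, port_text = dest[1:close], dest[close + 2:]
        addr = ipaddress.ip_address(host)
        if addr.version != 6:
            raise ValueError("bracketed host must be an IPv6 address")
    else:
        host, sep, port_text = dest.rpartition(":")
        if not sep:
            raise ValueError("destination needs a :port suffix")
        if ":" in host or "]" in host:
            # e.g. "fe80::1]:80" with the opening bracket missing
            raise ValueError("IPv6 destination must be written as [addr]:port")
        addr = ipaddress.ip_address(host)  # raises ValueError on garbage
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError("bad port: %r" % port_text)
    return addr, int(port_text)

def check_forward_entry(entry, ipv6_enabled):
    """Validate one forwardPorts attrset (as a dict); return a list of problems."""
    problems = []
    if entry.get("proto", "tcp") not in ("tcp", "udp"):
        problems.append("proto must be tcp or udp")
    source = entry.get("sourcePort")
    if not isinstance(source, int) or not 1 <= source <= 65535:
        problems.append("sourcePort must be an integer port")
    try:
        addr, _port = parse_destination(str(entry.get("destination", "")))
    except ValueError as exc:
        return problems + ["destination: %s" % exc]
    if addr.version == 6 and not ipv6_enabled:
        problems.append("IPv6 destination needs networking.nat.enableIPv6 = true")
    return problems

# Constructed samples: the IPv4 and IPv6 entries above, plus a bracket-less IPv6 target.
PAGE_IPV4 = {"sourcePort": 80, "proto": "tcp", "destination": "10.100.0.3:80"}
PAGE_IPV6 = {"sourcePort": 80, "proto": "tcp",
             "destination": "[fe80::1234:5678:9abc:def0]:80"}
NO_BRACKET = dict(PAGE_IPV6, destination="fe80::1234:5678:9abc:def0]:80")
```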
= IPv6 =

== Prefix delegation with fixed DUID ==

Sometimes the hosting provider manages IPv6 networks via a so-called ''DUID'' or ''clientid''. This snippet is required to make the network routable:
<syntaxhighlight lang="nix">
{ config, pkgs, ... }:
let
  # Get this from your hosting provider
  clientid = "00:11:22:33:44:55:66:77:88:99";
  interface = "enp2s0";
  subnet = "56";
  network = "2001:bbb:3333:1111::/${subnet}";
  own_ip = "2001:bbb:3333:1111::1/${subnet}";
in {
  # ... snip ...
  networking.enableIPv6 = true;
  networking.useDHCP = true;
  networking.dhcpcd.persistent = true;
  networking.dhcpcd.extraConfig = ''
    clientid "${clientid}"
    noipv6rs
    interface ${interface}
    ia_pd 1/${network} ${interface}
    static ip6_address=${own_ip}
  '';
  environment.etc."dhcpcd.duid".text = clientid;
}
</syntaxhighlight>
Source: gleber gist for online.net IPv6 config in NixOS
Note: Recent versions of dhcpcd move the duid file to <code>/var/db/dhcpcd/duid</code>. For that to work, you have to replace the above <code>environment.etc</code> line with something like:

<syntaxhighlight lang="nix">
systemd.services.dhcpcd.preStart = ''
  cp ${pkgs.writeText "duid" "<ID>"} /var/db/dhcpcd/duid
'';
</syntaxhighlight>
= VLANs =

Refer to [https://nixos.org/manual/nixos/stable/options.html#opt-networking.vlans <code>networking.vlans</code> in the manual].

Below is a complete networking example showing two interfaces, one with VLAN trunk tagging and one without.
<code>enp2s1</code> is a normal network interface at <code>192.168.1.2</code> with no VLAN information.
<code>enp2s0</code> is the virtual LAN trunk with two tagged VLANs, <code>vlan100</code> and <code>vlan101</code>.
<code>vlan100</code> is in the <code>10.1.1.X</code> network and <code>vlan101</code> is in the <code>10.10.10.X</code> network.
The <code>hostId</code> should be unique among your machines, [https://nixos.org/manual/nixos/stable/options.html#opt-networking.hostId as mentioned in the manual].

Complete networking section example:
<syntaxhighlight lang="nix">
networking = {
  hostId = "deadb33f";
  hostName = "nixos";
  domain = "example.com";
  dhcpcd.enable = false;
  interfaces.enp2s1.ipv4.addresses = [{
    address = "192.168.1.2";
    prefixLength = 28;
  }];
  vlans = {
    vlan100 = { id=100; interface="enp2s0"; };
    vlan101 = { id=101; interface="enp2s0"; };
  };
  interfaces.vlan100.ipv4.addresses = [{
    address = "10.1.1.2";
    prefixLength = 24;
  }];
  interfaces.vlan101.ipv4.addresses = [{
    address = "10.10.10.3";
    prefixLength = 24;
  }];
  defaultGateway = "192.168.1.1";
  nameservers = [ "1.1.1.1" "8.8.8.8" ];
};
</syntaxhighlight>