nixos/estuary: Update networking config for iFog and new IXPs
parent
950bcb3055
commit
7c523633f4
@ -44,7 +44,7 @@ in
|
|||||||
|
|
||||||
protocol device {}
|
protocol device {}
|
||||||
protocol direct {
|
protocol direct {
|
||||||
interface "wan", "frys-ix";
|
interface "wan", "frys-ix", "nl-ix", "fogixp", "ifog-transit";
|
||||||
ipv4;
|
ipv4;
|
||||||
ipv6;
|
ipv6;
|
||||||
}
|
}
|
||||||
@ -64,7 +64,7 @@ in
|
|||||||
import none;
|
import none;
|
||||||
export filter {
|
export filter {
|
||||||
if net ~ OWNNETSET4 then reject;
|
if net ~ OWNNETSET4 then reject;
|
||||||
krt_prefsrc = OWNIP4;
|
#krt_prefsrc = OWNIP4;
|
||||||
accept;
|
accept;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -75,7 +75,7 @@ in
|
|||||||
export filter {
|
export filter {
|
||||||
if net = HOMENET6 then accept;
|
if net = HOMENET6 then accept;
|
||||||
if net ~ OWNNETSET6 then reject;
|
if net ~ OWNNETSET6 then reject;
|
||||||
krt_prefsrc = OWNIP6;
|
#krt_prefsrc = OWNIP6;
|
||||||
accept;
|
accept;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -176,6 +176,11 @@ in
|
|||||||
neighbor 2a02:898:0:20::e1 as 8283;
|
neighbor 2a02:898:0:20::e1 as 8283;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protocol bgp upstream6_ifog from upstream_bgp6 {
|
||||||
|
description "iFog transit (IPv6)";
|
||||||
|
neighbor 2a0c:9a40:100f:370::1 as 34927;
|
||||||
|
}
|
||||||
|
|
||||||
protocol bgp upstream6_frysix_he from upstream_bgp6 {
|
protocol bgp upstream6_frysix_he from upstream_bgp6 {
|
||||||
description "Hurricane Electric (on Frys-IX, IPv6)";
|
description "Hurricane Electric (on Frys-IX, IPv6)";
|
||||||
neighbor 2001:7f8:10f::1b1b:154 as 6939;
|
neighbor 2001:7f8:10f::1b1b:154 as 6939;
|
||||||
@ -225,6 +230,55 @@ in
|
|||||||
description "Hurricane Electric (on Frys-IX, IPv4)";
|
description "Hurricane Electric (on Frys-IX, IPv4)";
|
||||||
neighbor 185.1.203.154 as 6939;
|
neighbor 185.1.203.154 as 6939;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protocol bgp ixp4_nlix_rs1 from ixp_bgp4 {
|
||||||
|
description "NL-ix route server 1 (IPv4)";
|
||||||
|
neighbor 193.239.116.255 as 34307;
|
||||||
|
}
|
||||||
|
protocol bgp ixp6_nlix_rs1 from ixp_bgp6 {
|
||||||
|
description "NL-ix route server 1 (IPv6)";
|
||||||
|
neighbor 2001:7f8:13::a503:4307:1 as 34307;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol bgp ixp4_nlix_rs2 from ixp_bgp4 {
|
||||||
|
description "NL-ix route server 2 (IPv4)";
|
||||||
|
neighbor 193.239.117.0 as 34307;
|
||||||
|
}
|
||||||
|
protocol bgp ixp6_nlix_rs2 from ixp_bgp6 {
|
||||||
|
description "NL-ix route server 2 (IPv6)";
|
||||||
|
neighbor 2001:7f8:13::a503:4307:2 as 34307;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol bgp peer6_nlix_cloudflare1 from peer_bgp6 {
|
||||||
|
description "Cloudflare NL-ix 1 (IPv6)";
|
||||||
|
neighbor 2001:7f8:13::a501:3335:1 as 13335;
|
||||||
|
}
|
||||||
|
protocol bgp peer6_nlix_cloudflare2 from peer_bgp6 {
|
||||||
|
description "Cloudflare NL-ix 2 (IPv6)";
|
||||||
|
neighbor 2001:7f8:13::a501:3335:2 as 13335;
|
||||||
|
}
|
||||||
|
protocol bgp peer6_nlix_cloudflare3 from peer_bgp6 {
|
||||||
|
description "Cloudflare NL-ix 3 (IPv6)";
|
||||||
|
neighbor 2001:7f8:13::a501:3335:3 as 13335;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol bgp ixp4_fogixp_rs1 from ixp_bgp4 {
|
||||||
|
description "FogIXP route server 1 (IPv4)";
|
||||||
|
neighbor 185.1.147.111 as 47498;
|
||||||
|
}
|
||||||
|
protocol bgp ixp6_fogixp_rs1 from ixp_bgp6 {
|
||||||
|
description "FogIXP route server 1 (IPv6)";
|
||||||
|
neighbor 2001:7f8:ca:1::111 as 47498;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol bgp ixp4_fogixp_rs2 from ixp_bgp4 {
|
||||||
|
description "FogIXP route server 2 (IPv4)";
|
||||||
|
neighbor 185.1.147.222 as 47498;
|
||||||
|
}
|
||||||
|
protocol bgp ixp6_fogixp_rs2 from ixp_bgp6 {
|
||||||
|
description "FogIXP route server 2 (IPv6)";
|
||||||
|
neighbor 2001:7f8:ca:1::222 as 47498;
|
||||||
|
}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
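Review bot: Both kernel export filters now carry a commented-out assignment (`#krt_prefsrc = OWNIP4;` and `#krt_prefsrc = OWNIP6;`) with no reason given, so a reader cannot tell whether dropping the preferred source address is deliberate or a leftover from debugging. Without it the kernel picks the source address for router-originated traffic itself, and with `nl-ix`, `fogixp` and `ifog-transit` added that may be a peering-LAN address, which is presumably not reachable from outside the exchange. Either delete the lines or keep them with an explanation, for example `# krt_prefsrc disabled: <reason>`. Separately, the widened `protocol direct` interface list brings the connected IXP LAN prefixes into the routing table; the BGP export filters and the `ixp_bgp4`/`ixp_bgp6`/`peer_bgp6` templates are outside these hunks, so confirm they cannot announce those prefixes.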
|
@ -148,22 +148,26 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
netdevs = {
|
netdevs =
|
||||||
"25-frys-ix-base" = {
|
let
|
||||||
netdevConfig = {
|
mkVLAN = name: vid: {
|
||||||
Name = "frys-ix-base";
|
"25-${name}" = {
|
||||||
Kind = "vlan";
|
netdevConfig = {
|
||||||
|
Name = name;
|
||||||
|
Kind = "vlan";
|
||||||
|
};
|
||||||
|
vlanConfig.Id = vid;
|
||||||
};
|
};
|
||||||
vlanConfig.Id = 409;
|
|
||||||
};
|
};
|
||||||
"25-frys-ix" = {
|
in
|
||||||
netdevConfig = {
|
mkMerge [
|
||||||
Name = "frys-ix";
|
(mkVLAN "ifog" 409)
|
||||||
Kind = "vlan";
|
|
||||||
};
|
(mkVLAN "frys-ix" 701)
|
||||||
vlanConfig.Id = 2604;
|
(mkVLAN "nl-ix" 1845)
|
||||||
};
|
(mkVLAN "fogixp" 1147)
|
||||||
};
|
(mkVLAN "ifog-transit" 702)
|
||||||
|
];
|
||||||
|
|
||||||
links = {
|
links = {
|
||||||
"10-wan" = {
|
"10-wan" = {
|
||||||
@ -192,10 +196,31 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networks = {
|
networks =
|
||||||
|
let
|
||||||
|
mkIXPConfig = name: ipv4: ipv6: {
|
||||||
|
"85-${name}" = {
|
||||||
|
matchConfig.Name = name;
|
||||||
|
address = [ ipv4 ipv6 ];
|
||||||
|
linkConfig.MTUBytes = "1500";
|
||||||
|
networkConfig = {
|
||||||
|
DHCP = "no";
|
||||||
|
LLDP = false;
|
||||||
|
EmitLLDP = false;
|
||||||
|
IPv6AcceptRA = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in
|
||||||
|
mkMerge
|
||||||
|
[
|
||||||
|
(mkIXPConfig "frys-ix" "185.1.203.196/24" "2001:7f8:10f::3:3850:196/64")
|
||||||
|
(mkIXPConfig "nl-ix" "193.239.116.145/22" "2001:7f8:13::a521:1024:1/64")
|
||||||
|
(mkIXPConfig "fogixp" "185.1.147.159/24" "2001:7f8:ca:1::159/64")
|
||||||
|
{
|
||||||
"80-wan" = {
|
"80-wan" = {
|
||||||
matchConfig.Name = "wan";
|
matchConfig.Name = "wan";
|
||||||
vlan = [ "frys-ix-base" ];
|
vlan = [ "ifog" ];
|
||||||
DHCP = "no";
|
DHCP = "no";
|
||||||
address = with assignments.internal; [
|
address = with assignments.internal; [
|
||||||
(with ipv4; "${address}/${toString mask}")
|
(with ipv4; "${address}/${toString mask}")
|
||||||
@ -212,12 +237,12 @@ in
|
|||||||
IPv6AcceptRA = false;
|
IPv6AcceptRA = false;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"85-frys-ix-base" = {
|
"85-ifog" = {
|
||||||
matchConfig = {
|
matchConfig = {
|
||||||
Name = "frys-ix-base";
|
Name = "ifog";
|
||||||
Kind = "vlan";
|
Kind = "vlan";
|
||||||
};
|
};
|
||||||
vlan = [ "frys-ix" ];
|
vlan = [ "frys-ix" "nl-ix" "fogixp" "ifog-transit" ];
|
||||||
networkConfig = {
|
networkConfig = {
|
||||||
LinkLocalAddressing = "no";
|
LinkLocalAddressing = "no";
|
||||||
DHCP = "no";
|
DHCP = "no";
|
||||||
@ -226,12 +251,10 @@ in
|
|||||||
IPv6AcceptRA = false;
|
IPv6AcceptRA = false;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"85-frys-ix" = {
|
"85-ifog-transit" = {
|
||||||
matchConfig.Name = "frys-ix";
|
matchConfig.Name = "ifog-transit";
|
||||||
address = [
|
address = [ "2a0c:9a40:100f:370::2/64" ];
|
||||||
"185.1.203.196/24"
|
linkConfig.MTUBytes = "1500";
|
||||||
"2001:7f8:10f::3:3850:196/64"
|
|
||||||
];
|
|
||||||
networkConfig = {
|
networkConfig = {
|
||||||
DHCP = "no";
|
DHCP = "no";
|
||||||
LLDP = false;
|
LLDP = false;
|
||||||
@ -280,7 +303,7 @@ in
|
|||||||
];
|
];
|
||||||
networkConfig.IPv6AcceptRA = false;
|
networkConfig.IPv6AcceptRA = false;
|
||||||
};
|
};
|
||||||
};
|
} ];
|
||||||
};
|
};
|
||||||
|
|
||||||
my = {
|
my = {
|
||||||
@ -330,6 +353,8 @@ in
|
|||||||
'';
|
'';
|
||||||
in
|
in
|
||||||
''
|
''
|
||||||
|
define ixps = { frys-ix, nl-ix, fogixp, ifog-transit }
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
chain routing-tcp {
|
chain routing-tcp {
|
||||||
# Safe enough to allow all SSH
|
# Safe enough to allow all SSH
|
||||||
@ -354,13 +379,14 @@ in
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain forward {
|
chain forward {
|
||||||
iifname { wan, frys-ix } oifname base jump filter-routing
|
iifname wan oifname base jump filter-routing
|
||||||
oifname frys-ix jump ixp
|
iifname ixps oifname base jump filter-routing
|
||||||
|
oifname ixps jump ixp
|
||||||
oifname as211024 accept
|
oifname as211024 accept
|
||||||
}
|
}
|
||||||
chain output {
|
chain output {
|
||||||
oifname frys-ix-base ether type != vlan reject
|
oifname ifog ether type != vlan reject
|
||||||
oifname frys-ix jump ixp
|
oifname ixps jump ixp
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
table inet nat {
|
table inet nat {
|
||||||
|
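Review bot: In the last hunk the new rules `iifname ixps oifname base jump filter-routing` and `oifname ixps jump ixp` (the latter in both `forward` and `output`) name `ixps` without a `$`, so as shown nftables would read it as a literal interface name rather than the set from `define ixps = { frys-ix, nl-ix, fogixp, ifog-transit }`. If that is what was committed, traffic arriving from the IXP VLANs towards `base` no longer reaches `filter-routing` and egress to them skips the `ixp` chain, both of which the old `frys-ix` rules covered. Reference the definition as `iifname $ixps oifname base jump filter-routing` and `oifname $ixps jump ixp`; a bare `$ixps` is not interpolated inside a Nix `''` string, so no escaping is needed. The set also includes `ifog-transit`, which the other file describes as a transit link, so confirm the `ixp` chain (defined outside this hunk) is meant to apply to it.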