Hi!

I’m trying to make a DIY router. I used configs from some online guides (the nftables one is from the project’s website), but nothing happens when I connect a different machine. I know that description doesn’t say much, so I’d like to know how can I check what’s actually wrong. My system (Guix) config is below:

(use-modules (gnu))
(use-service-modules cups desktop networking ssh xorg sysctl linux dns)

(define wan "enp0s29u1u5")

(define lan "enp0s25")

(define dnsmasq-config
  "# Listen on this specific port instead of the standard DNS port
# (53). Setting this to zero completely disables DNS function,
# leaving only DHCP and/or TFTP.
port=53
# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv
# By  default,  dnsmasq  will  send queries to any of the upstream
# servers it knows about and tries to favour servers to are  known
# to  be  up.  Uncommenting this forces dnsmasq to try each query
# with  each  server  strictly  in  the  order  they   appear   in
# /etc/resolv.conf
strict-order
# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
expand-hosts
# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
#     as the domain part matches this setting.
# 2) Sets the \"domain\" DHCP option thereby potentially setting the
#    domain of all systems configured by DHCP
# 3) Provides the domain part for \"expand-hosts\"
#domain=thekelleys.org.uk
domain=example.com

# Set Listen address
listen-address=127.0.0.1 # Set to Server IP for network responses

dhcp-range=192.168.3.25,192.168.3.50,24h
dhcp-option=option:router,192.168.3.1
dhcp-option=option:ntp-server,192.168.3.5
dhcp-option=option:dns-server,192.168.3.5
dhcp-option=option:netmask,255.255.255.0
")

(define nftables-config
  (format #f
	  "flush ruleset

define DEV_PRIVATE = ~a
define DEV_WORLD = ~a
define NET_PRIVATE = 192.168.0.0/16

table ip global {

    chain inbound_world {
        # accepting ping (icmp-echo-request) for diagnostic purposes.
        # However, it also lets probes discover this host is alive.
        # This sample accepts them within a certain rate limit:
        #
        # icmp type echo-request limit rate 5/second accept

        # allow SSH connections from some well-known internet host
        ip saddr 81.209.165.42 tcp dport ssh accept
    }

    chain inbound_private {
        # accepting ping (icmp-echo-request) for diagnostic purposes.
        icmp type echo-request limit rate 5/second accept

        # allow DHCP, DNS and SSH from the private network
        ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
    }

    chain inbound {
        type filter hook input priority 0; policy drop;

        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }

        # allow loopback traffic, anything else jump to chain for further evaluation
        iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_PRIVATE : jump inbound_private }

        # the rest is dropped by the above policy
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }

        # connections from the internal net to the internet or to other
        # internal nets are allowed
        iifname $DEV_PRIVATE accept

        # the rest is dropped by the above policy
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # masquerade private IP addresses
        ip saddr $NET_PRIVATE oifname $DEV_WORLD masquerade
    }
}
" lan wan))

(operating-system
 (locale "en_GB.utf8")
 (timezone "Europe/Warsaw")
 (keyboard-layout (keyboard-layout "pl" "legacy" #:options '("ctrl:nocaps")))
 (host-name "router")

 (kernel-arguments
  (list
   "modprobe.blacklist=pcspkr,snd_pcsp"))
 
 ;; The list of user accounts ('root' is implicit).
 (users (cons* (user-account
                (name "formbi")
                (comment "Formbi")
                (group "users")
                (home-directory "/home/formbi")
                (supplementary-groups '("wheel" "netdev" "audio" "video")))
               %base-user-accounts))

 ;; Packages installed system-wide.  Users can also install packages
 ;; under their own account: use 'guix search KEYWORD' to search
 ;; for packages and 'guix install PACKAGE' to install a package.
 (packages
  (append (list (specification->package "nss-certs"))
                   %base-packages))

 ;; Below is the list of system services.  To search for available
 ;; services, run 'guix system search KEYWORD' in a terminal.
 (services
  (append (list
	   (service xfce-desktop-service-type)
	   (service guix-publish-service-type
		    (guix-publish-configuration
		     (port 2137)
		     (advertise? #t)))
	   (service earlyoom-service-type
		    (earlyoom-configuration
		     (avoid-regexp "emacs")
		     (minimum-available-memory 5)
		     (minimum-free-swap 20)))

           (service openssh-service-type)
           (service cups-service-type)

	   (service dnsmasq-service-type)

	   (extra-special-file "/etc/dnsmasq.conf"
			       (plain-file "dnsmasq.conf" dnsmasq-config))

	   (service nftables-service-type
		    (nftables-configuration
		     (ruleset (plain-file "nftables.conf" nftables-config))))


	   (set-xorg-configuration
            (xorg-configuration (keyboard-layout keyboard-layout))))

          ;; This is the default list of services we
          ;; are appending to.
	  (modify-services
	   %desktop-services
	   
	   (sysctl-service-type
	    config =>
	    (sysctl-configuration
	     (settings (append '(("vm.swappiness" . "10")
				 ("net.ipv4.ip_forward" . "1"))
			       %default-sysctl-settings))))

	   (network-manager-service-type
	    config =>
	    (network-manager-configuration
					;(dns "dnsmasq")
	     ))
	   
	   (guix-service-type
	    config =>
	    (guix-configuration
	     (discover? #t))))))
 
 (bootloader (bootloader-configuration
              (bootloader grub-bootloader)
              (targets (list "/dev/sda"))
              (keyboard-layout keyboard-layout)))
 (swap-devices (list (swap-space
                      (target (uuid
                               "a32aa366-c966-460f-9592-2a08c5cad947")))))

 ;; The list of file systems that get "mounted".  The unique
 ;; file system identifiers there ("UUIDs") can be obtained
 ;; by running 'blkid' in a terminal.
 (file-systems (cons* (file-system
                       (mount-point "/")
                       (device (uuid
                                "30b3a834-f23e-42ad-addf-0cde5538a96f"
                                'ext4))
                       (type "ext4")) %base-file-systems)))
  • Formbi@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    2 years ago

    I connect a different device with a cable and I expect it would get an internet connection or at least a local connection. But, well, nothing happens. There are no messages in dmesg or /var/log/messages on both machines either.

    • Helix 🧬@feddit.de
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 years ago

      Did you enable the interface on both sides? Which IPs do both systems have? Is the cable working fine?