hosts/carbon: Don't send IPv4 to ppp tunnel

profiles/router: Add applications to debug conntrack more
pkgs/ds-lite-dhcpcd-hook: Netcologne can't handle Tunnel Encapsulation Limit, so don't send these options in the DS-Lite tunnel
2025-11-21 18:33:42 +01:00 · 2025-11-21 18:28:42 +01:00 · 2025-11-20 20:03:38 +01:00
3 changed files with 11 additions and 3 deletions
--- a/hosts/carbon/ppp-ncfttb.nix
+++ b/hosts/carbon/ppp-ncfttb.nix
@@ -60,4 +60,10 @@
    ip46tables -t mangle -A forward-mangle -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  '';
  networking.firewall.extraCommands = ''
    # Reject all IPv4 traffic that tries to enter and leave the PPP tunnel
    iptables -I INPUT -i ppp-ncfttb -j DROP
    iptables -I OUTPUT -o ppp-ncfttb -j DROP
  '';
 }
--- a/pkgs/ds-lite-dhcpcd-hook/ds-lite-dhcpcd-hook.sh
+++ b/pkgs/ds-lite-dhcpcd-hook/ds-lite-dhcpcd-hook.sh
@@ -83,7 +83,7 @@ if TUNNEL_INTERFACE_CONFIG="$(ip --json link show "${TUNNEL_INTERFACE_NAME}")";
 	if [[ "${TUNNEL_INTERFACE_ORIGIN_ADDRESS}" != "${WAN_INTERFACE_ADDRESS}" || "${TUNNEL_INTERFACE_REMOTE_ADDRESS}" != "${AFTR_ADDRESS}" || "${TUNNEL_INTERFACE_OPERSTATE}" != "UNKNOWN" ]]; then
 		log_tunnel "Bad configuration, fixing tunnel parameter"
-		ip tunnel change "${TUNNEL_INTERFACE_NAME}" mode ipip6 local "${WAN_INTERFACE_ADDRESS}" remote "${AFTR_ADDRESS}"
+		ip tunnel change "${TUNNEL_INTERFACE_NAME}" mode ipip6 local "${WAN_INTERFACE_ADDRESS}" remote "${AFTR_ADDRESS}" encaplimit none
 		ip link set "$TUNNEL_INTERFACE_NAME" up
 	else
 		log_tunnel "Tunnel already configured"
@@ -91,7 +91,7 @@ if TUNNEL_INTERFACE_CONFIG="$(ip --json link show "${TUNNEL_INTERFACE_NAME}")";
 else
 	log_tunnel "Setting up DS-Lite tunnel"
-	ip tunnel add "${TUNNEL_INTERFACE_NAME}" mode ipip6 local "${WAN_INTERFACE_ADDRESS}" remote "${AFTR_ADDRESS}"
+	ip tunnel add "${TUNNEL_INTERFACE_NAME}" mode ipip6 local "${WAN_INTERFACE_ADDRESS}" remote "${AFTR_ADDRESS}" encaplimit none
 	ip link set "$TUNNEL_INTERFACE_NAME" up
 fi
--- a/profiles/router/default.nix
+++ b/profiles/router/default.nix
@@ -11,8 +11,10 @@ with lib;
  config = mkIf config.profiles.clerie.router.enable {
    environment.systemPackages = with pkgs; [
-      wireguard-tools
+      conntrack-tools
      iptstate # show conntrack table
      tcpdump
      wireguard-tools
    ];
    boot.kernel.sysctl = {
Author	SHA1	Message	Date
clerie	bd1716eb23	hosts/carbon: Don't send IPv4 to ppp tunnel	2025-11-21 18:33:42 +01:00
clerie	a5125e92a6	profiles/router: Add applications to debug conntrack more	2025-11-21 18:28:42 +01:00
clerie	2606338b56	pkgs/ds-lite-dhcpcd-hook: Netcologne can't handle Tunnel Encapsulation Limit, so don't send these options in the DS-Lite tunnel	2025-11-20 20:03:38 +01:00