{ ... }:

{

  ## Gastnetz
  networking.vlans."enp1s0.202" = {
    id = 202;
    interface = "enp1s0";
  };
  networking.interfaces."enp1s0.202".ipv6.addresses = [
    { address = "fd00:3214:9453:4920::1"; prefixLength = 64; }
    { address = "2001:4cd8:100:1313::1"; prefixLength = 64; } # public IPs for local network
  ];
  networking.interfaces."enp1s0.202".ipv4.addresses = [
    { address = "192.168.32.1"; prefixLength = 24; }
  ];

  services.radvd.config = ''
    interface enp1s0.202 {
      AdvSendAdvert on;
      prefix 2001:4cd8:100:1313::/64 {};
      RDNSS 2620:fe::fe 2620:fe::9 {}; # Quad 9
    };
  '';

  services.kea.dhcp4 = {
    settings = {
      interfaces-config = {
        interfaces = [ "enp1s0.202" ];
      };
      subnet4 = [
        # Gastnetz
        {
          id = 202;
          subnet = "192.168.32.0/24";
          pools = [
            {
              pool = "192.168.32.100 - 192.168.32.240";
            }
          ];
          option-data = [
            {
              name = "routers";
              data = "192.168.32.1";
            }
            {
              name = "domain-name-servers";
              data = "9.9.9.9,149.112.112.112"; # Quad 9
            }
          ];
        }
      ];
    };
  };

  # net-gastnetz can only access internet
  clerie.firewall.extraForwardFilterCommands = ''
    ip46tables -A forward-filter -i enp1s0.202 -o ppp-dtagdsl -j ACCEPT
    ip46tables -A forward-filter -i enp1s0.202 -j DROP
    ip46tables -A forward-filter -o enp1s0.202 -j DROP
  '';

}