{ ... }:

{

  ## Gastnetz (guest network): VLAN 202 tagged on enp1s0, bridged as net-gastnetz
  networking = {
    # 802.1Q sub-interface that carries the guest VLAN on the physical port
    vlans."enp1s0.202" = {
      interface = "enp1s0";
      id = 202;
    };

    # The VLAN sub-interface is the only bridge member listed in this file
    bridges."net-gastnetz".interfaces = [ "enp1s0.202" ];

    # This host's own addresses on the guest segment. 192.168.32.1 is the
    # address services.kea.dhcp4 in this file announces as the "routers" option.
    # The IPv6 address is a ULA (fd00::/8), i.e. not globally routable.
    interfaces."net-gastnetz" = {
      ipv4.addresses = [
        { address = "192.168.32.1"; prefixLength = 24; }
      ];
      ipv6.addresses = [
        { address = "fd00:3214:9453:4920::1"; prefixLength = 64; }
      ];
    };
  };

  # IPv6 router advertisements for the guest segment. Everything between the
  # '' markers is radvd configuration text, so review notes are kept out here.
  #
  # - "prefix ::/64" names no concrete prefix: radvd derives the advertised /64s
  #   from the addresses configured on net-gastnetz. The only address assigned in
  #   this file is the ULA fd00:3214:9453:4920::1/64; whether a globally routable
  #   prefix is added to the interface at runtime is not visible here (TODO confirm).
  # - MaxRtrAdvInterval, AdvValidLifetime and AdvPreferredLifetime are in seconds.
  #   The short lifetimes presumably let guests drop a prefix quickly after it
  #   changes; confirm the intent.
  # - RDNSS hands guests the public Quad9 resolvers, so guest DNS needs no service
  #   on this router. Those are global addresses: with only the ULA prefix, guests
  #   can reach them only if NAT66 or a global prefix is in place; verify.
  # NOTE(review): services.radvd.enable is not set in this file; presumably it is
  # enabled elsewhere.
  services.radvd.config = ''
    interface net-gastnetz {
      AdvSendAdvert on;
      MaxRtrAdvInterval 30;
      prefix ::/64 {
        AdvValidLifetime 300;
        AdvPreferredLifetime 120;
      };
      RDNSS 2620:fe::fe 2620:fe::9 {}; # Quad 9
    };
  '';

  # DHCPv4 for the guest segment, served by Kea
  services.kea.dhcp4.settings = {
    # This file lists only the guest bridge as a DHCP listening interface
    interfaces-config.interfaces = [ "net-gastnetz" ];

    subnet4 = [
      # Gastnetz: the subnet id reuses the VLAN id
      {
        id = 202;
        subnet = "192.168.32.0/24";

        # Dynamic leases come from .100 to .240; the rest of the /24 is outside the pool
        pools = [
          { pool = "192.168.32.100 - 192.168.32.240"; }
        ];

        option-data = [
          # Default gateway: this host's address on net-gastnetz
          { name = "routers"; data = "192.168.32.1"; }
          # Quad 9: guests resolve through public resolvers, not through this router
          { name = "domain-name-servers"; data = "9.9.9.9,149.112.112.112"; }
        ];
      }
    ];
  };

  # net-gastnetz can only access internet
  #
  # Forwarding policy for the guest segment. The rules are appended (-A) in this
  # order and the first matching ACCEPT/DROP decides:
  #   1. guest -> ppp-dtagdsl is accepted (presumably the DSL uplink; confirm)
  #   2. anything else forwarded from the guest segment is dropped
  #   3. anything forwarded towards the guest segment is dropped
  #
  # NOTE(review): rule 3 also matches replies arriving from ppp-dtagdsl, so guests
  # only get answers if established/related traffic is accepted before the
  # forward-filter chain reaches these rules. Confirm in the clerie.firewall module.
  # NOTE(review): only forwarded traffic is covered. Traffic from guests addressed
  # to this router itself (its 192.168.32.1 / fd00:3214:9453:4920::1 addresses and
  # any service listening there) is decided by the input rules, which are not in
  # this file; check that they restrict net-gastnetz to what guests need (DHCP).
  # ip46tables presumably applies each rule to both IPv4 and IPv6; confirm.
  clerie.firewall.extraForwardFilterCommands = ''
    ip46tables -A forward-filter -i net-gastnetz -o ppp-dtagdsl -j ACCEPT
    ip46tables -A forward-filter -i net-gastnetz -j DROP
    ip46tables -A forward-filter -o net-gastnetz -j DROP
  '';

}