!tCyGickeVqkHsYjWnh:nixos.org

NixOS Networking

877 Members
Declaratively manage your switching, routing, wireless, tunneling and more. | Don't rely on `networking.*` for interface and routing setup, use systemd-networkd, ifstate or NetworkManager instead. | Set `SYSTEMD_LOG_LEVEL=debug` to debug networking issues with networkd | No bad nft puns, please. | Room recommendations: #sysops:nixos.org256 Servers

You have reached the beginning of time (for this room).

SenderMessageTime
22 Dec 2025
@woobilicious:matrix.orgwoobiliciousAnyone here run a custom sinkhole (i.e. pi-hole) setup for bind9 or similar? Not a fan of pi-hole since it's just a fork of dnsmasq, with all its limitations, and I wanted to setup encrypted dns stuff06:19:55
@magic_rb:matrix.redalder.orgmagic_rbI do bind9 on top of dnscrypt-proxy209:06:01
@cinerealkiara:matrix.org@cinerealkiara:matrix.org left the room.11:08:09
@acidbong:envs.net@acidbong:envs.netwhen NetworkManager uses Resolved or Dnsmasq as a backend, do they run continuously or only update resolv.conf when called?16:05:10
@k900:0upti.meK900They are resolvers16:05:59
@k900:0upti.meK900They don't manage resolv.conf because resolv.conf is not sufficient to express the logic they implement16:06:10
@acidbong:envs.net@acidbong:envs.netgot it16:11:56
@acidbong:envs.net@acidbong:envs.netso they run in the background?16:12:06
@k900:0upti.meK900Yes16:12:10
@k900:0upti.meK900There's a daemon running in the background16:12:16
@acidbong:envs.net@acidbong:envs.netnow NixOS-specific: why does Resolved module sets NetworkManager resolver, but Dnsmasq doesn't?17:01:52
@k900:0upti.meK900Because dnsmasq is weird and NM runs its own17:04:27
24 Dec 2025
@woobilicious:matrix.orgwoobiliciousThinking I might use unbound since it's easier to configure, and then setup a service that periodically pulls adblock lists and adds them as a blacklist, dnscrypt seems like the technical better solution since it's udp based, but DoT seems more wildly supported04:59:23
@emilazy:matrix.orgemilydnscrypt-proxy2 can itself do blocking IIRC05:07:48
@magic_rb:matrix.redalder.orgmagic_rbI dont want blocking as a feature. I have ublock everywhere and dont run much proprietary software08:36:49
@thefossguy:matrix.orgPratham Patel

At the moment, I have a very simple firewall rule for my router to ensure traffic between private and guest networks don't ever interfere. The configuration for that is here. Additionally, I have a helper function of sorts to create wireguard interfaces. Given I'm very new to firewall rules and routing, I'm not sure how to ensure that all traffic from the private network is routed via the wireguard interface but the guest network's traffic exits without ever touching the wireguard interface. Let's call it wg0 on the router.

I believe that this setup will require the following additional rules to the forward chain in the router-fw table:

iifname "isolated" oifname "wg0" drop
iifname "wg0" oifname "isolated" drop

iifname "trusted" oifname "wg0" accept
iifname "wg0" oifname "trusted" accept

iifname "wg0" oifname "wan" accept
iifname "wan" oifname "wg0" accept

And also require a new output chain in the router-fw table:

chain output {
    type filter hook output priority filter; policy accept;
    accept
}

This is what I have come up with so far. Is there anything else that I'm missing, or doing wrong?

08:57:37
@thefossguy:matrix.orgPratham Patel *

At the moment, I have a very simple firewall rule for my router to ensure traffic between private and guest networks don't ever interfere. The configuration for that is here. Additionally, I have a helper function of sorts to create wireguard interfaces. Given I'm very new to firewall rules and routing, I'm not sure how to ensure that all traffic from the private network is routed via the wireguard interface but the guest network's traffic exits without ever touching the wireguard interface. Let's call it wg0 on the router.

I believe that this setup will require the following additional rules to the forward chain in the router-fw table:

iifname "isolated" oifname "wg0" drop
iifname "wg0" oifname "isolated" drop

iifname "trusted" oifname "wg0" accept
iifname "wg0" oifname "trusted" accept

iifname "wg0" oifname "wan" accept
iifname "wan" oifname "wg0" accept

And also require a new output chain in the router-fw table:

chain output {
    type filter hook output priority filter; policy accept;
    accept
}

This is what I have come up with so far. Is there anything else that I'm missing, or doing wrong?

(edit: switched git reference from master to a specific commit)

09:02:24

Show newer messages

Back to Room ListRoom Version: 6