| 24 Dec 2025 |
 emily | dnscrypt-proxy2 can itself do blocking IIRC | 05:07:48 |
 magic_rb | I dont want blocking as a feature. I have ublock everywhere and dont run much proprietary software | 08:36:49 |
 Pratham Patel | At the moment, I have a very simple firewall rule for my router to ensure traffic between private and guest networks don't ever interfere. The configuration for that is here. Additionally, I have a helper function of sorts to create wireguard interfaces. Given I'm very new to firewall rules and routing, I'm not sure how to ensure that all traffic from the private network is routed via the wireguard interface but the guest network's traffic exits without ever touching the wireguard interface. Let's call it wg0 on the router.
I believe that this setup will require the following additional rules to the forward chain in the router-fw table:
iifname "isolated" oifname "wg0" drop
iifname "wg0" oifname "isolated" drop
iifname "trusted" oifname "wg0" accept
iifname "wg0" oifname "trusted" accept
iifname "wg0" oifname "wan" accept
iifname "wan" oifname "wg0" accept
And also require a new output chain in the router-fw table:
chain output {
type filter hook output priority filter; policy accept;
accept
}
This is what I have come up with so far. Is there anything else that I'm missing, or doing wrong?
| 08:57:37 |
| Pratham Patel | * At the moment, I have a very simple firewall rule for my router to ensure traffic between private and guest networks don't ever interfere. The configuration for that is here. Additionally, I have a helper function of sorts to create wireguard interfaces. Given I'm very new to firewall rules and routing, I'm not sure how to ensure that all traffic from the private network is routed via the wireguard interface but the guest network's traffic exits without ever touching the wireguard interface. Let's call it wg0 on the router.
I believe that this setup will require the following additional rules to the forward chain in the router-fw table:
iifname "isolated" oifname "wg0" drop
iifname "wg0" oifname "isolated" drop
iifname "trusted" oifname "wg0" accept
iifname "wg0" oifname "trusted" accept
iifname "wg0" oifname "wan" accept
iifname "wan" oifname "wg0" accept
And also require a new output chain in the router-fw table:
chain output {
type filter hook output priority filter; policy accept;
accept
}
This is what I have come up with so far. Is there anything else that I'm missing, or doing wrong?
(edit: switched git reference from master to a specific commit)
| 09:02:24 |
| Pratham Patel | * At the moment, I have a very simple firewall rule for my router to ensure traffic between private and guest networks don't ever interfere. The configuration for that is here. Additionally, I have a helper function of sorts to create wireguard interfaces. Given I'm very new to firewall rules and routing, I'm not sure how to ensure that all traffic from the private network is routed via the wireguard interface but the guest network's traffic exits without ever touching the wireguard interface. Let's call it wg0 on the router.
I believe that this setup will require the following additional rules to the forward chain in the router-fw table:
iifname "isolated" oifname "wg0" drop
iifname "wg0" oifname "isolated" drop
iifname "trusted" oifname "wg0" accept
iifname "wg0" oifname "trusted" accept
iifname "wg0" oifname "wan" accept
iifname "wan" oifname "wg0" accept
And also require a new output chain in the router-fw table:
chain output {
type filter hook output priority filter; policy accept;
accept
}
This is what I have come up with so far. Is there anything else that I'm missing, or doing wrong?
(edit: switched git reference from master to a specific commit)
| 09:02:49 |
| Pratham Patel | * At the moment, I have a very simple firewall rule for my router to ensure traffic between private and guest networks don't ever interfere. The configuration for that is here. Additionally, I have a helper function of sorts to create wireguard interfaces. Given I'm very new to firewall rules and routing, I'm not sure how to ensure that all traffic from the private network is routed via the wireguard interface but the guest network's traffic exits without ever touching the wireguard interface. Let's call it wg0 on the router.
I believe that this setup will require the following additional rules to the forward chain in the router-fw table:
iifname "isolated" oifname "wg0" drop
iifname "wg0" oifname "isolated" drop
iifname "trusted" oifname "wg0" accept
iifname "wg0" oifname "trusted" accept
iifname "wg0" oifname "wan" accept
iifname "wan" oifname "wg0" accept
And also require a new output chain in the router-fw table:
chain output {
type filter hook output priority filter; policy accept;
accept
}
This is what I have come up with so far. Is there anything else that I'm missing, or doing wrong?
(edit: switched git reference from master to a specific commit)
| 09:04:06 |
| 19 May 2021 |
|  @grahamc:nixos.org set the history visibility to "world_readable". | 19:20:58 |
| @grahamc:nixos.org changed the room name to "" from "". | 19:20:58 |
| @grahamc:nixos.org invited  casey ©. | 19:21:08 |
| casey © joined the room. | 19:21:17 |
|  [0x4A6F] joined the room. | 19:23:16 |
|  Alyssa Ross joined the room. | 19:26:50 |
|  hexa joined the room. | 19:27:05 |
|  andi- joined the room. | 19:40:47 |
|  n0emis joined the room. | 19:42:15 |
|  Server Stats Discoverer (traveler bot) joined the room. | 19:50:53 |
|  Matrix Traveler (bot) joined the room. | 20:03:52 |
|  scott joined the room. | 20:48:39 |
|  risson joined the room. | 21:05:43 |
|  abgn joined the room. | 21:41:00 |
|  Andreas Schrägle joined the room. | 22:59:41 |
| 20 May 2021 |
|  jul1u5 joined the room. | 00:23:09 |
|  vika (she/her) 🏳️⚧️ joined the room. | 00:50:28 |
|  thefloweringash joined the room. | 01:34:38 |
|  finn joined the room. | 05:01:16 |
|  colemickens 🏳️🌈 joined the room. | 06:18:26 |
|  srhb joined the room. | 06:22:50 |
|  ma27 joined the room. | 07:41:21 |
|  primeos joined the room. | 10:31:04 |
|  flokli joined the room. | 10:31:42 |
