| 24 Dec 2025 |
Pratham Patel | * At the moment, I have a very simple firewall rule for my router to ensure traffic between private and guest networks doesn't ever interfere. The configuration for that is here. Additionally, I have a helper function of sorts to create wireguard interfaces. Given I'm very new to firewall rules and routing, I'm not sure how to ensure that all traffic from the private network is routed via the wireguard interface but the guest network's traffic exits without ever touching the wireguard interface. Let's call it wg0 on the router.
I believe that this setup will require the following additional rules to the forward chain in the router-fw table:
iifname "isolated" oifname "wg0" drop
iifname "wg0" oifname "isolated" drop
iifname "trusted" oifname "wg0" accept
iifname "wg0" oifname "trusted" accept
iifname "wg0" oifname "wan" accept
iifname "wan" oifname "wg0" accept
And also require a new output chain in the router-fw table:
chain output {
    type filter hook output priority filter; policy accept;
    accept
}
This is what I have come up with so far. Is there anything else that I'm missing, or doing wrong?
(edit: switched git reference from master to a specific commit)
| 09:04:06 |
| pltrz joined the room. | 12:41:07 |
Acid Bong | does systemd-resolved support secret configs? judging by man resolved.conf, it only accepts entries from systemd/resolved.conf[.d/*.conf] | 16:46:31 |
Autiboy | You might be able to use agenix | 16:52:57 |
Acid Bong | i already use sops-nix, how would it be different? | 16:54:13 |
Autiboy | It shouldn't be that different | 16:56:29 |
Acid Bong | but does resolved support configs from outside /etc/systemd? | 16:56:52 |
Autiboy | I don't know. But if you're trying to specify a secrets file in a unit you can use extraConfig | 16:59:05 |
Marcel | Sops also supports installing secrets to any location. Not just /run/secrets | 16:59:36 |
Acid Bong | ah, TIL | 17:00:36 |
Acid Bong | on a semi-related note, I want to use NextDNS without its client, which option of the listed ones (Resolved, Dnsmasq, Stubby, DNScrypt, Kresd, Cloudflared, Unbound) is the most convenient/fitting for a laptop-only setup? | 17:27:17 |
Acid Bong | * on a semi-related note, I want to use NextDNS without its client, which option of the listed ones (Resolved, Dnsmasq, Stubby, DNScrypt, Kresd, Cloudflared, Unbound) is the most convenient/fitting for a laptop-only setup, with or without considering NixOS? | 17:28:44 |
K900 | resolved is definitely the least work | 17:33:35 |
Acid Bong | and already integrates with NetworkManager | 17:34:25 |
Acid Bong | (but so does Dnsmasq 🤔 ) | 17:34:40 |
Acid Bong | ight, the resolved config works well, only one moment: why are some queries detected both from my laptop (DNS-over-TLS + custom ID) and from my router (plain IP)? | 20:34:50 |
| 19 May 2021 |
| @grahamc:nixos.org set the history visibility to "world_readable". | 19:20:58 |
| @grahamc:nixos.org invited casey ©. | 19:21:08 |
| casey © joined the room. | 19:21:17 |
| [0x4A6F] joined the room. | 19:23:16 |
| Alyssa Ross joined the room. | 19:26:50 |
| hexa joined the room. | 19:27:05 |
| andi- joined the room. | 19:40:47 |
| n0emis joined the room. | 19:42:15 |
| Server Stats Discoverer (traveler bot) joined the room. | 19:50:53 |
| Matrix Traveler (bot) joined the room. | 20:03:52 |
| scott joined the room. | 20:48:39 |
| risson joined the room. | 21:05:43 |