| 19 Dec 2025 |
 kraftnix | specifically for .local i would not recommend using that domain name/tld since it conflicts with mDNS and you get differing and strange behaviours across different platforms and it can be hard to debug issues.
as k900 mentioned, id use a tld under arpa or your own custom ending can work too, if you are already using resolved, you can indicate all domains under .mywhatevertld to go to a specific dns server using Domains=~mywhatevertld in the networkd unit
| 08:25:47 |
 n4ch723hr3r (putting stuff in your name is cringe) | .local was an example, but thx for the info | 08:29:18 |
 emily | use .internal | 08:36:47 |
| emily | it is reserved by ICANN unlike every other such name | 08:37:00 |
| emily | (.home.arpa is probably fine too since it's RFC-reserved, though it's uglier) | 08:38:18 |
| emily | * (.home.arpa is probably fine too since it's RFC-reserved, though it's uglier) | 08:38:36 |
 Nigel | Sorry, trying to follow and learn, is WG wireguard? | 12:28:42 |
 magic_rb | Ye | 12:29:46 |
|  Frédéric Christ (back on 02.01.) changed their display name from Frédéric Christ to Frédéric Christ (back on 02.01.). | 15:15:40 |
 Vera Gradient | for some reason podman isn't setting its own route_localnet to 1 anymore for me, has anyone ran into this? for now I've fixed it by setting it manually on my sysctl config but I'm certain this should be set automatically in the first place | 16:52:32 |
| 22 Dec 2025 |
 Autiboy | What version of nixos? | 01:59:31 |
 woobilicious | Anyone here run a custom sinkhole (i.e. pi-hole) setup for bind9 or similar? Not a fan of pi-hole since it's just a fork of dnsmasq, with all its limitations, and I wanted to setup encrypted dns stuff | 06:19:55 |
| magic_rb | I do bind9 on top of dnscrypt-proxy2 | 09:06:01 |
|  @cinerealkiara:matrix.org left the room. | 11:08:09 |
 Acid Bong | when NetworkManager uses Resolved or Dnsmasq as a backend, do they run continuously or only update resolv.conf when called? | 16:05:10 |
 K900 | They are resolvers | 16:05:59 |
| K900 | They don't manage resolv.conf because resolv.conf is not sufficient to express the logic they implement | 16:06:10 |
| Acid Bong | got it | 16:11:56 |
| Acid Bong | so they run in the background? | 16:12:06 |
| K900 | Yes | 16:12:10 |
| K900 | There's a daemon running in the background | 16:12:16 |
| Acid Bong | now NixOS-specific: why does Resolved module sets NetworkManager resolver, but Dnsmasq doesn't? | 17:01:52 |
| K900 | Because dnsmasq is weird and NM runs its own | 17:04:27 |
| 24 Dec 2025 |
| woobilicious | Thinking I might use unbound since it's easier to configure, and then setup a service that periodically pulls adblock lists and adds them as a blacklist, dnscrypt seems like the technical better solution since it's udp based, but DoT seems more wildly supported | 04:59:23 |
| emily | dnscrypt-proxy2 can itself do blocking IIRC | 05:07:48 |
| magic_rb | I dont want blocking as a feature. I have ublock everywhere and dont run much proprietary software | 08:36:49 |
 Pratham Patel | At the moment, I have a very simple firewall rule for my router to ensure traffic between private and guest networks don't ever interfere. The configuration for that is here. Additionally, I have a helper function of sorts to create wireguard interfaces. Given I'm very new to firewall rules and routing, I'm not sure how to ensure that all traffic from the private network is routed via the wireguard interface but the guest network's traffic exits without ever touching the wireguard interface. Let's call it wg0 on the router.
I believe that this setup will require the following additional rules to the forward chain in the router-fw table:
iifname "isolated" oifname "wg0" drop
iifname "wg0" oifname "isolated" drop
iifname "trusted" oifname "wg0" accept
iifname "wg0" oifname "trusted" accept
iifname "wg0" oifname "wan" accept
iifname "wan" oifname "wg0" accept
And also require a new output chain in the router-fw table:
chain output {
type filter hook output priority filter; policy accept;
accept
}
This is what I have come up with so far. Is there anything else that I'm missing, or doing wrong?
| 08:57:37 |
| Pratham Patel | * At the moment, I have a very simple firewall rule for my router to ensure traffic between private and guest networks don't ever interfere. The configuration for that is here. Additionally, I have a helper function of sorts to create wireguard interfaces. Given I'm very new to firewall rules and routing, I'm not sure how to ensure that all traffic from the private network is routed via the wireguard interface but the guest network's traffic exits without ever touching the wireguard interface. Let's call it wg0 on the router.
I believe that this setup will require the following additional rules to the forward chain in the router-fw table:
iifname "isolated" oifname "wg0" drop
iifname "wg0" oifname "isolated" drop
iifname "trusted" oifname "wg0" accept
iifname "wg0" oifname "trusted" accept
iifname "wg0" oifname "wan" accept
iifname "wan" oifname "wg0" accept
And also require a new output chain in the router-fw table:
chain output {
type filter hook output priority filter; policy accept;
accept
}
This is what I have come up with so far. Is there anything else that I'm missing, or doing wrong?
(edit: switched git reference from master to a specific commit)
| 09:02:24 |
| Pratham Patel | * At the moment, I have a very simple firewall rule for my router to ensure traffic between private and guest networks don't ever interfere. The configuration for that is here. Additionally, I have a helper function of sorts to create wireguard interfaces. Given I'm very new to firewall rules and routing, I'm not sure how to ensure that all traffic from the private network is routed via the wireguard interface but the guest network's traffic exits without ever touching the wireguard interface. Let's call it wg0 on the router.
I believe that this setup will require the following additional rules to the forward chain in the router-fw table:
iifname "isolated" oifname "wg0" drop
iifname "wg0" oifname "isolated" drop
iifname "trusted" oifname "wg0" accept
iifname "wg0" oifname "trusted" accept
iifname "wg0" oifname "wan" accept
iifname "wan" oifname "wg0" accept
And also require a new output chain in the router-fw table:
chain output {
type filter hook output priority filter; policy accept;
accept
}
This is what I have come up with so far. Is there anything else that I'm missing, or doing wrong?
(edit: switched git reference from master to a specific commit)
| 09:02:49 |
| Pratham Patel | * At the moment, I have a very simple firewall rule for my router to ensure traffic between private and guest networks don't ever interfere. The configuration for that is here. Additionally, I have a helper function of sorts to create wireguard interfaces. Given I'm very new to firewall rules and routing, I'm not sure how to ensure that all traffic from the private network is routed via the wireguard interface but the guest network's traffic exits without ever touching the wireguard interface. Let's call it wg0 on the router.
I believe that this setup will require the following additional rules to the forward chain in the router-fw table:
iifname "isolated" oifname "wg0" drop
iifname "wg0" oifname "isolated" drop
iifname "trusted" oifname "wg0" accept
iifname "wg0" oifname "trusted" accept
iifname "wg0" oifname "wan" accept
iifname "wan" oifname "wg0" accept
And also require a new output chain in the router-fw table:
chain output {
type filter hook output priority filter; policy accept;
accept
}
This is what I have come up with so far. Is there anything else that I'm missing, or doing wrong?
(edit: switched git reference from master to a specific commit)
| 09:04:06 |
