| 24 Dec 2025 |
 Pratham Patel | At the moment, I have a very simple firewall rule for my router to ensure traffic between private and guest networks don't ever interfere. The configuration for that is here. Additionally, I have a helper function of sorts to create wireguard interfaces. Given I'm very new to firewall rules and routing, I'm not sure how to ensure that all traffic from the private network is routed via the wireguard interface but the guest network's traffic exits without ever touching the wireguard interface. Let's call it wg0 on the router.
I believe that this setup will require the following additional rules to the forward chain in the router-fw table:
iifname "isolated" oifname "wg0" drop
iifname "wg0" oifname "isolated" drop
iifname "trusted" oifname "wg0" accept
iifname "wg0" oifname "trusted" accept
iifname "wg0" oifname "wan" accept
iifname "wan" oifname "wg0" accept
And also require a new output chain in the router-fw table:
chain output {
type filter hook output priority filter; policy accept;
accept
}
This is what I have come up with so far. Is there anything else that I'm missing, or doing wrong?
| 08:57:37 |
| Pratham Patel | * At the moment, I have a very simple firewall rule for my router to ensure traffic between private and guest networks don't ever interfere. The configuration for that is here. Additionally, I have a helper function of sorts to create wireguard interfaces. Given I'm very new to firewall rules and routing, I'm not sure how to ensure that all traffic from the private network is routed via the wireguard interface but the guest network's traffic exits without ever touching the wireguard interface. Let's call it wg0 on the router.
I believe that this setup will require the following additional rules to the forward chain in the router-fw table:
iifname "isolated" oifname "wg0" drop
iifname "wg0" oifname "isolated" drop
iifname "trusted" oifname "wg0" accept
iifname "wg0" oifname "trusted" accept
iifname "wg0" oifname "wan" accept
iifname "wan" oifname "wg0" accept
And also require a new output chain in the router-fw table:
chain output {
type filter hook output priority filter; policy accept;
accept
}
This is what I have come up with so far. Is there anything else that I'm missing, or doing wrong?
(edit: switched git reference from master to a specific commit)
| 09:02:24 |
| Pratham Patel | * At the moment, I have a very simple firewall rule for my router to ensure traffic between private and guest networks don't ever interfere. The configuration for that is here. Additionally, I have a helper function of sorts to create wireguard interfaces. Given I'm very new to firewall rules and routing, I'm not sure how to ensure that all traffic from the private network is routed via the wireguard interface but the guest network's traffic exits without ever touching the wireguard interface. Let's call it wg0 on the router.
I believe that this setup will require the following additional rules to the forward chain in the router-fw table:
iifname "isolated" oifname "wg0" drop
iifname "wg0" oifname "isolated" drop
iifname "trusted" oifname "wg0" accept
iifname "wg0" oifname "trusted" accept
iifname "wg0" oifname "wan" accept
iifname "wan" oifname "wg0" accept
And also require a new output chain in the router-fw table:
chain output {
type filter hook output priority filter; policy accept;
accept
}
This is what I have come up with so far. Is there anything else that I'm missing, or doing wrong?
(edit: switched git reference from master to a specific commit)
| 09:02:49 |
| Pratham Patel | * At the moment, I have a very simple firewall rule for my router to ensure traffic between private and guest networks don't ever interfere. The configuration for that is here. Additionally, I have a helper function of sorts to create wireguard interfaces. Given I'm very new to firewall rules and routing, I'm not sure how to ensure that all traffic from the private network is routed via the wireguard interface but the guest network's traffic exits without ever touching the wireguard interface. Let's call it wg0 on the router.
I believe that this setup will require the following additional rules to the forward chain in the router-fw table:
iifname "isolated" oifname "wg0" drop
iifname "wg0" oifname "isolated" drop
iifname "trusted" oifname "wg0" accept
iifname "wg0" oifname "trusted" accept
iifname "wg0" oifname "wan" accept
iifname "wan" oifname "wg0" accept
And also require a new output chain in the router-fw table:
chain output {
type filter hook output priority filter; policy accept;
accept
}
This is what I have come up with so far. Is there anything else that I'm missing, or doing wrong?
(edit: switched git reference from master to a specific commit)
| 09:04:06 |
|  pltrz joined the room. | 12:41:07 |
 Acid Bong | does systemd-resolved support secret configs? judging by man resolved.conf, it only accepts entries from systemd/resolved.conf[.d/*.conf] | 16:46:31 |
 Autiboy | You might be able to use agenix | 16:52:57 |
| Acid Bong | i already use sops-nix, how would it be different? | 16:54:13 |
| Autiboy | It shouldn't be that different | 16:56:29 |
| Acid Bong | but does resolved support configs from outside /etc/systemd? | 16:56:52 |
| Autiboy | I don't know. But if your trying to specify a secrets file in a unit you can use extraConfig | 16:59:05 |
 Marcel | Sops also supports installing secrets so any location. Not just /run/secrets | 16:59:36 |
| Acid Bong | ah, TIL | 17:00:36 |
| Marcel | * | 17:18:50 |
| Acid Bong | on a semi-related note, I want to use NextDNS without its client, which option of the listed ones (Resolved, Dnsmasq, Stubby, DNScrypt, Kresd, Cloudflared, Unbound) is the most convenient/fitting for a laptop-only setup? | 17:27:17 |
| Acid Bong | * on a semi-related note, I want to use NextDNS without its client, which option of the listed ones (Resolved, Dnsmasq, Stubby, DNScrypt, Kresd, Cloudflared, Unbound) is the most convenient/fitting for a laptop-only setup, with ot without considering NixOS? | 17:28:44 |
 K900 | resolved is definitely the least work | 17:33:35 |
| Acid Bong | and already integrates with NetworkManager | 17:34:25 |
| Acid Bong | (but so does Dnsmasq 🤔 ) | 17:34:40 |
| Acid Bong | ight, the resolved config works well, only one moment: why are some queries detected both from my laptop (DNS-over-TLS + custom ID) and from my router (plain IP)? | 20:34:50 |
| 25 Dec 2025 |
 Sandro 🐧 | And integrates well with split vpns like tailscale | 09:09:04 |
| 26 Dec 2025 |
|  dan_nrw changed their profile picture. | 09:48:52 |
|  isabel changed their profile picture. | 11:37:12 |
|  jasper @ 39c3 ☎️ 62749 changed their display name from jappie to jappie @ 39c3. | 15:49:41 |
|  aktaboot changed their profile picture. | 19:25:48 |
| 27 Dec 2025 |
|  rprice7443 joined the room. | 08:12:44 |
| jasper @ 39c3 ☎️ 62749 changed their display name from jappie @ 39c3 to jasper @ 39c3 ☎️ 62749. | 13:30:50 |
|  matthewcroughan @ 39c3 (DECT 94667 or 97340 or 67192) changed their display name from matthewcroughan to matthewcroughan @ 39c3 (DECT 94667 or 97340 or 67192). | 14:49:28 |
|  Nyte changed their display name from realnyte to Nyte. | 21:20:47 |
| 28 Dec 2025 |
|  Pistorius Amartacus joined the room. | 10:40:39 |
