router(host): configure public (v4) network

resources/chaosknoten/router/nftables/nftables.conf

@@ -7,14 +7,19 @@ define if_net1_v4_wan = "net1"
 define if_net2_v6_wan = "net2"
 define if_net0_2_v4_nat = "net0.2"
 define if_net0_3_ci_runner = "net0.3"
+define if_net0_5_public = "net0.5"
 
 # Interface Groups
 define wan_ifs = { $if_net1_v4_wan,
                    $if_net2_v6_wan }
 define lan_ifs = { $if_net0_2_v4_nat,
-                   $if_net0_3_ci_runner }
-# define v4_exposed_ifs = { }
-define v6_exposed_ifs = { $if_net0_2_v4_nat }
+                   $if_net0_3_ci_runner,
+                   $if_net0_5_public }
+define v4_exposed_ifs = { $if_net0_5_public }
+define v6_exposed_ifs = { $if_net0_2_v4_nat,
+                          $if_net0_5_public }
+define v4_nat_ifs = { $if_net0_2_v4_nat,
+                      $if_net0_3_ci_runner }
 
 
 ## Rules
@@ -73,7 +78,7 @@ table ip v4nat {
     chain postrouting {
         type nat hook postrouting priority srcnat; policy accept;
 
-        oifname $if_net1_v4_wan masquerade
+        iifname $v4_nat_ifs oifname $if_net1_v4_wan masquerade
     }
 }
 
@@ -89,7 +94,7 @@ table inet forward {
 		meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access"
 
         # Allow access to exposed networks from internet.
-        # meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
+        meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
         meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
     }
 }

resources/chaosknoten/router/systemd_networkd/10-net0.5-public.netdev

@@ -0,0 +1,6 @@
+[NetDev]
+Name=net0.5
+Kind=vlan
+
+[VLAN]
+Id=5

resources/chaosknoten/router/systemd_networkd/20-net0.network

@@ -7,6 +7,6 @@ RequiredForOnline=no
 [Network]
 VLAN=net0.2
 VLAN=net0.3
+VLAN=net0.5
 
 LinkLocalAddressing=no
-

resources/chaosknoten/router/systemd_networkd/21-net0.5-public.network

@@ -0,0 +1,23 @@
+[Match]
+Name=net0.5
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=public
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=212.12.50.209/29
+
+[IPv6SendRA]
+UplinkInterface=net2
+
+[IPv6Prefix]
+Prefix=2a00:14b0:42:105::/64
+Assign=true
+Token=static:::1