From 661ad14948415f5f552b2c9fe33ae6422858e9bf Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Fri, 24 Apr 2026 10:17:06 +0100
Subject: [PATCH] router: trust the legacy eero subnet on eno1 during phase 1

Without this, the default-drop input policy blocked SSH and AdGuard DNS from existing 192.168.4.x clients because they arrive on eno1 (still acting as a client on the eero network until phase 2 cutover). The trustedLegacyCidrs list is meant to be emptied in phase 2 when eno1 becomes the ISP-facing WAN.

Co-Authored-By: Claude Opus 4.7
---
 services/router.nix | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/services/router.nix b/services/router.nix
index bbf88e8..344ad9e 100644
--- a/services/router.nix
+++ b/services/router.nix
@@ -17,6 +17,17 @@ let
 portsData = builtins.fromTOML (builtins.readFile ../ports.toml);
 destDefault = portsData.dest_default;
+ # Phase 1 transition: the mediaserver is still a DHCP client on the eero's
+ # network (192.168.4.0/22), and existing clients reach it via eno1. Trust
+ # those subnets as input sources so SSH + AdGuard DNS keep working.
+ # After cutover to eero bridge mode (phase 2), set this to [] — eno1
+ # becomes strictly WAN-only.
+ trustedLegacyCidrs = [ "192.168.4.0/22" ];
+
+ legacyTrustRules = lib.concatMapStringsSep "\n "
+ (cidr: ''iifname "eno1" ip saddr ${cidr} accept'')
+ trustedLegacyCidrs;
+
 # Expand "both" into [tcp, udp]; normalise port vs ports; default dest.
 expandForward = entry:
 let
@@ -95,6 +106,9 @@ in
 iifname "lo" accept
 # LAN is trusted
 iifname "eth0" accept
+ # Phase 1: also trust the existing eero subnet on eno1 so SSH
+ # and AdGuard DNS keep working during the transition.
+ ${legacyTrustRules}
 # ICMP from anywhere (ping, path-MTU)
 icmp type echo-request accept
 icmpv6 type echo-request accept
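Review bot: The generated rule in `legacyTrustRules` is `iifname "eno1" ip saddr ${cidr} accept`, which opens every protocol and port on the host to the whole 192.168.4.0/22 range, while the commit message and comment only justify SSH and AdGuard DNS; a source-address match on an interface that the commit itself says will become WAN in phase 2 is also the kind of rule that gets forgotten, after which any packet with a spoofed 192.168.4.x source arriving from the ISP side is accepted. Scoping the accept to the two services that need it keeps the same phase-1 behaviour and bounds the blast radius if the list is not emptied on time, e.g. `(cidr: ''iifname "eno1" ip saddr ${cidr} tcp dport { 22, 53 } accept` followed by `iifname "eno1" ip saddr ${cidr} udp dport 53 accept'')` (substitute the ports ports.toml / AdGuard actually bind if they differ from 22 and 53). The same concern applies to the consuming hunk at `@@ -95,6 +106,9 @@`, where `${legacyTrustRules}` is placed before the remaining input rules; a comment there such as `# TODO(phase 2): trustedLegacyCidrs must be [] before eno1 carries the ISP uplink` would make the cutover dependency visible at the point of use. Both the `let` block and the nftables ruleset string continue outside the hunks.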