From 880435bcaf4446474ce025a89d9639b68ab88d59 Mon Sep 17 00:00:00 2001
From: Tim Keller
Date: Fri, 27 Mar 2026 15:51:41 -0500
Subject: simplify and fix routing module
---
 nixos/services/router/routing.nix | 62 ++++++++++++---------------------------
 1 file changed, 19 insertions(+), 43 deletions(-)
diff --git a/nixos/services/router/routing.nix b/nixos/services/router/routing.nix
index c0c49e6..25d91dd 100644
--- a/nixos/services/router/routing.nix
+++ b/nixos/services/router/routing.nix
@@ -9,6 +9,7 @@ in {
 default = "";
 description = "wan interface";
 };
+ # TODO allow multiple lan
 lan = lib.mkOption {
 type = lib.types.str;
 default = "";
@@ -18,51 +19,26 @@ in {
 };
 config = lib.mkIf cfg.enable {
- networking.nftables = {
- enable = true;
- tables.filter = {
- family = "ip";
- # https://hackers-arise.com/linux-basics-for-hackers-building-a-router-with-nftables/
- content = ''
- chain input {
- type filter hook input priority 0; policy drop;
-
- # Allow established/related connections
- ct state established,related accept
-
- # Allow loopback
- iifname "lo" accept
-
- # Allow LAN to access router
- iifname ${cfg.interfaces.lan} accept
-
- # Allow ICMP from WAN (for ping)
- iifname ${cfg.interfaces.wan} icmp type echo-request accept
-
- # Drop invalid connections
- ct state invalid drop
- }
-
- chain forward {
- type filter hook forward priority 0; policy drop;
-
- # Allow established/related connections
- ct state established,related accept
-
- # Allow LAN to WAN
- iifname ${cfg.interfaces.lan} oifname ${cfg.interfaces.wan} accept
-
- # Drop invalid connections
- ct state invalid drop
- }
-
- chain output {
- type filter hook output priority 0; policy accept;
- }
+ # https://hackers-arise.com/linux-basics-for-hackers-building-a-router-with-nftables/
+ networking = {
+ nftables.enable = true;
+ firewall = {
+ enable = true;
+ backend = "nftables"; # Set explicitly
+
+ # Allow lan to access the router
+ trustedInterfaces = [ cfg.interfaces.lan ];
+
+ # Allow lan to access the internet
+ extraForwardRules = ''
+ iifname "${cfg.interfaces.lan}" oifname "${cfg.interfaces.wan}" accept
 '';
 };
+ nat = {
+ enable = true;
+ externalInterface = cfg.interfaces.wan;
+ internalInterfaces = [ cfg.interfaces.lan ];
+ };
 };
- networking.nat.enable = true;
- networking.firewall.enable = true;
 };
 }
-- cgit v1.2.3
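Review bot: The new `extraForwardRules` and `trustedInterfaces` interpolate `cfg.interfaces.lan` and `cfg.interfaces.wan`, which default to `""` (visible in the previous hunk), so leaving either option unset yields `iifname "" oifname "" accept` and `trustedInterfaces = [ "" ]` instead of a clear evaluation error; add `assertions = [ { assertion = cfg.interfaces.wan != "" && cfg.interfaces.lan != ""; message = "router: interfaces.wan and interfaces.lan must both be set"; } ];` inside the `config` block. It is also worth confirming whether the NixOS `networking.nat` module already emits a forward-accept rule from `internalInterfaces` to `externalInterface` when the nftables backend is in use; if it does, the hand-written `extraForwardRules` entry duplicates it and can be dropped with a comment noting where forwarding is permitted. The removed ruleset explicitly accepted ICMP echo-request from the WAN, whereas the new code relies on the firewall module's defaults for that, so a one-line comment such as `# ping from WAN is governed by networking.firewall.allowPing` would make the intent visible to the next maintainer.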