From f9a60669f8be82d661828d5926734add30e57a99 Mon Sep 17 00:00:00 2001
From: Igor Rzegocki
Date: Fri, 28 Jun 2024 21:29:47 +0200
Subject: [PATCH] feat(router): isolate subnets on firewall
---
 nix/machines/router/modules/firewall.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/nix/machines/router/modules/firewall.nix b/nix/machines/router/modules/firewall.nix
index fd130c2e0..9bba5d195 100644
--- a/nix/machines/router/modules/firewall.nix
+++ b/nix/machines/router/modules/firewall.nix
@@ -19,11 +19,12 @@
 type filter hook input priority filter; policy accept;
 }
 chain FORWARD {
- type filter hook forward priority filter; policy accept;
+ type filter hook forward priority filter; policy drop;
 ct state related,established accept
 iifname "mgmt0" oifname "wan0" accept
 iifname "trst0" oifname "wan0" accept
 iifname "untrst0" oifname "wan0" accept
+ ip daddr 10.99.0.0/16 iifname "trst0" accept
 }
 chain OUTPUT {
 type filter hook output priority filter; policy accept;
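Review bot: The new accept for 10.99.0.0/16 is the only rule in the FORWARD chain without an `oifname` match, so it accepts trst0 traffic to that prefix over whichever interface the route currently points at instead of pinning the exception to one interface like the surrounding rules; if that prefix lives behind a known interface, `ip daddr 10.99.0.0/16 iifname "trst0" oifname "<IFACE>" accept` makes the isolation intent explicit and survives routing changes. With the policy now drop there is no visibility into what the chain rejects; a final `counter log prefix "fwd-drop: "` rule before the closing brace would let blocked inter-subnet traffic be seen while the new policy settles. The chain also no longer lets mgmt0 reach trst0 or untrst0 (only the wan0 path is accepted), which is presumably what "isolate subnets" intends but deserves a one-line comment on the chain stating which forwarding paths are meant to be allowed. The enclosing table definition starts before and ends after the hunk.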