authorAlejandro Soto <alejandro@34project.org>2025-04-06 13:07:23 -0600
committerAlejandro Soto <alejandro@34project.org>2025-04-06 13:30:19 -0600
commit2585c96ff9b7945cab054e38fbbcaf760e3be38c (patch)
tree69cf12a3a2065dc1c8c506e9a59565772741d7ce /sys/nspawn/dmz.nix
parent8898f7399fe3715881cbc84e19a4ca0bbbf10839 (diff)
sys/platform/[lustrated]: prevent default global IPv6 traffic from going through VPN routes
Diffstat (limited to '')
-rw-r--r--sys/nspawn/dmz.nix26
1 files changed, 21 insertions, 5 deletions
diff --git a/sys/nspawn/dmz.nix b/sys/nspawn/dmz.nix
index 52b588c..fb3acea 100644
--- a/sys/nspawn/dmz.nix
+++ b/sys/nspawn/dmz.nix
@@ -164,22 +164,38 @@ in
Driver = "veth";
};
+ addresses = [
+ {
+ Address = dmzNet.hosts.gateway.v6.cidr;
+ AddPrefixRoute = "no";
+ PreferredLifetime = 0;
+ }
+ ];
+
networkConfig = {
- Address = [ dmzNet.hosts.gateway.v6.cidr ];
- LinkLocalAddressing = "yes";
+ LinkLocalAddressing = "ipv6";
DHCPServer = "no";
IPMasquerade = "no";
- LLDP = "yes";
- EmitLLDP = "customer-bridge";
+ LLDP = "no";
+ EmitLLDP = "no";
IPv6SendRA = "yes";
+ IPv6AcceptRA = "no";
};
ipv6Prefixes = [
{
- Assign = "yes";
+ Assign = "no";
Prefix = dmzNet.v6.cidr;
}
];
+
+ routes = [
+ {
+ Destination = dmzNet.v6.cidr;
+ # Sin esto, siempre se escogerá una ULA como source address debido a "PreferredLifetime = 0" en la GUA
+ PreferredSource = dmzNet.hosts.gateway.v6.address;
+ }
+ ];
};
services = {
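Review bot: `PreferredLifetime = 0` in the new `addresses` entry is the line the whole change depends on, yet it has no comment, and the only explanation sits further down, in Spanish, next to `PreferredSource`. I would add above it `# Deprecated on purpose: keeps this GUA from being chosen as the default source address; routes that need it set PreferredSource` and translate the routes comment to `# Without this a ULA is always chosen as source address, because the GUA has PreferredLifetime = 0`. A deprecated address is only de-preferred by source-address selection, so a process that binds to it explicitly still sends from it. If keeping global IPv6 traffic off the VPN routes is meant as a guarantee rather than a default, it presumably needs a routing-policy or firewall rule, and none is visible in this hunk. The surrounding attribute set starts before the hunk and continues after it.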