Network Topology

Each AtomicNix device has two Ethernet interfaces forming a security boundary between the internet and an isolated LAN.

Interface Roles

flowchart LR
    WAN["WAN<br/>internet"] --> ETH0["eth0<br/>DHCP client<br/>Deny-by-default inbound"]
    LAN["LAN<br/>isolated devices"] --> ETH1["eth1<br/>Provisioned static IP<br/>DHCP/DNS: dnsmasq<br/>NTP: chrony"]

    subgraph DEVICE["AtomicNix device"]
        direction TB
        ETH0
        CORE["No IP forwarding<br/>FORWARD chain: DROP all"]
        ETH1
        APPS["Provisioned application containers<br/>No packet forwarding"]
    end

    ETH0 -. provisioned inbound ports .-> APPS
    APPS -. local service access .-> ETH1

WAN Interface (eth0)

  • Mapped to the onboard RK3328 GMAC via systemd .link file (platform path platform-ff540000.ethernet)
  • DHCP v4 client via systemd-networkd
  • Uses DHCP-provided DNS servers
  • Firewall drops new inbound traffic by default
  • Provisioned firewall state may open application or VPN ports from /data/config/firewall-inbound.json

LAN Interface (eth1)

  • USB Ethernet adapter (any supported chipset: r8152, ax88179, cdc_ether)
  • Static IP: provisioned LAN gateway, falling back to 172.20.30.1/24
  • Runs dnsmasq DHCP server from the provisioned range, with fallback 172.20.30.10 to 172.20.30.254
  • Runs chrony NTP server for the provisioned LAN subnet, with fallback 172.20.30.0/24
  • Runs gateway-local DNS only: dnsmasq serves local names on 53 and does not forward upstream

Isolation Model

IP forwarding is explicitly disabled at the kernel level:

boot.kernel.sysctl = {
  "net.ipv4.ip_forward" = 0;
  "net.ipv6.conf.all.forwarding" = 0;
};

The nftables FORWARD chain has a drop policy with no exceptions. LAN devices get DHCP, DNS, NTP, SSH, and first-boot bootstrap access on eth1, but no packet-level internet routing. WAN application or VPN exposure is created only from provisioned firewall state.
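An added audit check written for this page (not AtomicNix code) that verifies the isolation model from the two inputs an operator can collect on the device: the forwarding sysctls and the ruleset as printed by `nft -j list ruleset`. The sample inputs are constructed, and the JSON key layout (`chain`/`rule` objects, `hook`, `policy`, verdict expressions such as `{"accept": null}`) is assumed from the nftables JSON output format.

```python
import json

# Constructed sample in the JSON layout of `nft -j list ruleset`
# (not captured from a real AtomicNix device).
SAMPLE_RULESET = json.loads("""
{"nftables": [
  {"table": {"family": "inet", "name": "filter", "handle": 1}},
  {"chain": {"family": "inet", "table": "filter", "name": "input", "handle": 1,
             "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
  {"chain": {"family": "inet", "table": "filter", "name": "forward", "handle": 2,
             "type": "filter", "hook": "forward", "prio": 0, "policy": "drop"}},
  {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 3,
            "expr": [{"match": {"op": "==", "left": {"meta": {"key": "iifname"}},
                                "right": "eth1"}}, {"accept": null}]}}
]}
""")

# Constructed values as `sysctl -n <key>` prints them.
SAMPLE_SYSCTL = {"net.ipv4.ip_forward": "0", "net.ipv6.conf.all.forwarding": "0"}


def audit_isolation(sysctl, ruleset):
    """Return findings (empty list = isolation model holds).

    Checks: both forwarding sysctls are 0, a base chain is hooked on forward,
    every such chain has policy drop, and none of its rules carry an accept
    verdict. Jump/goto targets are not followed, so this is a necessary check,
    not a proof.
    """
    findings = []
    for key in ("net.ipv4.ip_forward", "net.ipv6.conf.all.forwarding"):
        if sysctl.get(key) != "0":
            findings.append(f"{key} is {sysctl.get(key)!r}, expected '0'")
    objs = ruleset.get("nftables", [])
    fwd = [o["chain"] for o in objs
           if "chain" in o and o["chain"].get("hook") == "forward"]
    if not fwd:
        findings.append("no base chain hooked on forward; nftables drops no forwarded packets")
    for ch in fwd:
        ident = (ch["family"], ch["table"], ch["name"])
        if ch.get("policy") != "drop":
            findings.append(f"forward chain {ident} policy is {ch.get('policy')!r}, expected 'drop'")
        for o in objs:
            r = o.get("rule")
            if r and (r["family"], r["table"], r["chain"]) == ident:
                if any("accept" in e for e in r.get("expr", [])):
                    findings.append(f"rule handle {r['handle']} in {ident} accepts forwarded traffic")
    return findings
```

Run it on a device by feeding `json.loads(subprocess.check_output(["nft", "-j", "list", "ruleset"]))` and the two `sysctl -n` values; an accept rule in the input chain (as in the sample) is correctly left alone, since only the forward hook governs LAN-to-WAN routing.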

NIC Naming

Deterministic interface naming uses systemd .link files rather than udev rules:

| Link File      | Match                                            | Name                                       |
|----------------|--------------------------------------------------|--------------------------------------------|
| 10-onboard-eth | Platform path platform-ff540000.ethernet         | eth0                                       |
| 20-usb-eth     | USB Ethernet drivers (r8152, ax88179, cdc_ether) | enabled as modules in Rock64 kernel config |
| WiFi           | Unsupported until hardware selection             | not part of current Rock64 image           |

The onboard Ethernet is always eth0 regardless of USB device enumeration order. USB Ethernet adapters receive kernel-assigned names (e.g., eth1, eth2).

Firewall Summary

| Interface  | Direction | Allowed Ports                                         |
|------------|-----------|-------------------------------------------------------|
| eth0 (WAN) | Inbound   | provisioned firewall ports only                       |
| eth0 (WAN) | Inbound   | TCP 22 (SSH) – only with flag file                    |
| eth1 (LAN) | Inbound   | UDP 53, UDP 67-68, UDP 123, TCP 22, TCP 53, TCP 8080  |
| tun0 (VPN) | Inbound   | TCP 22 (SSH)                                          |
| any        | Forward   | DROP (no exceptions)                                  |

Provisioned WAN ports come from /data/config/firewall-inbound.json. SSH on WAN is controlled by the presence of /data/config/ssh-wan-enabled. See the Firewall module for implementation details.