From 70c909e1342621dfb9594bd2dd7e0e3c5f4601ff Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Mon, 16 Sep 2024 17:19:25 +0200
Subject: [PATCH] exit: add routes for VPN IPv4 addresses to outside and default VRFs

Like commit 7b5980f but for VPN addresses.
---
 roles/exit/templates/frr.conf.j2 | 12 ++++++++----
 roles/firewall/templates/frr.conf.j2 | 12 +++++++-----
 2 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/roles/exit/templates/frr.conf.j2 b/roles/exit/templates/frr.conf.j2
index 24444e5..e9107a3 100644
--- a/roles/exit/templates/frr.conf.j2
+++ b/roles/exit/templates/frr.conf.j2
@@ -295,11 +295,13 @@ route-map default-import permit 21
  match ipv6 address prefix-list office
 route-map default-import permit 30
  match ip address prefix-list nat
-route-map default-import permit 31
- match ipv6 address prefix-list vpn
 route-map default-import permit 40
- match ip address prefix-list outside
+ match ip address prefix-list vpn
 route-map default-import permit 41
+ match ipv6 address prefix-list vpn
+route-map default-import permit 50
+ match ip address prefix-list outside
+route-map default-import permit 51
  match ipv6 address prefix-list outside
 
 route-map outside-import permit 10
@@ -380,7 +382,9 @@ route-map firewall->outside permit 21
  match ipv6 address prefix-list office
 route-map firewall->outside permit 30
  match ip address prefix-list nat
-route-map firewall->outside permit 31
+route-map firewall->outside permit 40
+ match ip address prefix-list vpn
+route-map firewall->outside permit 41
  match ipv6 address prefix-list vpn
 
 # Tag routes from each firewall. Set weight for primary to 200 and secondary to 100.
diff --git a/roles/firewall/templates/frr.conf.j2 b/roles/firewall/templates/frr.conf.j2
index 9d3ba08..81ae5f3 100644
--- a/roles/firewall/templates/frr.conf.j2
+++ b/roles/firewall/templates/frr.conf.j2
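Review bot: The new `match ip address prefix-list vpn` entries (default-import permit 40 and firewall->outside permit 40 in this file, and default->outside permit 40 in the firewall template below) depend on an IPv4 `ip prefix-list vpn` being defined somewhere in these templates, and nothing in the diff shows it; the existing lines only evidence the IPv6 `ipv6 prefix-list vpn`. As far as I know FRR treats a match against a prefix-list that does not exist as a non-match, so if the IPv4 list is missing these VPN routes would fall through to the implicit deny at the end of each route-map and silently never be imported or advertised, which is worth confirming with the definition before merging (the referenced commit 7b5980f presumably covers this for the other prefixes, but that is outside the diff). The renumbering also introduces a convention that is now shared across both templates and would be easier to keep in sync with a one-line comment above the first route-map, e.g. `# Order: office, nat, vpn, outside; each pair is IPv4 at N and IPv6 at N+1.`.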
@@ -139,11 +139,13 @@ route-map outside->default permit 11
 # Send inside and NAT addresses to outside peers so inbound packets go through the firewall.
 route-map default->outside permit 1
  match interface lo
-route-map default->outside permit 10
- match ip address prefix-list office
-route-map default->outside permit 11
- match ipv6 address prefix-list office
 route-map default->outside permit 20
+ match ip address prefix-list office
+route-map default->outside permit 21
+ match ipv6 address prefix-list office
+route-map default->outside permit 30
  match ip address prefix-list nat
-route-map default->outside permit 31
+route-map default->outside permit 40
+ match ip address prefix-list vpn
+route-map default->outside permit 41
  match ipv6 address prefix-list vpn
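Review bot: The context comment at the top of this hunk, `# Send inside and NAT addresses to outside peers so inbound packets go through the firewall.`, no longer describes the map once permit 40/41 match the `vpn` prefix-lists, so a reader checking which address ranges are deliberately exposed to outside peers will be misled. Suggest changing it to `# Send inside, NAT and VPN addresses to outside peers so inbound packets go through the firewall.` so the comment and the sequence list agree. The office entries are moved from 10/11 to 20/21 without a behavioural change beyond ordering; a short note in the commit message or comment that this aligns the numbering with the exit template would explain the otherwise unexplained churn. Whether further default->outside entries follow after permit 41 is not visible in this hunk.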