Commit graph

17 commits

Author SHA1 Message Date
Timotej Lazar 5a9f0ac26a exit: strip own AS prefix from routes received by firewalls
For some reason routes with own ASN are not imported into default VRF.
Maybe also others. These routes forward packets through the firewalls.
As long as both exits are up this is not a problem, because routes
going to peer exit don’t include this exit’s own ASN.

If the peer goes down, all remaining routes sent by firewalls have our
own ASN and are not imported into default VRF, so L3 servers lose
connectivity to internal networks.

If the exit strips own ASN from received routes, importing works OK.
We strip both our and peer’s ASNs to keep path lengths the same.

This has involved an indecent amount of poking knobs and knobbing
pokes and it might cause other issues elsewhere.
2024-09-21 16:32:28 +02:00
Timotej Lazar ef1b00adce firewall: update backup route maps
To match the prefixes that are sent by firewalls.
2024-09-21 16:31:44 +02:00
Timotej Lazar 6322d5ec97 exit: add routes for VPN IPv4 addresses to outside and default VRFs
Like commit 7b5980f but for VPN addresses. Also renumber some route
maps to improve consistency.
2024-09-16 17:20:43 +02:00
Timotej Lazar 6c8309f1c9 exit: leak non-NATted inside routes into default VRF
So we don’t have to NAT inside our own network. We still firewall.
2024-09-03 17:15:48 +02:00
Timotej Lazar 103ecae2e7 exit: leak outside routes into default VRF
So L3 servers can access L2 servers.
2024-09-01 12:19:13 +02:00
Timotej Lazar 7b5980f871 exit: add routes for internal IPv4 addresses to outside VRF
Routed through and mostly dropped by the firewall, of course. So we
don’t necessarily have to do NAT for everything that comes from the
old / USI network.
2024-08-13 19:02:03 +02:00
Timotej Lazar fe8f9161d9 exit: drop redundant and now misleading comment 2024-08-12 11:46:42 +02:00
Timotej Lazar 9a56e48141 exit: allow multiple VLANs per VRF
Turns out that while Cumulus supports “up to” 255 VRFs, no switch it
runs on supports more than 64. So we have to turn down paranoia and
put internal networks for each tenant in the same VRF.

This commit just ensures VRF definitions are not duplicated on exits.
2024-08-04 14:12:26 +02:00
Timotej Lazar 82b10e8133 exit: support custom VRF imports
Ten minutes to set up and ten hours to convince Ansible to not be
quite so retarded. The list2dict filter seems to be the (or another)
missing piece. Now let’s rewrite everything else using it. Or not.
2024-07-15 14:22:42 +02:00
Timotej Lazar bb41d406f8 exit, firewall: don’t hardcode prefix length 2024-07-10 16:57:08 +02:00
Timotej Lazar 457ab7d3b7 Query prefixes once for all hosts
And group them into vrf_prefixes for VLAN networks and bgp_prefixes for
servers plugged directly into fabric.

This should reduce the number of queries to NetBox when configuring
firewalls and exit switches. Not sure but I think set_fact helps to
avoid queries (as opposed to setting group_vars).
2024-04-28 12:14:05 +02:00
Timotej Lazar db397cb2b1 exit: store VLAN interface addresses in NetBox
… instead of generating them from prefixes. A NetBox script can be
used to create and configure all necessary data for a new VLAN.

Instead of VLAN roles “inside” and “outside” we now create separate
VRFs for inside VLANs to match the actual exit/firewall configuration.
The “outside” VRF is for all VLANs that are directly accessible from
the internet.
2024-04-10 14:03:50 +02:00
Timotej Lazar ece3b8a377 exit: sort prefixes by family values
Because I made some seemingly unrelated changes in NetBox and they all
got flipped-turned upside down.
2024-04-09 10:47:51 +02:00
Timotej Lazar 65c16dbc63 Drop BGP update-delay option
Dropped from Cumulus manual and advised by seniors.
2024-02-27 13:35:29 +01:00
Timotej Lazar aeb124e346 Add inside and outside roles for VLANs
Will probably rename inside/outside and office/server to int/ext.
2024-01-30 12:35:33 +01:00
Timotej Lazar 2b275c2ab4 exit: receive VPN IPv6 addresses from firewalls
And share them with peer over backup link.
2023-12-18 12:55:50 +01:00
Timotej Lazar 158e8740b8 Initial commit, squashed 2023-12-18 12:55:47 +01:00