From fe8f9161d9e50c4459d85d9e305a3b2a4b28a162 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Mon, 12 Aug 2024 11:46:07 +0200
Subject: [PATCH 1/2] exit: drop redundant and now misleading comment

---
 roles/exit/templates/frr.conf.j2 | 1 -
 1 file changed, 1 deletion(-)

diff --git a/roles/exit/templates/frr.conf.j2 b/roles/exit/templates/frr.conf.j2
index a9a5e62..8d14742 100644
--- a/roles/exit/templates/frr.conf.j2
+++ b/roles/exit/templates/frr.conf.j2
@@ -188,7 +188,6 @@ router bgp {{ asn.asn }} vrf inside
 {% for vrf in vrfs.values() | selectattr('name', 'in', inside_vrfs) %}
-# VRF for L2 network {{ vrf.name }}. Imports gateway from inside VRF.
 router bgp {{ asn.asn }} vrf {{ vrf.name }}
  bgp bestpath as-path multipath-relax

From 7b5980f871da4d946cda3ed8933c8d9ec47a229c Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Tue, 13 Aug 2024 19:02:03 +0200
Subject: [PATCH 2/2] exit: add routes for internal IPv4 addresses to outside VRF
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Routed through and mostly dropped by the firewall, of course. So we don’t necessarily have to do NAT for everything that comes from the old / USI network.
---
 roles/exit/templates/frr.conf.j2 | 2 ++
 roles/firewall/templates/frr.conf.j2 | 5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/roles/exit/templates/frr.conf.j2 b/roles/exit/templates/frr.conf.j2
index 8d14742..afa04ea 100644
--- a/roles/exit/templates/frr.conf.j2
+++ b/roles/exit/templates/frr.conf.j2
@@ -358,6 +358,8 @@ route-map firewall->outside permit 1
  match ip address prefix-list fabric
 route-map firewall->outside permit 2
  match ipv6 address prefix-list fabric
+route-map firewall->outside permit 20
+ match ip address prefix-list office
 route-map firewall->outside permit 21
  match ipv6 address prefix-list office
 route-map firewall->outside permit 30
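Review bot: The new `route-map firewall->outside permit 20` entry makes the IPv4 `office` prefixes routable from the outside VRF, and the only thing that then keeps them from being reachable from outside is the firewall's drop policy, which this patch does not touch; nothing at the route-map records that dependency. A short comment above the new entry would help whoever next edits either side, e.g. `# IPv4 office prefixes are advertised to outside on purpose: the firewall, not this route-map, decides what is actually let in.` If the outside VRF also peers with external neighbours, it is worth confirming (not visible in this hunk) that the outbound policy on those sessions still filters these prefixes. The `firewall->outside` route-map continues past the hunk.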
diff --git a/roles/firewall/templates/frr.conf.j2 b/roles/firewall/templates/frr.conf.j2
index 4172131..9d3ba08 100644
--- a/roles/firewall/templates/frr.conf.j2
+++ b/roles/firewall/templates/frr.conf.j2
@@ -136,10 +136,11 @@ route-map outside->default permit 10
 route-map outside->default permit 11
  match ipv6 address prefix-list default
-# Send IPv6 office addresses and IPv4 NAT addresses to outside peers
-# so inbound packets go through the firewall.
+# Send inside and NAT addresses to outside peers so inbound packets go through the firewall.
 route-map default->outside permit 1
  match interface lo
+route-map default->outside permit 10
+ match ip address prefix-list office
 route-map default->outside permit 11
  match ipv6 address prefix-list office
 route-map default->outside permit 20
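Review bot: The rewritten comment says "inside and NAT addresses", but the entries it introduces match `prefix-list office` (IPv4 at permit 10, IPv6 at permit 11), so the comment now names a set that the route-map itself never references. Keeping the prefix-list names in the comment avoids that drift: `# Send office (IPv4 and IPv6) and NAT addresses to outside peers so inbound packets go through the firewall.` The `default->outside` route-map continues past the hunk, and the entry carrying the NAT addresses is presumably permit 20 or later, so it is worth checking that the comment still describes the whole map after this change.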