exit: add routes for internal IPv4 addresses to outside VRF

Routed through and mostly dropped by the firewall, of course. So we
don’t necessarily have to do NAT for everything that comes from the
old / USI network.

roles/exit/templates/frr.conf.j2

@@ -188,7 +188,6 @@ router bgp {{ asn.asn }} vrf inside
 
 
 {% for vrf in vrfs.values() | selectattr('name', 'in', inside_vrfs) %}
-# VRF for L2 network {{ vrf.name }}. Imports gateway from inside VRF.
 router bgp {{ asn.asn }} vrf {{ vrf.name }}
   bgp bestpath as-path multipath-relax
 
@@ -359,6 +358,8 @@ route-map firewall->outside permit 1
   match ip address prefix-list fabric
 route-map firewall->outside permit 2
   match ipv6 address prefix-list fabric
+route-map firewall->outside permit 20
+  match ip address prefix-list office
 route-map firewall->outside permit 21
   match ipv6 address prefix-list office
 route-map firewall->outside permit 30

roles/firewall/templates/frr.conf.j2

@@ -136,10 +136,11 @@ route-map outside->default permit 10
 route-map outside->default permit 11
   match ipv6 address prefix-list default
 
-# Send IPv6 office addresses and IPv4 NAT addresses to outside peers
+# Send inside and NAT addresses to outside peers so inbound packets go through the firewall.
-# so inbound packets go through the firewall.
 route-map default->outside permit 1
   match interface lo
+route-map default->outside permit 10
+  match ip address prefix-list office
 route-map default->outside permit 11
   match ipv6 address prefix-list office
 route-map default->outside permit 20