rc/network
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: rc:9a56e481412fb20ceb3af86a11e66759c009674e
Branches Tags
rc:master
..
compare: rc:7b5980f871da4d946cda3ed8933c8d9ec47a229c
Branches Tags
rc:master

2 commits
9a56e48141 ... 7b5980f871

Author SHA1 Message Date
Timotej Lazar
7b5980f871 exit: add routes for internal IPv4 addresses to outside VRF 
Routed through and mostly dropped by the firewall, of course. So we
don’t necessarily have to do NAT for everything that comes from the
old / USI network.
 2024-08-13 19:02:03 +02:00
Timotej Lazar
fe8f9161d9 exit: drop redundant and now misleading comment 2024-08-12 11:46:42 +02:00
2 changed files with 5 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

3
roles/exit/templates/frr.conf.j2
View file

@ -188,7 +188,6 @@ router bgp {{ asn.asn }} vrf inside
{% for vrf in vrfs.values() | selectattr('name', 'in', inside_vrfs) %}
# VRF for L2 network {{ vrf.name }}. Imports gateway from inside VRF.
router bgp {{ asn.asn }} vrf {{ vrf.name }}
bgp bestpath as-path multipath-relax
@ -359,6 +358,8 @@ route-map firewall->outside permit 1
match ip address prefix-list fabric
route-map firewall->outside permit 2
match ipv6 address prefix-list fabric
route-map firewall->outside permit 20
match ip address prefix-list office
route-map firewall->outside permit 21
match ipv6 address prefix-list office
route-map firewall->outside permit 30

5
roles/firewall/templates/frr.conf.j2
View file

@ -136,10 +136,11 @@ route-map outside->default permit 10
route-map outside->default permit 11
match ipv6 address prefix-list default
# Send IPv6 office addresses and IPv4 NAT addresses to outside peers
# so inbound packets go through the firewall.
# Send inside and NAT addresses to outside peers so inbound packets go through the firewall.
route-map default->outside permit 1
match interface lo
route-map default->outside permit 10
match ip address prefix-list office
route-map default->outside permit 11
match ipv6 address prefix-list office
route-map default->outside permit 20