From a82edc3e24a3a0f24d5fd0ea95e253e2efaa8f07 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Mon, 1 Feb 2021 18:30:37 +0100
Subject: [PATCH] Firewall configuration without MASQUERADE
Signed-off-by: Yohann D'ANELLO
---
 roles/router/templates/firewall_config.py | 25 +++++++++++--------
 .../templates/firewall_config_aurore.py | 12 ++++++---
 2 files changed, 24 insertions(+), 13 deletions(-)
diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py
index 5ccd388..9971765 100644
--- a/roles/router/templates/firewall_config.py
+++ b/roles/router/templates/firewall_config.py
@@ -57,24 +57,29 @@ nat = [
 },
 'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16',
 'extra_nat' : {
- '10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{
+ 'ens19': {
+ '10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{
 apartment_block_id }}',
- '10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}'
+ '10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}',
+ },
 }
 },
 {
 'name': 'Accueil',
 'ip_sources': '10.{{ subnet_ids.users_accueil }}.0.0/16',
 'extra_nat': {
- '10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{
- apartment_block_id }}',
- '10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}'
+ 'ens19': {
+ '10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{ apartment_block_id }}',
+ '10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}',
+ },
+ 'ens23' : {
+ '10.{{ subnet_ids.users_accueil }}.1.0/24': '10.{{ subnet_ids.users_accueil }}.0.240',
+ '10.{{ subnet_ids.users_accueil }}.2.0/24': '10.{{ subnet_ids.users_accueil }}.0.240',
+ },
+ },
+ 'extra_nat_group': {
+ 'ens19': 'accueil_ens23_allowed',
 },
- 'extra_nat_group': 'accueil_ens23_allowed',
- 'masquerade': [
- '10.{{ subnet_ids.users_accueil }}.1.0/24',
- '10.{{ subnet_ids.users_accueil }}.2.0/24',
- ]
 },
 ]
diff --git a/roles/router/templates/firewall_config_aurore.py b/roles/router/templates/firewall_config_aurore.py
index c41fd92..af757a0 100644
--- a/roles/router/templates/firewall_config_aurore.py
+++ b/roles/router/templates/firewall_config_aurore.py
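Review bot: The new `extra_nat_group` entry keys the group `accueil_ens23_allowed` under `'ens19'`, while the mapping that actually translates the two Accueil /24s to `10.{{ subnet_ids.users_accueil }}.0.240` sits under `'ens23'` just above it; if that group is meant to restrict which sources may use the ens23 translation, the key presumably should be `'ens23'`, so this is worth confirming against the code that renders this dict. That renderer is not in the diffstat (only the two templates change), so the switch of `extra_nat` from a flat mapping to a per-interface dict and of `extra_nat_group` from a string to a dict silently relies on it already accepting the nested shape; the AdminVlans hunk in firewall_config_aurore.py has the same dependency. With the `masquerade` list removed, packets from those /24s that leave through any interface other than the ones listed are no longer translated at all, which matches the subject line but is the behaviour a reader of this file cannot see. A one-line comment above the first `'extra_nat'`, such as `# extra_nat: {egress interface: {source prefix: SNAT address}}`, would document the structure the two templates now share; also `'ens23' : {` carries a space before the colon that the other new keys do not.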
@@ -41,9 +41,15 @@ nat = [
 {
 'name' : 'AdminVlans',
 'extra_nat' : {
- '10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}',
- '10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
- '10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}'
+ 'ens18': {
+ '10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}',
+ },
+ 'ens19': {
+ '10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
+ },
+ 'ens20': {
+ '10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
+ },
 }
 }
 ]
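Review bot: Each of the three AdminVlans prefixes is now pinned to one egress interface (ens18, ens19, ens20) although all three translate to the same `45.66.111.{{ router_hard_ip_suffix }}`, and nothing in the hunk records why a given prefix belongs to a given interface. Without a MASQUERADE fallback, a prefix whose route later moves to another interface would leave the router untranslated rather than fail loudly, so the pairing deserves a short comment per key, e.g. `'ens18': {  # transit to the admin VLAN router`, with the actual reason filled in by the author.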