On the gateway
If 10.10.1.130 is the IP of a new VM and 10.10.0.2 is the primary node on which it resides, then on the firewall that NATs to the net all packets coming from 10.10.0.2, do the following:
ip r change 10.10.1.130 via 10.10.0.2 dev eth0 src 10.10.1.254
and restart shorewall.
On the node
The goal is to have 10.10.11.0/24 directly routed on eth0 instead of using the route propagated by OSPF (z2-5 -> openvpn.fsf -> rennes.tld etc ...).
The idea is to filter the kernel routes:
z2-7:/etc/quagga# vtysh -c "show ip route kernel"
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route
K>* 0.0.0.0/0 via 192.168.25.253, eth0
K * 10.10.0.254/32 is directly connected, br0
K>* 10.10.1.84/32 is directly connected, br0
K>* 10.10.10.0/24 is directly connected, eth0
K>* 10.10.11.0/24 is directly connected, eth0
We do not want to propagate the default route or the 10.10.10.0/24 and 10.10.11.0/24 networks, so we only allow:
- 10.10.1.0/24 => vm subnet
- 10.10.0.0/24 => hosts subnet
- 10.1.0.0/16 => vpn mesh subnet
In /etc/quagga/ospfd.conf, after the two "network" entries:
 distribute-list KERNELOUT out kernel
access-list KERNELOUT permit 10.10.1.0/24
access-list KERNELOUT permit 10.10.0.0/24
access-list KERNELOUT permit 10.1.0.0/16
Then restart quagga.
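To check what the distribute-list above will do before restarting quagga, here is an added example (not part of this page's procedure and not Quagga code) that replays the "show ip route kernel" output quoted above through the KERNELOUT access-list. It assumes Quagga's usual semantics: an "access-list NAME permit A.B.C.D/M" entry matches any prefix contained in that network (no "exact-match" keyword), the first matching entry wins, every access-list ends with an implicit deny, and only routes selected into the FIB (the ">" flag) are candidates for redistribution. The sample output and the function names are constructed for this example.

```python
"""Simulate `distribute-list KERNELOUT out kernel` against the kernel routes
listed on this page.  Added example; it does not talk to zebra or ospfd.
Assumed semantics (Quagga defaults): a permit entry matches any prefix inside
its network, first match wins, implicit deny at the end, and only FIB-selected
routes (the '>' flag) are redistributed at all.
"""
import ipaddress
import re

# Constructed sample input: the `vtysh -c "show ip route kernel"` output quoted above.
SHOW_IP_ROUTE_KERNEL = """\
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route
K>* 0.0.0.0/0 via 192.168.25.253, eth0
K * 10.10.0.254/32 is directly connected, br0
K>* 10.10.1.84/32 is directly connected, br0
K>* 10.10.10.0/24 is directly connected, eth0
K>* 10.10.11.0/24 is directly connected, eth0
"""

# The access-list from ospfd.conf, in configuration order.
ACCESS_LIST_KERNELOUT = [
    ("permit", "10.10.1.0/24"),  # vm subnet
    ("permit", "10.10.0.0/24"),  # hosts subnet
    ("permit", "10.1.0.0/16"),   # vpn mesh subnet
]

# A kernel route line: "K", the selected/FIB flag characters, then the prefix.
KERNEL_ROUTE_RE = re.compile(r"^K(?P<flags>[> *]+)(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)")


def parse_kernel_routes(text):
    """Return (prefix, selected) for every 'K' line; '>' marks the selected route."""
    routes = []
    for line in text.splitlines():
        m = KERNEL_ROUTE_RE.match(line)
        if m is None:
            continue  # the "Codes:" legend and anything that is not a kernel route
        selected = ">" in m.group("flags")
        routes.append((str(ipaddress.ip_network(m.group("prefix"))), selected))
    return routes


def permitted(prefix, access_list=ACCESS_LIST_KERNELOUT):
    """First matching entry decides; no match means the implicit deny."""
    net = ipaddress.ip_network(prefix)
    for action, entry in access_list:
        if net.subnet_of(ipaddress.ip_network(entry)):
            return action == "permit"
    return False


def classify_kernel_routes(text=SHOW_IP_ROUTE_KERNEL, access_list=ACCESS_LIST_KERNELOUT):
    """Map each kernel prefix to what ospfd would do with it."""
    result = {}
    for prefix, selected in parse_kernel_routes(text):
        if not selected:
            result[prefix] = "not in FIB, never redistributed"
        elif permitted(prefix, access_list):
            result[prefix] = "redistributed into OSPF"
        else:
            result[prefix] = "dropped by distribute-list KERNELOUT"
    return result


def redistributed_routes(text=SHOW_IP_ROUTE_KERNEL, access_list=ACCESS_LIST_KERNELOUT):
    """Only the prefixes that OSPF would end up announcing."""
    return [p for p, verdict in classify_kernel_routes(text, access_list).items()
            if verdict == "redistributed into OSPF"]


if __name__ == "__main__":
    for prefix, verdict in classify_kernel_routes().items():
        print(f"{prefix:<18} {verdict}")
```

With the routes shown above only 10.10.1.84/32 survives the filter: the default route and the 10.10.10.0/24 and 10.10.11.0/24 networks hit the implicit deny, and 10.10.0.254/32 is not the selected route so zebra never offers it for redistribution. Since entries are evaluated in order, a later "deny" entry placed after a broader "permit" never fires; keep the most specific entries first if you add any.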