stack-orchestrator/playbooks/files/ashburn-routing-ifup.sh.j2

#!/bin/bash
# /etc/network/if-up.d/ashburn-routing
# Restore GRE tunnel and policy routing for Ashburn validator relay
# after reboot or interface up. Acts on eno1 (public interface) since
# the GRE tunnel depends on it.

[ "$IFACE" = "eno1" ] || exit 0

# Create GRE tunnel if it doesn't exist
if ! ip tunnel show {{ tunnel_device }} 2>/dev/null; then
    ip tunnel add {{ tunnel_device }} mode gre local {{ tunnel_src }} remote {{ tunnel_dst }} ttl 64
    ip addr add {{ tunnel_local_ip }}/31 dev {{ tunnel_device }}
    ip link set {{ tunnel_device }} up mtu 8972
fi

# Ensure rt_tables entry exists
grep -q '^{{ rt_table_id }} {{ rt_table_name }}$' /etc/iproute2/rt_tables || \
    echo "{{ rt_table_id }} {{ rt_table_name }}" >> /etc/iproute2/rt_tables

# Add policy rule
ip rule show | grep -q 'fwmark 0x64 lookup {{ rt_table_name }}' || \
    ip rule add fwmark {{ fwmark }} table {{ rt_table_name }}

# Add default route via mia-sw01 through GRE tunnel
ip route replace default via {{ tunnel_remote_ip }} dev {{ tunnel_device }} table {{ rt_table_name }}

# Add Ashburn IP to loopback
ip addr show lo | grep -q '{{ ashburn_ip }}' || ip addr add {{ ashburn_ip }}/32 dev lo
feat: dedicated GRE tunnel (Tunnel100) bypassing DZ-managed Tunnel500 Root cause: the doublezero-agent on mia-sw01 manages Tunnel500's ACL (SEC-USER-500-IN) and drops outbound gossip with src 137.239.194.65. The agent overwrites any custom ACL entries. Fix: create a separate GRE tunnel (Tunnel100) using mia-sw01's free LAN IP (209.42.167.137) as tunnel source. This tunnel goes over the ISP uplink, completely independent of the DZ overlay: - mia-sw01: Tunnel100 src 209.42.167.137, dst 186.233.184.235 - biscayne: gre-ashburn src 186.233.184.235, dst 209.42.167.137 - Link addresses: 169.254.100.0/31 Playbook changes: - ashburn-relay-mia-sw01: Tunnel100 + Loopback101 + SEC-VALIDATOR-100-IN - ashburn-relay-biscayne: gre-ashburn tunnel + updated policy routing - New template: ashburn-routing-ifup.sh.j2 for boot persistence Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-07 01:47:58 +00:00			`#!/bin/bash`
			`# /etc/network/if-up.d/ashburn-routing`
			`# Restore GRE tunnel and policy routing for Ashburn validator relay`
			`# after reboot or interface up. Acts on eno1 (public interface) since`
			`# the GRE tunnel depends on it.`

			`[ "$IFACE" = "eno1" ] \|\| exit 0`

			`# Create GRE tunnel if it doesn't exist`
			`if ! ip tunnel show {{ tunnel_device }} 2>/dev/null; then`
			`ip tunnel add {{ tunnel_device }} mode gre local {{ tunnel_src }} remote {{ tunnel_dst }} ttl 64`
			`ip addr add {{ tunnel_local_ip }}/31 dev {{ tunnel_device }}`
			`ip link set {{ tunnel_device }} up mtu 8972`
			`fi`

			`# Ensure rt_tables entry exists`
			`grep -q '^{{ rt_table_id }} {{ rt_table_name }}$' /etc/iproute2/rt_tables \|\| \`
			`echo "{{ rt_table_id }} {{ rt_table_name }}" >> /etc/iproute2/rt_tables`

			`# Add policy rule`
			`ip rule show \| grep -q 'fwmark 0x64 lookup {{ rt_table_name }}' \|\| \`
			`ip rule add fwmark {{ fwmark }} table {{ rt_table_name }}`

			`# Add default route via mia-sw01 through GRE tunnel`
			`ip route replace default via {{ tunnel_remote_ip }} dev {{ tunnel_device }} table {{ rt_table_name }}`

			`# Add Ashburn IP to loopback`
			`ip addr show lo \| grep -q '{{ ashburn_ip }}' \|\| ip addr add {{ ashburn_ip }}/32 dev lo`