From 4b29c737967e00cbfb44cb4bb0de78ec153fc3fb Mon Sep 17 00:00:00 2001
From: Nik Weidenbacher <nik@malbeclabs.com>
Date: Fri, 1 Aug 2025 18:53:48 +0000
Subject: [PATCH 01/18] vpnv4 peers

---
 .../internal/controller/fixtures/device.txt   | 85 +++++++++++++++++++
 .../controller/fixtures/e2e.last.user.txt     |  1 +
 .../controller/fixtures/e2e.peer.removal.txt  |  1 +
 .../internal/controller/fixtures/e2e.txt      |  1 +
 .../controller/fixtures/mixed.tunnel.txt      |  1 +
 .../controller/fixtures/multicast.tunnel.txt  |  1 +
 .../controller/fixtures/nohardware.tunnel.txt |  1 +
 .../controller/fixtures/unicast.tunnel.txt    |  1 +
 .../fixtures/unknown.peer.removal.txt         |  1 +
 .../controller/internal/controller/models.go  | 22 ++++-
 .../internal/controller/render_test.go        | 63 ++++++++++++--
 .../controller/internal/controller/server.go  | 39 ++++++++-
 .../internal/controller/server_test.go        | 54 +++++++++---
 .../internal/controller/templates/tunnel.tmpl | 11 +++
 14 files changed, 257 insertions(+), 25 deletions(-)
 create mode 100644 controlplane/controller/internal/controller/fixtures/device.txt

diff --git a/controlplane/controller/internal/controller/fixtures/device.txt b/controlplane/controller/internal/controller/fixtures/device.txt
new file mode 100644
index 000000000..b05750940
--- /dev/null
+++ b/controlplane/controller/internal/controller/fixtures/device.txt
@@ -0,0 +1,85 @@
+!
+ip multicast-routing
+!
+router pim sparse-mode
+   ipv4
+      rp address 10.0.0.0 239.0.0.0/24 override
+!
+vrf instance vrf1
+ip routing vrf vrf1
+!
+hardware access-list update default-result permit
+!
+no ip access-list MAIN-CONTROL-PLANE-ACL
+ip access-list MAIN-CONTROL-PLANE-ACL
+   counters per-entry
+   10 permit icmp any any
+   20 permit ip any any tracked
+   30 permit udp any any eq bfd ttl eq 255
+   40 permit udp any any eq bfd-echo ttl eq 254
+   50 permit udp any any eq multihop-bfd micro-bfd sbfd
+   60 permit udp any eq sbfd any eq sbfd-initiator
+   70 permit ospf any any
+   80 permit tcp any any eq ssh telnet www snmp bgp https msdp ldp netconf-ssh gnmi
+   90 permit udp any any eq bootps bootpc snmp rip ntp ldp ptp-event ptp-general
+   100 permit tcp any any eq mlag ttl eq 255
+   110 permit udp any any eq mlag ttl eq 255
+   120 permit vrrp any any
+   130 permit ahp any any
+   140 permit pim any any
+   150 permit igmp any any
+   160 permit tcp any any range 5900 5910
+   170 permit tcp any any range 50000 50100
+   180 permit udp any any range 51000 51100
+   190 permit tcp any any eq 3333
+   200 permit tcp any any eq nat ttl eq 255
+   210 permit tcp any eq bgp any
+   220 permit rsvp any any
+   230 permit tcp any any eq 9340
+   240 permit tcp any any eq 9559
+   250 permit udp any any eq 8503
+   260 permit udp any any eq lsp-ping
+   270 permit udp any eq lsp-ping any
+
+   280 remark Permit TWAMP (UDP 862)
+   290 permit udp any any eq 862
+!
+system control-plane
+   ip access-group MAIN-CONTROL-PLANE-ACL in
+!
+router bgp 65342
+   router-id 14.14.14.14
+   no neighbor 15.15.15.15
+   neighbor 15.15.15.15 remote-as 65342
+   neighbor 15.15.15.15 next-hop-self
+   neighbor 15.15.15.15 update-source Loopback255
+   neighbor 15.15.15.15 description remote-device
+   neighbor 15.15.15.15 send-community
+   address-family ipv4
+   !
+   vrf vrf1
+      rd 65342:1
+      route-target import vpn-ipv4 65342:1
+      route-target export vpn-ipv4 65342:1
+      router-id 7.7.7.7
+!
+ip community-list COMM-ALL_USERS permit 21682:1200
+ip community-list COMM-ALL_MCAST_USERS permit 21682:1300
+!
+no ip access-list SEC-USER-PUB-MCAST-IN
+ip access-list SEC-USER-PUB-MCAST-IN
+   counters per-entry
+   permit icmp any any
+   permit tcp any any eq bgp
+   permit ip any 224.0.0.13/32
+   permit ip any 239.0.0.0/24
+   deny ip any any
+!
+no ip access-list SEC-USER-SUB-MCAST-IN
+ip access-list SEC-USER-SUB-MCAST-IN
+   counters per-entry
+   permit icmp any any
+   permit tcp any any eq bgp
+   permit ip any 224.0.0.13/32
+   deny ip any any
+!
diff --git a/controlplane/controller/internal/controller/fixtures/e2e.last.user.txt b/controlplane/controller/internal/controller/fixtures/e2e.last.user.txt
index 72193d8f3..aa900127e 100644
--- a/controlplane/controller/internal/controller/fixtures/e2e.last.user.txt
+++ b/controlplane/controller/internal/controller/fixtures/e2e.last.user.txt
@@ -176,6 +176,7 @@ default interface Tunnel562
 default interface Tunnel563
 !
 router bgp 65342
+   router-id 14.14.14.14
    address-family ipv4
    no neighbor 169.254.0.13
    !
diff --git a/controlplane/controller/internal/controller/fixtures/e2e.peer.removal.txt b/controlplane/controller/internal/controller/fixtures/e2e.peer.removal.txt
index 70f38b515..a0a1ea575 100644
--- a/controlplane/controller/internal/controller/fixtures/e2e.peer.removal.txt
+++ b/controlplane/controller/internal/controller/fixtures/e2e.peer.removal.txt
@@ -201,6 +201,7 @@ default interface Tunnel562
 default interface Tunnel563
 !
 router bgp 65342
+   router-id 14.14.14.14
    no neighbor 169.254.0.3
    neighbor 169.254.0.3 remote-as 65000
    neighbor 169.254.0.3 passive
diff --git a/controlplane/controller/internal/controller/fixtures/e2e.txt b/controlplane/controller/internal/controller/fixtures/e2e.txt
index 56e4f55a5..bd709a494 100644
--- a/controlplane/controller/internal/controller/fixtures/e2e.txt
+++ b/controlplane/controller/internal/controller/fixtures/e2e.txt
@@ -201,6 +201,7 @@ default interface Tunnel562
 default interface Tunnel563
 !
 router bgp 65342
+   router-id 14.14.14.14
    no neighbor 169.254.0.3
    neighbor 169.254.0.3 remote-as 65000
    neighbor 169.254.0.3 passive
diff --git a/controlplane/controller/internal/controller/fixtures/mixed.tunnel.txt b/controlplane/controller/internal/controller/fixtures/mixed.tunnel.txt
index a60337846..ec8b497b9 100644
--- a/controlplane/controller/internal/controller/fixtures/mixed.tunnel.txt
+++ b/controlplane/controller/internal/controller/fixtures/mixed.tunnel.txt
@@ -111,6 +111,7 @@ interface Tunnel503
    no shutdown
 !
 router bgp 65342
+   router-id 14.14.14.14
    no neighbor 169.254.0.1
    neighbor 169.254.0.1 remote-as 65000
    neighbor 169.254.0.1 passive
diff --git a/controlplane/controller/internal/controller/fixtures/multicast.tunnel.txt b/controlplane/controller/internal/controller/fixtures/multicast.tunnel.txt
index ce63e6f9c..da42b8157 100644
--- a/controlplane/controller/internal/controller/fixtures/multicast.tunnel.txt
+++ b/controlplane/controller/internal/controller/fixtures/multicast.tunnel.txt
@@ -98,6 +98,7 @@ interface Tunnel502
    no shutdown
 !
 router bgp 65342
+   router-id 14.14.14.14
    no neighbor 169.254.0.1
    neighbor 169.254.0.1 remote-as 65000
    neighbor 169.254.0.1 passive
diff --git a/controlplane/controller/internal/controller/fixtures/nohardware.tunnel.txt b/controlplane/controller/internal/controller/fixtures/nohardware.tunnel.txt
index 977e09891..7e2e99fce 100644
--- a/controlplane/controller/internal/controller/fixtures/nohardware.tunnel.txt
+++ b/controlplane/controller/internal/controller/fixtures/nohardware.tunnel.txt
@@ -106,6 +106,7 @@ interface Tunnel503
    no shutdown
 !
 router bgp 65342
+   router-id 14.14.14.14
    no neighbor 169.254.0.1
    neighbor 169.254.0.1 remote-as 65000
    neighbor 169.254.0.1 passive
diff --git a/controlplane/controller/internal/controller/fixtures/unicast.tunnel.txt b/controlplane/controller/internal/controller/fixtures/unicast.tunnel.txt
index 8970c0bbc..49eecfec3 100644
--- a/controlplane/controller/internal/controller/fixtures/unicast.tunnel.txt
+++ b/controlplane/controller/internal/controller/fixtures/unicast.tunnel.txt
@@ -87,6 +87,7 @@ interface Tunnel502
    no shutdown
 !
 router bgp 65342
+   router-id 14.14.14.14
    address-family ipv4
    !
    vrf vrf1
diff --git a/controlplane/controller/internal/controller/fixtures/unknown.peer.removal.txt b/controlplane/controller/internal/controller/fixtures/unknown.peer.removal.txt
index 6b917566a..c26702b04 100644
--- a/controlplane/controller/internal/controller/fixtures/unknown.peer.removal.txt
+++ b/controlplane/controller/internal/controller/fixtures/unknown.peer.removal.txt
@@ -87,6 +87,7 @@ interface Tunnel502
    no shutdown
 !
 router bgp 65342
+   router-id 14.14.14.14
    address-family ipv4
    no neighbor 169.254.0.7
    !
diff --git a/controlplane/controller/internal/controller/models.go b/controlplane/controller/internal/controller/models.go
index 39b028015..d8cc9ee36 100644
--- a/controlplane/controller/internal/controller/models.go
+++ b/controlplane/controller/internal/controller/models.go
@@ -2,6 +2,8 @@ package controller
 
 import (
 	"net"
+
+	"github.com/malbeclabs/doublezero/smartcontract/sdk/go/serviceability"
 )
 
 var (
@@ -11,10 +13,15 @@ var (
 )
 
 type Device struct {
-	PubKey      string
-	PublicIP    net.IP
-	Tunnels     []*Tunnel
-	TunnelSlots int
+	PubKey          string
+	PublicIP        net.IP
+	Vpn4vLoopbackIP net.IP
+	Tunnels         []*Tunnel
+	TunnelSlots     int
+	MgmtVrf         string
+	DnsServers      []net.IP
+	NtpServers      []net.IP
+	Interfaces      []serviceability.Interface
 }
 
 func NewDevice(ip net.IP, publicKey string) *Device {
@@ -59,8 +66,15 @@ type Tunnel struct {
 	MulticastPublishers   []net.IP
 }
 
+type Vpnv4BgpPeer struct {
+	PeerIP    net.IP
+	PeerName  string
+	SourceInt string
+}
+
 type templateData struct {
 	Device                   *Device
+	Vpnv4BgpPeers            []Vpnv4BgpPeer
 	UnknownBgpPeers          []net.IP
 	MulticastGroupBlock      string
 	NoHardware               bool
diff --git a/controlplane/controller/internal/controller/render_test.go b/controlplane/controller/internal/controller/render_test.go
index 738e52135..4662e7949 100644
--- a/controlplane/controller/internal/controller/render_test.go
+++ b/controlplane/controller/internal/controller/render_test.go
@@ -1,11 +1,13 @@
 package controller
 
 import (
+	"fmt"
 	"net"
 	"os"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
+	"github.com/malbeclabs/doublezero/smartcontract/sdk/go/serviceability"
 )
 
 func TestRenderConfig(t *testing.T) {
@@ -22,7 +24,8 @@ func TestRenderConfig(t *testing.T) {
 				MulticastGroupBlock:      "239.0.0.0/24",
 				TelemetryTWAMPListenPort: 862,
 				Device: &Device{
-					PublicIP: net.IP{7, 7, 7, 7},
+					PublicIP:        net.IP{7, 7, 7, 7},
+					Vpn4vLoopbackIP: net.IP{14, 14, 14, 14},
 					Tunnels: []*Tunnel{
 						{
 							Id:            500,
@@ -53,7 +56,7 @@ func TestRenderConfig(t *testing.T) {
 						},
 					},
 				},
-				UnknownBgpPeers: []net.IP{},
+				UnknownBgpPeers: nil,
 			},
 			Want: "fixtures/unicast.tunnel.txt",
 		},
@@ -64,7 +67,8 @@ func TestRenderConfig(t *testing.T) {
 				MulticastGroupBlock:      "239.0.0.0/24",
 				TelemetryTWAMPListenPort: 862,
 				Device: &Device{
-					PublicIP: net.IP{7, 7, 7, 7},
+					PublicIP:        net.IP{7, 7, 7, 7},
+					Vpn4vLoopbackIP: net.IP{14, 14, 14, 14},
 					Tunnels: []*Tunnel{
 						{
 							Id:            500,
@@ -108,7 +112,8 @@ func TestRenderConfig(t *testing.T) {
 				MulticastGroupBlock:      "239.0.0.0/24",
 				TelemetryTWAMPListenPort: 862,
 				Device: &Device{
-					PublicIP: net.IP{7, 7, 7, 7},
+					PublicIP:        net.IP{7, 7, 7, 7},
+					Vpn4vLoopbackIP: net.IP{14, 14, 14, 14},
 					Tunnels: []*Tunnel{
 						{
 							Id:            500,
@@ -183,7 +188,8 @@ func TestRenderConfig(t *testing.T) {
 				MulticastGroupBlock:      "239.0.0.0/24",
 				TelemetryTWAMPListenPort: 862,
 				Device: &Device{
-					PublicIP: net.IP{7, 7, 7, 7},
+					PublicIP:        net.IP{7, 7, 7, 7},
+					Vpn4vLoopbackIP: net.IP{14, 14, 14, 14},
 					Tunnels: []*Tunnel{
 						{
 							Id:            500,
@@ -270,7 +276,8 @@ func TestRenderConfig(t *testing.T) {
 				MulticastGroupBlock:      "239.0.0.0/24",
 				TelemetryTWAMPListenPort: 862,
 				Device: &Device{
-					PublicIP: net.IP{7, 7, 7, 7},
+					PublicIP:        net.IP{7, 7, 7, 7},
+					Vpn4vLoopbackIP: net.IP{14, 14, 14, 14},
 					Tunnels: []*Tunnel{
 						{
 							Id:            500,
@@ -349,6 +356,45 @@ func TestRenderConfig(t *testing.T) {
 			},
 			Want: "fixtures/nohardware.tunnel.txt",
 		},
+		{
+			Name:        "render_base_config_successfully",
+			Description: "render base device config without tunnels",
+			Data: templateData{
+				MulticastGroupBlock:      "239.0.0.0/24",
+				TelemetryTWAMPListenPort: 862,
+				Device: &Device{
+					PublicIP:        net.IP{7, 7, 7, 7},
+					Vpn4vLoopbackIP: net.IP{14, 14, 14, 14},
+					MgmtVrf:         "default",
+					DnsServers: []net.IP{
+						{8, 8, 8, 8},
+						{8, 8, 4, 4},
+					},
+					NtpServers: []net.IP{
+						{216, 240, 36, 24},  // 0.pool.ntp.org
+						{205, 233, 73, 201}, // 0.pool.ntp.org
+					},
+					Interfaces: []serviceability.Interface{
+						{
+							Version:        serviceability.CurrentInterfaceVersion,
+							Name:           "Loopback255",
+							InterfaceType:  serviceability.InterfaceTypeLoopback,
+							LoopbackType:   serviceability.LoopbackTypeVpnv4,
+							IpNet:          [5]uint8{14, 14, 14, 14, 32},
+							NodeSegmentIdx: 15,
+						},
+					},
+				},
+				Vpnv4BgpPeers: []Vpnv4BgpPeer{
+					{
+						PeerIP:    net.IP{15, 15, 15, 15},
+						PeerName:  "remote-device",
+						SourceInt: "Loopback255",
+					},
+				},
+			},
+			Want: "fixtures/device.txt",
+		},
 	}
 
 	for _, test := range tests {
@@ -362,7 +408,10 @@ func TestRenderConfig(t *testing.T) {
 				t.Fatalf("error reading test fixture %s: %v", test.Want, err)
 			}
 			if diff := cmp.Diff(string(want), got); diff != "" {
-				t.Errorf("renderTunnels mismatch (-want +got): %s\n", diff)
+				t.Errorf("renderTunnels mismatch (-want +got):\n%s", diff)
+				// Print the actual strings for debugging
+				fmt.Printf("\n=== EXPECTED ===\n%s\n=== END EXPECTED ===\n", string(want))
+				fmt.Printf("\n=== ACTUAL ===\n%s\n=== END ACTUAL ===\n", got)
 			}
 		})
 	}
diff --git a/controlplane/controller/internal/controller/server.go b/controlplane/controller/internal/controller/server.go
index 0145447a3..45621c69d 100644
--- a/controlplane/controller/internal/controller/server.go
+++ b/controlplane/controller/internal/controller/server.go
@@ -31,6 +31,7 @@ type stateCache struct {
 	Config          serviceability.Config
 	Devices         map[string]*Device
 	MulticastGroups map[string]serviceability.MulticastGroup
+	Vpnv4BgpPeers   []Vpnv4BgpPeer
 }
 
 type Controller struct {
@@ -154,7 +155,42 @@ func (c *Controller) updateStateCache(ctx context.Context) error {
 			continue
 		}
 		devicePubKey := base58.Encode(device.PubKey[:])
-		cache.Devices[devicePubKey] = NewDevice(ip, devicePubKey)
+		d := NewDevice(ip, devicePubKey)
+
+		d.MgmtVrf = device.MgmtVrf
+		d.Interfaces = device.Interfaces
+
+		// Build Vpnv4BgpPeers from device interfaces
+		for _, iface := range device.Interfaces {
+			if iface.InterfaceType == serviceability.InterfaceTypeLoopback &&
+				iface.LoopbackType == serviceability.LoopbackTypeVpnv4 {
+				// Extract IP from IpNet
+				ip := net.IP(iface.IpNet[:4])
+				d.Vpn4vLoopbackIP = ip
+				peer := Vpnv4BgpPeer{
+					PeerIP:    ip,
+					PeerName:  device.Code,
+					SourceInt: iface.Name,
+				}
+				cache.Vpnv4BgpPeers = append(cache.Vpnv4BgpPeers, peer)
+			}
+		}
+
+		if len(device.DnsServers) > 0 {
+			d.DnsServers = make([]net.IP, len(device.DnsServers))
+			for i, dns := range device.DnsServers {
+				d.DnsServers[i] = net.IP(dns[:])
+			}
+		}
+
+		if len(device.NtpServers) > 0 {
+			d.NtpServers = make([]net.IP, len(device.NtpServers))
+			for i, ntp := range device.NtpServers {
+				d.NtpServers[i] = net.IP(ntp[:])
+			}
+		}
+
+		cache.Devices[devicePubKey] = d
 	}
 
 	// Build cache of multicast groups.
@@ -368,6 +404,7 @@ func (c *Controller) GetConfig(ctx context.Context, req *pb.ConfigRequest) (*pb.
 	data := templateData{
 		MulticastGroupBlock:      multicastGroupBlock,
 		Device:                   device,
+		Vpnv4BgpPeers:            c.cache.Vpnv4BgpPeers,
 		UnknownBgpPeers:          unknownPeers,
 		NoHardware:               c.noHardware,
 		TelemetryTWAMPListenPort: telemetryconfig.TWAMPListenPort,
diff --git a/controlplane/controller/internal/controller/server_test.go b/controlplane/controller/internal/controller/server_test.go
index 077e13fd9..7774011ee 100644
--- a/controlplane/controller/internal/controller/server_test.go
+++ b/controlplane/controller/internal/controller/server_test.go
@@ -65,7 +65,8 @@ func TestGetConfig(t *testing.T) {
 								Allocated:     true,
 							},
 						},
-						PublicIP: net.IP{7, 7, 7, 7},
+						PublicIP:        net.IP{7, 7, 7, 7},
+						Vpn4vLoopbackIP: net.IP{14, 14, 14, 14},
 					},
 				},
 			},
@@ -143,7 +144,8 @@ func TestGetConfig(t *testing.T) {
 								},
 							},
 						},
-						PublicIP: net.IP{7, 7, 7, 7},
+						PublicIP:        net.IP{7, 7, 7, 7},
+						Vpn4vLoopbackIP: net.IP{14, 14, 14, 14},
 					},
 				},
 			},
@@ -232,7 +234,8 @@ func TestGetConfig(t *testing.T) {
 								},
 							},
 						},
-						PublicIP: net.IP{7, 7, 7, 7},
+						PublicIP:        net.IP{7, 7, 7, 7},
+						Vpn4vLoopbackIP: net.IP{14, 14, 14, 14},
 					},
 				},
 			},
@@ -322,7 +325,8 @@ func TestGetConfig(t *testing.T) {
 								},
 							},
 						},
-						PublicIP: net.IP{7, 7, 7, 7},
+						PublicIP:        net.IP{7, 7, 7, 7},
+						Vpn4vLoopbackIP: net.IP{14, 14, 14, 14},
 					},
 				},
 			},
@@ -717,9 +721,17 @@ func TestEndToEnd(t *testing.T) {
 					ExchangePubKey: [32]uint8{},
 					DeviceType:     0,
 					PublicIp:       [4]uint8{2, 2, 2, 2},
-					Status:         serviceability.DeviceStatusActivated,
-					Code:           "abc01",
-					PubKey:         [32]byte{1},
+					Interfaces: []serviceability.Interface{
+						{
+							InterfaceType: serviceability.InterfaceTypeLoopback,
+							LoopbackType:  serviceability.LoopbackTypeVpnv4,
+							IpNet:         [5]uint8{14, 14, 14, 14, 32},
+							Name:          "Loopback255",
+						},
+					},
+					Status: serviceability.DeviceStatusActivated,
+					Code:   "abc01",
+					PubKey: [32]byte{1},
 				},
 			},
 			AgentRequest: &pb.ConfigRequest{
@@ -778,9 +790,17 @@ func TestEndToEnd(t *testing.T) {
 					ExchangePubKey: [32]uint8{},
 					DeviceType:     0,
 					PublicIp:       [4]uint8{2, 2, 2, 2},
-					Status:         serviceability.DeviceStatusActivated,
-					Code:           "abc01",
-					PubKey:         [32]byte{1},
+					Interfaces: []serviceability.Interface{
+						{
+							InterfaceType: serviceability.InterfaceTypeLoopback,
+							LoopbackType:  serviceability.LoopbackTypeVpnv4,
+							IpNet:         [5]uint8{14, 14, 14, 14, 32},
+							Name:          "Loopback255",
+						},
+					},
+					Status: serviceability.DeviceStatusActivated,
+					Code:   "abc01",
+					PubKey: [32]byte{1},
 				},
 			},
 			AgentRequest: &pb.ConfigRequest{
@@ -807,9 +827,17 @@ func TestEndToEnd(t *testing.T) {
 					ExchangePubKey: [32]uint8{},
 					DeviceType:     0,
 					PublicIp:       [4]uint8{2, 2, 2, 2},
-					Status:         serviceability.DeviceStatusActivated,
-					Code:           "abc01",
-					PubKey:         [32]byte{1},
+					Interfaces: []serviceability.Interface{
+						{
+							InterfaceType: serviceability.InterfaceTypeLoopback,
+							LoopbackType:  serviceability.LoopbackTypeVpnv4,
+							IpNet:         [5]uint8{14, 14, 14, 14, 32},
+							Name:          "Loopback255",
+						},
+					},
+					Status: serviceability.DeviceStatusActivated,
+					Code:   "abc01",
+					PubKey: [32]byte{1},
 				},
 			},
 			AgentRequest: &pb.ConfigRequest{
diff --git a/controlplane/controller/internal/controller/templates/tunnel.tmpl b/controlplane/controller/internal/controller/templates/tunnel.tmpl
index 9d81f5ee8..d02f03291 100644
--- a/controlplane/controller/internal/controller/templates/tunnel.tmpl
+++ b/controlplane/controller/internal/controller/templates/tunnel.tmpl
@@ -84,6 +84,17 @@ interface Tunnel{{ .Id }}
 !
 {{- end }}
 router bgp 65342
+   router-id {{ .Device.Vpn4vLoopbackIP }}
+   {{- range .Vpnv4BgpPeers }}
+   {{- if ne .PeerIP.String $.Device.Vpn4vLoopbackIP.String }}
+   no neighbor {{ .PeerIP }}
+   neighbor {{ .PeerIP }} remote-as 65342
+   neighbor {{ .PeerIP }} next-hop-self
+   neighbor {{ .PeerIP }} update-source {{ .SourceInt }}
+   neighbor {{ .PeerIP }} description {{ .PeerName }}
+   neighbor {{ .PeerIP }} send-community
+   {{- end }}
+   {{- end }}
    {{- range .Device.Tunnels }}
    {{- if and .IsMulticast .Allocated }}
    no neighbor {{ .OverlayDstIP }}

From 6b4742ac005942fd557beb0bc717991af03b4c45 Mon Sep 17 00:00:00 2001
From: Nik Weidenbacher <nik@malbeclabs.com>
Date: Sat, 2 Aug 2025 19:14:56 +0000
Subject: [PATCH 02/18] activator does not yet assign IPs

---
 controlplane/controller/internal/controller/server.go     | 2 ++
 e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl | 1 +
 .../ibrl/doublezero_agent_config_user_removed.tmpl        | 1 +
 .../doublezero_agent_config_user_added.tmpl               | 1 +
 .../doublezero_agent_config_user_removed.tmpl             | 1 +
 .../doublezero_agent_config_user_added.tmpl               | 1 +
 .../doublezero_agent_config_user_removed.tmpl             | 1 +
 .../doublezero_agent_config_user_added.tmpl               | 1 +
 .../doublezero_agent_config_user_removed.tmpl             | 1 +
 e2e/main_test.go                                          | 8 ++++++++
 10 files changed, 18 insertions(+)

diff --git a/controlplane/controller/internal/controller/server.go b/controlplane/controller/internal/controller/server.go
index 45621c69d..573f801e6 100644
--- a/controlplane/controller/internal/controller/server.go
+++ b/controlplane/controller/internal/controller/server.go
@@ -167,6 +167,7 @@ func (c *Controller) updateStateCache(ctx context.Context) error {
 				// Extract IP from IpNet
 				ip := net.IP(iface.IpNet[:4])
 				d.Vpn4vLoopbackIP = ip
+				// TODO: raise an error if the IP is 0.0.0.0 (not set)
 				peer := Vpnv4BgpPeer{
 					PeerIP:    ip,
 					PeerName:  device.Code,
@@ -175,6 +176,7 @@ func (c *Controller) updateStateCache(ctx context.Context) error {
 				cache.Vpnv4BgpPeers = append(cache.Vpnv4BgpPeers, peer)
 			}
 		}
+		// TODO: raise an error if the IP is not set (no LoopbackTypeVpnv4 interface found)
 
 		if len(device.DnsServers) > 0 {
 			d.DnsServers = make([]net.IP, len(device.DnsServers))
diff --git a/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl
index 81854ec03..62d545da1 100644
--- a/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl
@@ -185,6 +185,7 @@ default interface Tunnel562
 default interface Tunnel563
 !
 router bgp 65342
+   router-id 0.0.0.0
    address-family ipv4
    !
    vrf vrf1
diff --git a/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl
index ba3f55ceb..d5688bf3f 100644
--- a/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl
@@ -174,6 +174,7 @@ default interface Tunnel562
 default interface Tunnel563
 !
 router bgp 65342
+   router-id 0.0.0.0
    address-family ipv4
    !
    vrf vrf1
diff --git a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl
index 10abcc8d8..c1cf9b88d 100644
--- a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl
@@ -185,6 +185,7 @@ default interface Tunnel562
 default interface Tunnel563
 !
 router bgp 65342
+   router-id 0.0.0.0
    address-family ipv4
    !
    vrf vrf1
diff --git a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl
index ba3f55ceb..d5688bf3f 100644
--- a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl
@@ -174,6 +174,7 @@ default interface Tunnel562
 default interface Tunnel563
 !
 router bgp 65342
+   router-id 0.0.0.0
    address-family ipv4
    !
    vrf vrf1
diff --git a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl
index 663325b81..be06f75d7 100644
--- a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl
@@ -188,6 +188,7 @@ default interface Tunnel562
 default interface Tunnel563
 !
 router bgp 65342
+   router-id 0.0.0.0
    no neighbor 169.254.0.1
    neighbor 169.254.0.1 remote-as 65000
    neighbor 169.254.0.1 passive
diff --git a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl
index ba3f55ceb..d5688bf3f 100644
--- a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl
@@ -174,6 +174,7 @@ default interface Tunnel562
 default interface Tunnel563
 !
 router bgp 65342
+   router-id 0.0.0.0
    address-family ipv4
    !
    vrf vrf1
diff --git a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl
index 62b578c55..6902cfe89 100644
--- a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl
@@ -187,6 +187,7 @@ default interface Tunnel562
 default interface Tunnel563
 !
 router bgp 65342
+   router-id 0.0.0.0
    no neighbor 169.254.0.1
    neighbor 169.254.0.1 remote-as 65000
    neighbor 169.254.0.1 passive
diff --git a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl
index ba3f55ceb..d5688bf3f 100644
--- a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl
@@ -174,6 +174,7 @@ default interface Tunnel562
 default interface Tunnel563
 !
 router bgp 65342
+   router-id 0.0.0.0
    address-family ipv4
    !
    vrf vrf1
diff --git a/e2e/main_test.go b/e2e/main_test.go
index 0cd345ae1..40a58732c 100644
--- a/e2e/main_test.go
+++ b/e2e/main_test.go
@@ -175,13 +175,21 @@ func (dn *TestDevnet) Start(t *testing.T) (*devnet.Device, *devnet.Client) {
 		echo "==> Populate device interface information onchain"
 		# TODO: When the controller supports dzd metadata, this will have to be updated to reflect actual interfaces
 		doublezero device interface create ny5-dz01 "Switch1/1/1" physical
+		doublezero device interface create ny5-dz01 "Loopback255" loopback --loopback-type vpnv4
 		doublezero device interface create la2-dz01 "Switch1/1/1" physical
+		doublezero device interface create la2-dz01 "Loopback255" loopback --loopback-type vpnv4
 		doublezero device interface create ld4-dz01 "Switch1/1/1" physical
+		doublezero device interface create ld4-dz01 "Loopback255" loopback --loopback-type vpnv4
 		doublezero device interface create frk-dz01 "Switch1/1/1" physical
+		doublezero device interface create frk-dz01 "Loopback255" loopback --loopback-type vpnv4
 		doublezero device interface create sg1-dz01 "Switch1/1/1" physical
+		doublezero device interface create sg1-dz01 "Loopback255" loopback --loopback-type vpnv4
 		doublezero device interface create ty2-dz01 "Switch1/1/1" physical
+		doublezero device interface create ty2-dz01 "Loopback255" loopback --loopback-type vpnv4
 		doublezero device interface create pit-dzd01 "Switch1/1/1" physical
+		doublezero device interface create pit-dzd01 "Loopback255" loopback --loopback-type vpnv4
 		doublezero device interface create ams-dz001 "Switch1/1/1" physical
+		doublezero device interface create ams-dz001 "Loopback255" loopback --loopback-type vpnv4
 
 		echo "==> Populate link information onchain"
 		doublezero link create wan --code "la2-dz01:ny5-dz01" --contributor co01 --side-a la2-dz01 --side-a-interface Switch1/1/1 --side-z ny5-dz01 --side-z-interface Switch1/1/1 --bandwidth "10 Gbps" --mtu 9000 --delay-ms 40 --jitter-ms 3

From 10dacf2c7ea8b4ce16a7272c1557503b2b0c0541 Mon Sep 17 00:00:00 2001
From: Nik Weidenbacher <nik@malbeclabs.com>
Date: Sun, 3 Aug 2025 19:50:20 +0000
Subject: [PATCH 03/18] Skip devices with no LoopbackTypeVpnv4 interface

---
 .../controller/internal/controller/server.go  |  6 +-
 .../internal/controller/server_test.go        | 78 +++++++++++++++++--
 2 files changed, 77 insertions(+), 7 deletions(-)

diff --git a/controlplane/controller/internal/controller/server.go b/controlplane/controller/internal/controller/server.go
index 573f801e6..e0d8fb1e0 100644
--- a/controlplane/controller/internal/controller/server.go
+++ b/controlplane/controller/internal/controller/server.go
@@ -176,7 +176,11 @@ func (c *Controller) updateStateCache(ctx context.Context) error {
 				cache.Vpnv4BgpPeers = append(cache.Vpnv4BgpPeers, peer)
 			}
 		}
-		// TODO: raise an error if the IP is not set (no LoopbackTypeVpnv4 interface found)
+
+		if d.Vpn4vLoopbackIP == nil {
+			slog.Error("not adding device to cache", "device pubkey", devicePubKey, "reason", "VPNv4 loopback interface found for device")
+			continue
+		}
 
 		if len(device.DnsServers) > 0 {
 			d.DnsServers = make([]net.IP, len(device.DnsServers))
diff --git a/controlplane/controller/internal/controller/server_test.go b/controlplane/controller/internal/controller/server_test.go
index 7774011ee..f94a92dfc 100644
--- a/controlplane/controller/internal/controller/server_test.go
+++ b/controlplane/controller/internal/controller/server_test.go
@@ -455,9 +455,17 @@ func TestStateCache(t *testing.T) {
 					ExchangePubKey: [32]uint8{},
 					DeviceType:     0,
 					PublicIp:       [4]uint8{2, 2, 2, 2},
-					Status:         serviceability.DeviceStatusActivated,
-					Code:           "abc01",
-					PubKey:         [32]byte{1},
+					Interfaces: []serviceability.Interface{
+						{
+							InterfaceType: serviceability.InterfaceTypeLoopback,
+							LoopbackType:  serviceability.LoopbackTypeVpnv4,
+							IpNet:         [5]uint8{14, 14, 14, 14, 32},
+							Name:          "Loopback255",
+						},
+					},
+					Status: serviceability.DeviceStatusActivated,
+					Code:   "abc01",
+					PubKey: [32]byte{1},
 				},
 			},
 			StateCache: stateCache{
@@ -474,10 +482,18 @@ func TestStateCache(t *testing.T) {
 						},
 					},
 				},
+				Vpnv4BgpPeers: []Vpnv4BgpPeer{
+					{
+						PeerIP:    net.IP{14, 14, 14, 14},
+						PeerName:  "abc01",
+						SourceInt: "Loopback255",
+					},
+				},
 				Devices: map[string]*Device{
 					"4uQeVj5tqViQh7yWWGStvkEG1Zmhx6uasJtWCJziofM": {
-						PubKey:   "4uQeVj5tqViQh7yWWGStvkEG1Zmhx6uasJtWCJziofM",
-						PublicIP: net.IP{2, 2, 2, 2},
+						PubKey:          "4uQeVj5tqViQh7yWWGStvkEG1Zmhx6uasJtWCJziofM",
+						PublicIP:        net.IP{2, 2, 2, 2},
+						Vpn4vLoopbackIP: net.IP{14, 14, 14, 14},
 						Tunnels: []*Tunnel{
 							{
 								Id:            500,
@@ -570,15 +586,65 @@ func TestStateCache(t *testing.T) {
 							{Id: 563},
 						},
 						TunnelSlots: 64,
+						Interfaces: []serviceability.Interface{
+							{
+								InterfaceType: serviceability.InterfaceTypeLoopback,
+								LoopbackType:  serviceability.LoopbackTypeVpnv4,
+								IpNet:         [5]uint8{14, 14, 14, 14, 32},
+								Name:          "Loopback255",
+							},
+						},
 					},
 				},
 			},
 		},
+		{
+			Name: "exclude_device_without_vpnv4_loopback",
+			Config: serviceability.Config{
+				MulticastGroupBlock: [5]uint8{239, 0, 0, 0, 24},
+			},
+			Users: []serviceability.User{
+				{
+					AccountType:  serviceability.AccountType(0),
+					Owner:        [32]uint8{},
+					UserType:     serviceability.UserUserType(serviceability.UserTypeIBRL),
+					DevicePubKey: [32]uint8{1},
+					CyoaType:     serviceability.CyoaTypeGREOverDIA,
+					ClientIp:     [4]uint8{1, 1, 1, 1},
+					DzIp:         [4]uint8{100, 100, 100, 100},
+					TunnelId:     uint16(500),
+					TunnelNet:    [5]uint8{10, 1, 1, 0, 31},
+					Status:       serviceability.UserStatusActivated,
+				},
+			},
+			Devices: []serviceability.Device{
+				{
+					AccountType:    serviceability.AccountType(0),
+					Owner:          [32]uint8{},
+					LocationPubKey: [32]uint8{},
+					ExchangePubKey: [32]uint8{},
+					DeviceType:     0,
+					PublicIp:       [4]uint8{3, 3, 3, 3},
+					Interfaces:     []serviceability.Interface{}, // No VPNv4 loopback interface
+					Status:         serviceability.DeviceStatusActivated,
+					Code:           "abc02",
+					PubKey:         [32]byte{1},
+				},
+			},
+			StateCache: stateCache{
+				Config: serviceability.Config{
+					MulticastGroupBlock: [5]uint8{239, 0, 0, 0, 24},
+				},
+				MulticastGroups: map[string]serviceability.MulticastGroup{},
+				Vpnv4BgpPeers:   nil, // No BGP peers since device is excluded
+				Devices:         map[string]*Device{}, // Device should not be in cache
+			},
+		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.Name, func(t *testing.T) {
-			lis, err := net.Listen("tcp", net.JoinHostPort("localhost", "7004"))
+			lis, err := net.Listen("tcp", "localhost:0")
 			if err != nil {
 				log.Fatalf("failed to listen: %v", err)
 			}

From f00d889deab1906e60117823399a404d5bcd1e24 Mon Sep 17 00:00:00 2001
From: Nik Weidenbacher <nik@malbeclabs.com>
Date: Sun, 3 Aug 2025 19:54:54 +0000
Subject: [PATCH 04/18] e2e updates for router-id

---
 e2e/device_telemetry_test.go     | 14 +++++++++++++-
 e2e/internal/devnet/device.go    |  1 +
 e2e/internal/devnet/devnet.go    | 13 +++++++++++++
 e2e/main_test.go                 | 15 ++++++++-------
 e2e/multi_client_test.go         |  3 +++
 e2e/sdk_device_telemetry_test.go | 11 +++++++++++
 6 files changed, 49 insertions(+), 8 deletions(-)

diff --git a/e2e/device_telemetry_test.go b/e2e/device_telemetry_test.go
index c8c3c0064..23809fa13 100644
--- a/e2e/device_telemetry_test.go
+++ b/e2e/device_telemetry_test.go
@@ -102,6 +102,9 @@ func TestE2E_DeviceTelemetry(t *testing.T) {
 		})
 		require.NoError(t, err)
 
+		err = dn.CreateDeviceVPNv4LoopbackInterface(t.Context(), "la2-dz01", "Loopback255")
+		require.NoError(t, err, "failed to create VPNv4 loopback interface for device %s: %w", "la2-dz01", err)
+
 		// Wait for the telemetry publisher account to be funded.
 		requireEventuallyFunded(t, log, dn.Ledger.GetRPCClient(), telemetryKeypairPK, minBalanceSOL, "telemetry publisher")
 	}()
@@ -139,6 +142,9 @@ func TestE2E_DeviceTelemetry(t *testing.T) {
 		})
 		require.NoError(t, err)
 
+		err = dn.CreateDeviceVPNv4LoopbackInterface(t.Context(), "ny5-dz01", "Loopback255")
+		require.NoError(t, err, "failed to create VPNv4 loopback interface for device %s: %w", "la2-dz01", err)
+
 		// Wait for the telemetry publisher account to be funded.
 		requireEventuallyFunded(t, log, dn.Ledger.GetRPCClient(), telemetryKeypairPK, minBalanceSOL, "telemetry publisher")
 	}()
@@ -156,7 +162,6 @@ func TestE2E_DeviceTelemetry(t *testing.T) {
 			doublezero device create --code pit-dzd01 --contributor co01 --location pit --exchange xpit --public-ip "204.16.241.243" --dz-prefixes "204.16.243.243/32" --mgmt-vrf mgmt
 			doublezero device create --code ams-dz001 --contributor co01 --location ams --exchange xams --public-ip "195.219.138.50" --dz-prefixes "195.219.138.56/29" --mgmt-vrf mgmt
 
-			# TODO: When the controller supports dzd metadata, this will have to be updated to reflect actual interfaces
 			doublezero device interface create la2-dz01 "Switch1/1/1" physical
 			doublezero device interface create ny5-dz01 "Switch1/1/1" physical
 			doublezero device interface create ld4-dz01 "Switch1/1/1" physical
@@ -165,6 +170,13 @@ func TestE2E_DeviceTelemetry(t *testing.T) {
 			doublezero device interface create ty2-dz01 "Switch1/1/1" physical
 			doublezero device interface create pit-dzd01 "Switch1/1/1" physical
 			doublezero device interface create ams-dz001 "Switch1/1/1" physical
+
+			doublezero device interface create ld4-dz01 "Loopback255" loopback --loopback-type vpnv4
+			doublezero device interface create frk-dz01 "Loopback255" loopback --loopback-type vpnv4
+			doublezero device interface create sg1-dz01 "Loopback255" loopback --loopback-type vpnv4
+			doublezero device interface create ty2-dz01 "Loopback255" loopback --loopback-type vpnv4
+			doublezero device interface create pit-dzd01 "Loopback255" loopback --loopback-type vpnv4
+			doublezero device interface create ams-dz001 "Loopback255" loopback --loopback-type vpnv4
 	`})
 	require.NoError(t, err)
 
diff --git a/e2e/internal/devnet/device.go b/e2e/internal/devnet/device.go
index d2d069032..ca3fd794b 100644
--- a/e2e/internal/devnet/device.go
+++ b/e2e/internal/devnet/device.go
@@ -260,6 +260,7 @@ func (d *Device) Start(ctx context.Context) error {
 	commandArgs := []string{
 		"-controller", controllerAddr,
 		"-pubkey", onchainID,
+		"-verbose",
 	}
 
 	// Configure telemetry/metrics publisher keypair if set.
diff --git a/e2e/internal/devnet/devnet.go b/e2e/internal/devnet/devnet.go
index 524135e7e..ce08633a5 100644
--- a/e2e/internal/devnet/devnet.go
+++ b/e2e/internal/devnet/devnet.go
@@ -801,6 +801,19 @@ func generateKeypairIfNotExists(keypairPath string) (bool, error) {
 	return false, nil
 }
 
+func (d *Devnet) CreateDeviceVPNv4LoopbackInterface(ctx context.Context, deviceCode string) error {
+	d.log.Info("==> Creating VPNv4 loopback interface for device", "code", deviceCode)
+	d.onchainWriteMutex.Lock()
+	defer d.onchainWriteMutex.Unlock()
+
+	_, err := d.Manager.Exec(ctx, []string{"doublezero", "device", "interface", "create", deviceCode, "Loopback255", "loopback", "--loopback-type", "vpnv4"})
+	if err != nil {
+		return fmt.Errorf("failed to create VPNv4 loopback interface for device %s: %w", deviceCode, err)
+	}
+
+	return nil
+}
+
 func (d *Devnet) waitForContainerPortExposed(ctx context.Context, containerID string, port int, timeout time.Duration) (int, error) {
 	loggedWait := false
 	attempts := 0
diff --git a/e2e/main_test.go b/e2e/main_test.go
index 40a58732c..2f899a3a3 100644
--- a/e2e/main_test.go
+++ b/e2e/main_test.go
@@ -175,20 +175,21 @@ func (dn *TestDevnet) Start(t *testing.T) (*devnet.Device, *devnet.Client) {
 		echo "==> Populate device interface information onchain"
 		# TODO: When the controller supports dzd metadata, this will have to be updated to reflect actual interfaces
 		doublezero device interface create ny5-dz01 "Switch1/1/1" physical
-		doublezero device interface create ny5-dz01 "Loopback255" loopback --loopback-type vpnv4
 		doublezero device interface create la2-dz01 "Switch1/1/1" physical
-		doublezero device interface create la2-dz01 "Loopback255" loopback --loopback-type vpnv4
 		doublezero device interface create ld4-dz01 "Switch1/1/1" physical
-		doublezero device interface create ld4-dz01 "Loopback255" loopback --loopback-type vpnv4
 		doublezero device interface create frk-dz01 "Switch1/1/1" physical
-		doublezero device interface create frk-dz01 "Loopback255" loopback --loopback-type vpnv4
 		doublezero device interface create sg1-dz01 "Switch1/1/1" physical
-		doublezero device interface create sg1-dz01 "Loopback255" loopback --loopback-type vpnv4
 		doublezero device interface create ty2-dz01 "Switch1/1/1" physical
-		doublezero device interface create ty2-dz01 "Loopback255" loopback --loopback-type vpnv4
 		doublezero device interface create pit-dzd01 "Switch1/1/1" physical
-		doublezero device interface create pit-dzd01 "Loopback255" loopback --loopback-type vpnv4
 		doublezero device interface create ams-dz001 "Switch1/1/1" physical
+
+		doublezero device interface create ny5-dz01 "Loopback255" loopback --loopback-type vpnv4
+		doublezero device interface create la2-dz01 "Loopback255" loopback --loopback-type vpnv4
+		doublezero device interface create ld4-dz01 "Loopback255" loopback --loopback-type vpnv4
+		doublezero device interface create frk-dz01 "Loopback255" loopback --loopback-type vpnv4
+		doublezero device interface create sg1-dz01 "Loopback255" loopback --loopback-type vpnv4
+		doublezero device interface create ty2-dz01 "Loopback255" loopback --loopback-type vpnv4
+		doublezero device interface create pit-dzd01 "Loopback255" loopback --loopback-type vpnv4
 		doublezero device interface create ams-dz001 "Loopback255" loopback --loopback-type vpnv4
 
 		echo "==> Populate link information onchain"
diff --git a/e2e/multi_client_test.go b/e2e/multi_client_test.go
index 4cf1854e8..3e4640939 100644
--- a/e2e/multi_client_test.go
+++ b/e2e/multi_client_test.go
@@ -56,6 +56,9 @@ func TestE2E_MultiClient(t *testing.T) {
 	devicePK := device.ID
 	log.Info("--> Device added", "deviceCode", deviceCode, "devicePK", devicePK)
 
+	err = dn.CreateDeviceVPNv4LoopbackInterface(t.Context(), deviceCode)
+	require.NoError(t, err, "failed to create VPNv4 loopback interface for device %s: %w", deviceCode, err)
+
 	// Wait for device to exist onchain.
 	log.Info("==> Waiting for device to exist onchain")
 	serviceabilityClient, err := dn.Ledger.GetServiceabilityClient()
diff --git a/e2e/sdk_device_telemetry_test.go b/e2e/sdk_device_telemetry_test.go
index d735a1933..13ee5c9c5 100644
--- a/e2e/sdk_device_telemetry_test.go
+++ b/e2e/sdk_device_telemetry_test.go
@@ -68,6 +68,17 @@ func TestE2E_SDK_Telemetry_DeviceLatencySamples(t *testing.T) {
 		doublezero device interface create ld4-dz01 "Switch1/1/1" physical
 		doublezero device interface create frk-dz01 "Switch1/1/1" physical
 
+		doublezero device interface create la2-dz01 "Loopback255" loopback --loopback-type vpnv4
+		doublezero device interface create ny5-dz01 "Loopback255" loopback --loopback-type vpnv4
+		doublezero device interface create ld4-dz01 "Loopback255" loopback --loopback-type vpnv4
+		doublezero device interface create frk-dz01 "Loopback255" loopback --loopback-type vpnv4
+
+
+		doublezero device interface create la2-dz01 "Loopback255" loopback --loopback-type vpnv4
+		doublezero device interface create ny5-dz01 "Loopback255" loopback --loopback-type vpnv4
+		doublezero device interface create ld4-dz01 "Loopback255" loopback --loopback-type vpnv4
+		doublezero device interface create frk-dz01 "Loopback255" loopback --loopback-type vpnv4
+
 		doublezero link create wan --code "la2-dz01:ny5-dz01" --contributor co01 --side-a la2-dz01 --side-a-interface Switch1/1/1 --side-z ny5-dz01 --side-z-interface Switch1/1/1 --bandwidth "10 Gbps" --mtu 9000 --delay-ms 40 --jitter-ms 3
 		doublezero link create wan --code "ny5-dz01:ld4-dz01" --contributor co01 --side-a ny5-dz01 --side-a-interface Switch1/1/1 --side-z ld4-dz01 --side-z-interface Switch1/1/1 --bandwidth "10 Gbps" --mtu 9000 --delay-ms 30 --jitter-ms 3
 		doublezero link create wan --code "ld4-dz01:frk-dz01" --contributor co01 --side-a ld4-dz01 --side-a-interface Switch1/1/1 --side-z frk-dz01 --side-z-interface Switch1/1/1 --bandwidth "10 Gbps" --mtu 9000 --delay-ms 25 --jitter-ms 10

From 31c1c958da9a30026277c91150bd9bc0237ee430 Mon Sep 17 00:00:00 2001
From: Nik Weidenbacher <nik@malbeclabs.com>
Date: Sun, 3 Aug 2025 20:29:40 +0000
Subject: [PATCH 05/18] feat(controller): #1022 render IBGP peers

---
 .../internal/controller/server_test.go        | 26 +++++++++++++++++++
 e2e/device_telemetry_test.go                  |  4 +--
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/controlplane/controller/internal/controller/server_test.go b/controlplane/controller/internal/controller/server_test.go
index f94a92dfc..4fa83d6c0 100644
--- a/controlplane/controller/internal/controller/server_test.go
+++ b/controlplane/controller/internal/controller/server_test.go
@@ -333,6 +333,32 @@ func TestGetConfig(t *testing.T) {
 			Pubkey: "abc123",
 			Want:   "fixtures/nohardware.tunnel.txt",
 		},
+		{
+			Name:        "render_base_config_successfully",
+			Description: "render base configuration with BGP peers",
+			StateCache: stateCache{
+				Config: serviceability.Config{
+					MulticastGroupBlock: [5]uint8{239, 0, 0, 0, 24},
+				},
+				Vpnv4BgpPeers: []Vpnv4BgpPeer{
+					{
+						PeerIP:    net.IP{15, 15, 15, 15},
+						PeerName:  "remote-device",
+						SourceInt: "Loopback255",
+					},
+				},
+				Devices: map[string]*Device{
+					"abc123": {
+						PublicIP:        net.IP{7, 7, 7, 7},
+						Vpn4vLoopbackIP: net.IP{14, 14, 14, 14},
+						Tunnels:         []*Tunnel{},
+						TunnelSlots:     0,
+					},
+				},
+			},
+			Pubkey: "abc123",
+			Want:   "fixtures/device.txt",
+		},
 	}
 
 	for _, test := range tests {
diff --git a/e2e/device_telemetry_test.go b/e2e/device_telemetry_test.go
index 23809fa13..539e8a6f6 100644
--- a/e2e/device_telemetry_test.go
+++ b/e2e/device_telemetry_test.go
@@ -102,7 +102,7 @@ func TestE2E_DeviceTelemetry(t *testing.T) {
 		})
 		require.NoError(t, err)
 
-		err = dn.CreateDeviceVPNv4LoopbackInterface(t.Context(), "la2-dz01", "Loopback255")
+		err = dn.CreateDeviceVPNv4LoopbackInterface(t.Context(), "la2-dz01")
 		require.NoError(t, err, "failed to create VPNv4 loopback interface for device %s: %w", "la2-dz01", err)
 
 		// Wait for the telemetry publisher account to be funded.
@@ -142,7 +142,7 @@ func TestE2E_DeviceTelemetry(t *testing.T) {
 		})
 		require.NoError(t, err)
 
-		err = dn.CreateDeviceVPNv4LoopbackInterface(t.Context(), "ny5-dz01", "Loopback255")
+		err = dn.CreateDeviceVPNv4LoopbackInterface(t.Context(), "ny5-dz01")
 		require.NoError(t, err, "failed to create VPNv4 loopback interface for device %s: %w", "la2-dz01", err)
 
 		// Wait for the telemetry publisher account to be funded.

From 48c73db1663e0dec87b312ba24db31c20a2b801f Mon Sep 17 00:00:00 2001
From: Nik Weidenbacher <nik@malbeclabs.com>
Date: Sun, 3 Aug 2025 21:43:05 +0000
Subject: [PATCH 06/18] device.txt -> base.config.txt

---
 .../controller/fixtures/{device.txt => base.config.txt}       | 0
 controlplane/controller/internal/controller/render_test.go    | 2 +-
 controlplane/controller/internal/controller/server_test.go    | 4 ++--
 3 files changed, 3 insertions(+), 3 deletions(-)
 rename controlplane/controller/internal/controller/fixtures/{device.txt => base.config.txt} (100%)

diff --git a/controlplane/controller/internal/controller/fixtures/device.txt b/controlplane/controller/internal/controller/fixtures/base.config.txt
similarity index 100%
rename from controlplane/controller/internal/controller/fixtures/device.txt
rename to controlplane/controller/internal/controller/fixtures/base.config.txt
diff --git a/controlplane/controller/internal/controller/render_test.go b/controlplane/controller/internal/controller/render_test.go
index 4662e7949..f1f718117 100644
--- a/controlplane/controller/internal/controller/render_test.go
+++ b/controlplane/controller/internal/controller/render_test.go
@@ -393,7 +393,7 @@ func TestRenderConfig(t *testing.T) {
 					},
 				},
 			},
-			Want: "fixtures/device.txt",
+			Want: "fixtures/base.config.txt",
 		},
 	}
 
diff --git a/controlplane/controller/internal/controller/server_test.go b/controlplane/controller/internal/controller/server_test.go
index 4fa83d6c0..f4a034e8e 100644
--- a/controlplane/controller/internal/controller/server_test.go
+++ b/controlplane/controller/internal/controller/server_test.go
@@ -357,7 +357,7 @@ func TestGetConfig(t *testing.T) {
 				},
 			},
 			Pubkey: "abc123",
-			Want:   "fixtures/device.txt",
+			Want:   "fixtures/base.config.txt",
 		},
 	}
 
@@ -662,7 +662,7 @@ func TestStateCache(t *testing.T) {
 					MulticastGroupBlock: [5]uint8{239, 0, 0, 0, 24},
 				},
 				MulticastGroups: map[string]serviceability.MulticastGroup{},
-				Vpnv4BgpPeers:   nil, // No BGP peers since device is excluded
+				Vpnv4BgpPeers:   nil,                  // No BGP peers since device is excluded
 				Devices:         map[string]*Device{}, // Device should not be in cache
 			},
 		},

From f8962c06b9b25ce2231d7bf2fed56fee7aacabed Mon Sep 17 00:00:00 2001
From: Nik Weidenbacher <nik@malbeclabs.com>
Date: Mon, 4 Aug 2025 14:32:28 +0000
Subject: [PATCH 07/18] Peer removal

---
 .../controller/fixtures/e2e.peer.removal.txt  |  2 ++
 .../controller/internal/controller/server.go  | 16 +++++++++++---
 .../internal/controller/server_test.go        | 22 ++++++++++++++++---
 3 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/controlplane/controller/internal/controller/fixtures/e2e.peer.removal.txt b/controlplane/controller/internal/controller/fixtures/e2e.peer.removal.txt
index a0a1ea575..e7eca1997 100644
--- a/controlplane/controller/internal/controller/fixtures/e2e.peer.removal.txt
+++ b/controlplane/controller/internal/controller/fixtures/e2e.peer.removal.txt
@@ -212,6 +212,7 @@ router bgp 65342
    neighbor 169.254.0.3 maximum-accepted-routes 1
    address-family ipv4
       neighbor 169.254.0.3 activate
+   no neighbor 172.17.0.1
    no neighbor 169.254.0.7
    !
    vrf vrf1
@@ -227,6 +228,7 @@ router bgp 65342
       neighbor 169.254.0.1 route-map RM-USER-500-OUT out
       neighbor 169.254.0.1 maximum-routes 1
       neighbor 169.254.0.1 maximum-accepted-routes 1
+      no neighbor 172.17.0.1
       no neighbor 169.254.0.7
 !
 ip community-list COMM-ALL_USERS permit 21682:1200
diff --git a/controlplane/controller/internal/controller/server.go b/controlplane/controller/internal/controller/server.go
index e0d8fb1e0..ff16f31e6 100644
--- a/controlplane/controller/internal/controller/server.go
+++ b/controlplane/controller/internal/controller/server.go
@@ -392,13 +392,15 @@ func (c *Controller) GetConfig(ctx context.Context, req *pb.ConfigRequest) (*pb.
 	for _, peer := range req.GetBgpPeers() {
 		ip := net.ParseIP(peer)
 		if ip == nil {
-			slog.Error("malformed peer ip", "peer", peer)
 			continue
 		}
-		if !ip.IsLinkLocalUnicast() || peerFound(ip) {
+		if peerFound(ip) {
 			continue
 		}
-		unknownPeers = append(unknownPeers, ip)
+		// Only remove peers with addresses that DZ has assigned. This will avoid removal of contributor-configured peers like DIA.
+		if isIPInBlock(ip, c.cache.Config.UserTunnelBlock) || isIPInBlock(ip, c.cache.Config.TunnelTunnelBlock) {
+			unknownPeers = append(unknownPeers, ip)
+		}
 	}
 
 	if len(unknownPeers) != 0 {
@@ -431,3 +433,11 @@ func formatCIDR(b *[5]byte) string {
 	mask := net.CIDRMask(int(b[4]), 32)
 	return (&net.IPNet{IP: ip, Mask: mask}).String()
 }
+
+// isIPInBlock checks if an IP address is within a 5-byte network block
+func isIPInBlock(ip net.IP, block [5]uint8) bool {
+	network := net.IPv4(block[0], block[1], block[2], block[3])
+	mask := net.CIDRMask(int(block[4]), 32)
+	ipNet := &net.IPNet{IP: network, Mask: mask}
+	return ipNet.Contains(ip)
+}
diff --git a/controlplane/controller/internal/controller/server_test.go b/controlplane/controller/internal/controller/server_test.go
index f4a034e8e..035668af2 100644
--- a/controlplane/controller/internal/controller/server_test.go
+++ b/controlplane/controller/internal/controller/server_test.go
@@ -489,6 +489,14 @@ func TestStateCache(t *testing.T) {
 							Name:          "Loopback255",
 						},
 					},
+					DnsServers: [][4]uint8{
+						{8, 8, 8, 8},
+						{8, 8, 4, 4},
+					},
+					NtpServers: [][4]uint8{
+						{162, 159, 200, 1},
+						{198, 137, 202, 56},
+					},
 					Status: serviceability.DeviceStatusActivated,
 					Code:   "abc01",
 					PubKey: [32]byte{1},
@@ -612,6 +620,8 @@ func TestStateCache(t *testing.T) {
 							{Id: 563},
 						},
 						TunnelSlots: 64,
+						DnsServers:  []net.IP{{8, 8, 8, 8}, {8, 8, 4, 4}},
+						NtpServers:  []net.IP{{162, 159, 200, 1}, {198, 137, 202, 56}},
 						Interfaces: []serviceability.Interface{
 							{
 								InterfaceType: serviceability.InterfaceTypeLoopback,
@@ -836,6 +846,8 @@ func TestEndToEnd(t *testing.T) {
 			Name: "remove_unknown_peers_successfully",
 			Config: serviceability.Config{
 				MulticastGroupBlock: [5]uint8{239, 0, 0, 0, 24},
+				TunnelTunnelBlock:   [5]uint8{172, 17, 0, 0, 16},
+				UserTunnelBlock:     [5]uint8{169, 254, 0, 0, 16},
 			},
 			MulticastGroups: []serviceability.MulticastGroup{
 				{
@@ -898,9 +910,11 @@ func TestEndToEnd(t *testing.T) {
 			AgentRequest: &pb.ConfigRequest{
 				Pubkey: "4uQeVj5tqViQh7yWWGStvkEG1Zmhx6uasJtWCJziofM",
 				BgpPeers: []string{
-					"10.0.0.1",
-					"172.16.0.1",
-					"169.254.0.7",
+					"10.0.0.1",    // Not in any DZ block - should not be flagged for removal
+					"172.16.0.1",  // Not in any DZ block - should not be flagged for removal
+					"172.17.0.1",  // In TunnelTunnelBlock - should be flagged for removal
+					"169.254.0.7", // In UserTunnelBlock - should be flagged for removal
+					"169.254.0.3", // In UserTunnelBlock, but associated with a user - should not be flagged for removal
 				},
 			},
 			Want: "fixtures/e2e.peer.removal.txt",
@@ -909,6 +923,8 @@ func TestEndToEnd(t *testing.T) {
 			Name: "remove_last_user_from_device",
 			Config: serviceability.Config{
 				MulticastGroupBlock: [5]uint8{239, 0, 0, 0, 24},
+				TunnelTunnelBlock:   [5]uint8{172, 17, 0, 0, 16},
+				UserTunnelBlock:     [5]uint8{169, 254, 0, 0, 16},
 			},
 			Users: []serviceability.User{},
 			Devices: []serviceability.Device{

From f0cab179e48d79141c0072f2ed6752d943d0a9dc Mon Sep 17 00:00:00 2001
From: Nik Weidenbacher <nik@malbeclabs.com>
Date: Mon, 4 Aug 2025 19:25:26 +0000
Subject: [PATCH 08/18] address-family ipv4 / vpn-ipv4

---
 .../controller/fixtures/base.config.txt       |   4 +
 .../controller/fixtures/e2e.last.user.txt     |   5 +-
 .../controller/fixtures/e2e.peer.removal.txt  |   8 +-
 .../internal/controller/fixtures/e2e.txt      |   2 +
 .../controller/fixtures/mixed.tunnel.txt      |   2 +
 .../controller/fixtures/multicast.tunnel.txt  |   2 +
 .../controller/fixtures/nohardware.tunnel.txt |   2 +
 .../controller/fixtures/unicast.tunnel.txt    |   2 +
 .../fixtures/unknown.peer.removal.txt         |   5 +-
 .../internal/controller/templates/tunnel.tmpl |  21 +-
 controlplane/controller/q.html                | 978 ++++++++++++++++++
 11 files changed, 1024 insertions(+), 7 deletions(-)
 create mode 100644 controlplane/controller/q.html

diff --git a/controlplane/controller/internal/controller/fixtures/base.config.txt b/controlplane/controller/internal/controller/fixtures/base.config.txt
index b05750940..923516efa 100644
--- a/controlplane/controller/internal/controller/fixtures/base.config.txt
+++ b/controlplane/controller/internal/controller/fixtures/base.config.txt
@@ -56,6 +56,10 @@ router bgp 65342
    neighbor 15.15.15.15 description remote-device
    neighbor 15.15.15.15 send-community
    address-family ipv4
+      no neighbor 15.15.15.15 activate
+   !
+   address-family vpn-ipv4
+      neighbor 15.15.15.15 activate
    !
    vrf vrf1
       rd 65342:1
diff --git a/controlplane/controller/internal/controller/fixtures/e2e.last.user.txt b/controlplane/controller/internal/controller/fixtures/e2e.last.user.txt
index aa900127e..295bec73a 100644
--- a/controlplane/controller/internal/controller/fixtures/e2e.last.user.txt
+++ b/controlplane/controller/internal/controller/fixtures/e2e.last.user.txt
@@ -178,7 +178,10 @@ default interface Tunnel563
 router bgp 65342
    router-id 14.14.14.14
    address-family ipv4
-   no neighbor 169.254.0.13
+      no neighbor 169.254.0.13
+   !
+   address-family vpn-ipv4
+      no neighbor 169.254.0.13
    !
    vrf vrf1
       rd 65342:1
diff --git a/controlplane/controller/internal/controller/fixtures/e2e.peer.removal.txt b/controlplane/controller/internal/controller/fixtures/e2e.peer.removal.txt
index e7eca1997..77790ed7d 100644
--- a/controlplane/controller/internal/controller/fixtures/e2e.peer.removal.txt
+++ b/controlplane/controller/internal/controller/fixtures/e2e.peer.removal.txt
@@ -212,8 +212,12 @@ router bgp 65342
    neighbor 169.254.0.3 maximum-accepted-routes 1
    address-family ipv4
       neighbor 169.254.0.3 activate
-   no neighbor 172.17.0.1
-   no neighbor 169.254.0.7
+      no neighbor 172.17.0.1
+      no neighbor 169.254.0.7
+   !
+   address-family vpn-ipv4
+      no neighbor 172.17.0.1
+      no neighbor 169.254.0.7
    !
    vrf vrf1
       rd 65342:1
diff --git a/controlplane/controller/internal/controller/fixtures/e2e.txt b/controlplane/controller/internal/controller/fixtures/e2e.txt
index bd709a494..dd5bb1618 100644
--- a/controlplane/controller/internal/controller/fixtures/e2e.txt
+++ b/controlplane/controller/internal/controller/fixtures/e2e.txt
@@ -213,6 +213,8 @@ router bgp 65342
    address-family ipv4
       neighbor 169.254.0.3 activate
    !
+   address-family vpn-ipv4
+   !
    vrf vrf1
       rd 65342:1
       route-target import vpn-ipv4 65342:1
diff --git a/controlplane/controller/internal/controller/fixtures/mixed.tunnel.txt b/controlplane/controller/internal/controller/fixtures/mixed.tunnel.txt
index ec8b497b9..504598394 100644
--- a/controlplane/controller/internal/controller/fixtures/mixed.tunnel.txt
+++ b/controlplane/controller/internal/controller/fixtures/mixed.tunnel.txt
@@ -141,6 +141,8 @@ router bgp 65342
       neighbor 169.254.0.5 activate
       neighbor 169.254.0.7 activate
    !
+   address-family vpn-ipv4
+   !
    vrf vrf1
       rd 65342:1
       route-target import vpn-ipv4 65342:1
diff --git a/controlplane/controller/internal/controller/fixtures/multicast.tunnel.txt b/controlplane/controller/internal/controller/fixtures/multicast.tunnel.txt
index da42b8157..b5469259c 100644
--- a/controlplane/controller/internal/controller/fixtures/multicast.tunnel.txt
+++ b/controlplane/controller/internal/controller/fixtures/multicast.tunnel.txt
@@ -128,6 +128,8 @@ router bgp 65342
       neighbor 169.254.0.3 activate
       neighbor 169.254.0.5 activate
    !
+   address-family vpn-ipv4
+   !
    vrf vrf1
       rd 65342:1
       route-target import vpn-ipv4 65342:1
diff --git a/controlplane/controller/internal/controller/fixtures/nohardware.tunnel.txt b/controlplane/controller/internal/controller/fixtures/nohardware.tunnel.txt
index 7e2e99fce..b0d5c634a 100644
--- a/controlplane/controller/internal/controller/fixtures/nohardware.tunnel.txt
+++ b/controlplane/controller/internal/controller/fixtures/nohardware.tunnel.txt
@@ -136,6 +136,8 @@ router bgp 65342
       neighbor 169.254.0.5 activate
       neighbor 169.254.0.7 activate
    !
+   address-family vpn-ipv4
+   !
    vrf vrf1
       rd 65342:1
       route-target import vpn-ipv4 65342:1
diff --git a/controlplane/controller/internal/controller/fixtures/unicast.tunnel.txt b/controlplane/controller/internal/controller/fixtures/unicast.tunnel.txt
index 49eecfec3..b02ca6e25 100644
--- a/controlplane/controller/internal/controller/fixtures/unicast.tunnel.txt
+++ b/controlplane/controller/internal/controller/fixtures/unicast.tunnel.txt
@@ -90,6 +90,8 @@ router bgp 65342
    router-id 14.14.14.14
    address-family ipv4
    !
+   address-family vpn-ipv4
+   !
    vrf vrf1
       rd 65342:1
       route-target import vpn-ipv4 65342:1
diff --git a/controlplane/controller/internal/controller/fixtures/unknown.peer.removal.txt b/controlplane/controller/internal/controller/fixtures/unknown.peer.removal.txt
index c26702b04..2d07a9e91 100644
--- a/controlplane/controller/internal/controller/fixtures/unknown.peer.removal.txt
+++ b/controlplane/controller/internal/controller/fixtures/unknown.peer.removal.txt
@@ -89,7 +89,10 @@ interface Tunnel502
 router bgp 65342
    router-id 14.14.14.14
    address-family ipv4
-   no neighbor 169.254.0.7
+      no neighbor 169.254.0.7
+   !
+   address-family vpn-ipv4
+      no neighbor 169.254.0.7
    !
    vrf vrf1
       rd 65342:1
diff --git a/controlplane/controller/internal/controller/templates/tunnel.tmpl b/controlplane/controller/internal/controller/templates/tunnel.tmpl
index d02f03291..9d3507c9f 100644
--- a/controlplane/controller/internal/controller/templates/tunnel.tmpl
+++ b/controlplane/controller/internal/controller/templates/tunnel.tmpl
@@ -113,10 +113,25 @@ router bgp 65342
       neighbor {{ .OverlayDstIP }} activate
    {{- end }}
    {{- end }}
+   {{- range .Vpnv4BgpPeers }}
+   {{- if ne .PeerIP.String $.Device.Vpn4vLoopbackIP.String }}
+      no neighbor {{ .PeerIP }} activate
+   {{- end }}
+   {{- end }}
    {{- range .UnknownBgpPeers }}
-   no neighbor {{ . }}
+      no neighbor {{ . }}
    {{- end }}
    !
+   address-family vpn-ipv4
+      {{- range .Vpnv4BgpPeers }}
+      {{- if ne .PeerIP.String $.Device.Vpn4vLoopbackIP.String }}
+      neighbor {{ .PeerIP }} activate
+      {{- end }}
+      {{- end }}
+      {{- range .UnknownBgpPeers }}
+      no neighbor {{ . }}
+      {{- end }}
+   !
    vrf vrf1
       rd 65342:1
       route-target import vpn-ipv4 65342:1
@@ -136,9 +151,9 @@ router bgp 65342
       {{- end }}
       {{- end }}
       {{- end }}
-{{- range .UnknownBgpPeers }}
+      {{- range .UnknownBgpPeers }}
       no neighbor {{ . }}
-{{- end }}
+      {{- end }}
 !
 ip community-list COMM-ALL_USERS permit 21682:1200
 ip community-list COMM-ALL_MCAST_USERS permit 21682:1300
diff --git a/controlplane/controller/q.html b/controlplane/controller/q.html
new file mode 100644
index 000000000..139a37ba9
--- /dev/null
+++ b/controlplane/controller/q.html
@@ -0,0 +1,978 @@
+
+<!DOCTYPE html>
+<html>
+	<head>
+		<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+		<title>controller: Go Coverage Report</title>
+		<style>
+			body {
+				background: black;
+				color: rgb(80, 80, 80);
+			}
+			body, pre, #legend span {
+				font-family: Menlo, monospace;
+				font-weight: bold;
+			}
+			#topbar {
+				background: black;
+				position: fixed;
+				top: 0; left: 0; right: 0;
+				height: 42px;
+				border-bottom: 1px solid rgb(80, 80, 80);
+			}
+			#content {
+				margin-top: 50px;
+			}
+			#nav, #legend {
+				float: left;
+				margin-left: 10px;
+			}
+			#legend {
+				margin-top: 12px;
+			}
+			#nav {
+				margin-top: 10px;
+			}
+			#legend span {
+				margin: 0 5px;
+			}
+			.cov0 { color: rgb(192, 0, 0) }
+.cov1 { color: rgb(128, 128, 128) }
+.cov2 { color: rgb(116, 140, 131) }
+.cov3 { color: rgb(104, 152, 134) }
+.cov4 { color: rgb(92, 164, 137) }
+.cov5 { color: rgb(80, 176, 140) }
+.cov6 { color: rgb(68, 188, 143) }
+.cov7 { color: rgb(56, 200, 146) }
+.cov8 { color: rgb(44, 212, 149) }
+.cov9 { color: rgb(32, 224, 152) }
+.cov10 { color: rgb(20, 236, 155) }
+
+		</style>
+	</head>
+	<body>
+		<div id="topbar">
+			<div id="nav">
+				<select id="files">
+				
+				<option value="file0">github.com/malbeclabs/doublezero/controlplane/controller/cmd/controller/main.go (0.0%)</option>
+				
+				<option value="file1">github.com/malbeclabs/doublezero/controlplane/controller/internal/controller/metrics.go (100.0%)</option>
+				
+				<option value="file2">github.com/malbeclabs/doublezero/controlplane/controller/internal/controller/models.go (90.0%)</option>
+				
+				<option value="file3">github.com/malbeclabs/doublezero/controlplane/controller/internal/controller/render.go (71.4%)</option>
+				
+				<option value="file4">github.com/malbeclabs/doublezero/controlplane/controller/internal/controller/server.go (79.4%)</option>
+				
+				</select>
+			</div>
+			<div id="legend">
+				<span>not tracked</span>
+			
+				<span class="cov0">no coverage</span>
+				<span class="cov1">low coverage</span>
+				<span class="cov2">*</span>
+				<span class="cov3">*</span>
+				<span class="cov4">*</span>
+				<span class="cov5">*</span>
+				<span class="cov6">*</span>
+				<span class="cov7">*</span>
+				<span class="cov8">*</span>
+				<span class="cov9">*</span>
+				<span class="cov10">high coverage</span>
+			
+			</div>
+		</div>
+		<div id="content">
+		
+		<pre class="file" id="file0" style="display: none">package main
+
+import (
+        "context"
+        "errors"
+        "flag"
+        "fmt"
+        "log/slog"
+        "net"
+        "os"
+        "os/signal"
+        "strings"
+        "syscall"
+        "text/tabwriter"
+        "time"
+
+        "google.golang.org/grpc"
+        "google.golang.org/grpc/credentials/insecure"
+
+        "github.com/malbeclabs/doublezero/controlplane/controller/internal/controller"
+        pb "github.com/malbeclabs/doublezero/controlplane/proto/controller/gen/pb-go"
+)
+
+var (
+        // set by LDFLAGS
+        version = "dev"
+        commit  = "none"
+        date    = "unknown"
+)
+
+type Runner interface {
+        Init([]string) error
+        Run() error
+        Name() string
+        Fs() *flag.FlagSet
+        Description() string
+}
+
+func NewAgentCommand() *AgentCommand <span class="cov0" title="0">{
+        a := &amp;AgentCommand{
+                fs:          flag.NewFlagSet("agent", flag.ExitOnError),
+                description: "command set for interacting with controller",
+        }
+        a.fs.StringVar(&amp;a.pubkey, "device-pubkey", "", "pubkey of device which to fetch config")
+        a.fs.StringVar(&amp;a.controllerAddr, "controller-addr", "localhost", "listening address of controller")
+        a.fs.StringVar(&amp;a.controllerPort, "controller-port", "443", "listening port of controller")
+        a.fs.StringVar(&amp;a.unknownPeers, "unknown-peers", "", "comma separated list of unknown peers to remove from config")
+        return a
+}</span>
+
+type AgentCommand struct {
+        fs             *flag.FlagSet
+        description    string
+        pubkey         string
+        controllerAddr string
+        controllerPort string
+        unknownPeers   string
+}
+
+func (a *AgentCommand) Fs() *flag.FlagSet <span class="cov0" title="0">{
+        return a.fs
+}</span>
+
+func (a *AgentCommand) Name() string <span class="cov0" title="0">{
+        return a.fs.Name()
+}</span>
+
+func (a *AgentCommand) Description() string <span class="cov0" title="0">{
+        return a.description
+}</span>
+
+func (a *AgentCommand) Init(args []string) error <span class="cov0" title="0">{
+        return a.fs.Parse(args)
+}</span>
+
+func (a *AgentCommand) Run() error <span class="cov0" title="0">{
+        target := net.JoinHostPort(a.controllerAddr, a.controllerPort)
+
+        ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+        opts := []grpc.DialOption{
+                grpc.WithTransportCredentials(insecure.NewCredentials()),
+        }
+        conn, err := grpc.NewClient(target, opts...)
+        if err != nil </span><span class="cov0" title="0">{
+                slog.Error("error creating controller client", "error", err)
+                os.Exit(1)
+        }</span>
+        <span class="cov0" title="0">defer conn.Close()
+        defer cancel()
+
+        unknownPeers := []string{}
+        if a.unknownPeers != "" </span><span class="cov0" title="0">{
+                unknownPeers = append(unknownPeers, strings.Split(a.unknownPeers, ",")...)
+        }</span>
+        <span class="cov0" title="0">agent := pb.NewControllerClient(conn)
+        got, err := agent.GetConfig(ctx, &amp;pb.ConfigRequest{Pubkey: a.pubkey, BgpPeers: unknownPeers})
+        if err != nil </span><span class="cov0" title="0">{
+                slog.Error("error while fetching config", "error", err)
+                os.Exit(1)
+        }</span>
+        <span class="cov0" title="0">fmt.Println(got.Config)
+        return nil</span>
+}
+
+func NewControllerCommand() *ControllerCommand <span class="cov0" title="0">{
+        c := &amp;ControllerCommand{
+                fs:          flag.NewFlagSet("start", flag.ExitOnError),
+                description: "command set for starting controller",
+        }
+        c.fs.StringVar(&amp;c.listenAddr, "listen-addr", "localhost", "listening address for controller grpc server")
+        c.fs.StringVar(&amp;c.listenPort, "listen-port", "443", "listening port for controller grpc server")
+        c.fs.StringVar(&amp;c.programId, "program-id", "", "smartcontract program id to monitor")
+        c.fs.StringVar(&amp;c.rpcEndpoint, "solana-rpc-endpoint", "", "override solana rpc endpoint (default: devnet)")
+        c.fs.BoolVar(&amp;c.noHardware, "no-hardware", false, "exclude config commands that will fail when not running on the real hardware")
+        c.fs.BoolVar(&amp;c.showVersion, "version", false, "show version information and exit")
+        return c
+}</span>
+
+type ControllerCommand struct {
+        fs          *flag.FlagSet
+        description string
+        listenAddr  string
+        listenPort  string
+        programId   string
+        rpcEndpoint string
+        noHardware  bool
+        showVersion bool
+}
+
+func (c *ControllerCommand) Fs() *flag.FlagSet <span class="cov0" title="0">{
+        return c.fs
+}</span>
+
+func (c *ControllerCommand) Name() string <span class="cov0" title="0">{
+        return c.fs.Name()
+}</span>
+
+func (c *ControllerCommand) Description() string <span class="cov0" title="0">{
+        return c.description
+}</span>
+
+func (c *ControllerCommand) Init(args []string) error <span class="cov0" title="0">{
+        return c.fs.Parse(args)
+}</span>
+
+func (c *ControllerCommand) Run() error <span class="cov0" title="0">{
+        if c.showVersion </span><span class="cov0" title="0">{
+                fmt.Printf("version: %s, commit: %s, date: %s\n", version, commit, date)
+                os.Exit(0)
+        }</span>
+
+        // set build info prometheus metric
+        <span class="cov0" title="0">controller.BuildInfo.WithLabelValues(version, commit, date).Set(1)
+
+        // start controller
+        ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
+        defer stop()
+
+        options := []controller.Option{}
+        if c.programId != "" </span><span class="cov0" title="0">{
+                options = append(options, controller.WithProgramId(c.programId))
+        }</span>
+
+        <span class="cov0" title="0">if c.rpcEndpoint != "" </span><span class="cov0" title="0">{
+                options = append(options, controller.WithRpcEndpoint(c.rpcEndpoint))
+        }</span>
+
+        <span class="cov0" title="0">if c.noHardware </span><span class="cov0" title="0">{
+                options = append(options, controller.WithNoHardware())
+        }</span>
+
+        <span class="cov0" title="0">lis, err := net.Listen("tcp", net.JoinHostPort(c.listenAddr, c.listenPort))
+        if err != nil </span><span class="cov0" title="0">{
+                slog.Error("failed to listen", "error", err)
+                os.Exit(1)
+        }</span>
+        <span class="cov0" title="0">options = append(options, controller.WithListener(lis))
+        control, err := controller.NewController(options...)
+        if err != nil </span><span class="cov0" title="0">{
+                slog.Error("error creating controller", "error", err)
+                os.Exit(1)
+        }</span>
+
+        <span class="cov0" title="0">slog.Log(ctx, slog.LevelInfo, fmt.Sprintf("starting controller on %s", net.JoinHostPort(c.listenAddr, c.listenPort)))
+        if err := control.Run(ctx); err != nil </span><span class="cov0" title="0">{
+                slog.Error("runtime error", "error", err)
+                os.Exit(1)
+        }</span>
+        <span class="cov0" title="0">return nil</span>
+}
+
+func root(args []string) error <span class="cov0" title="0">{
+        cmds := []Runner{
+                NewAgentCommand(),
+                NewControllerCommand(),
+        }
+
+        flag.Usage = func() </span><span class="cov0" title="0">{
+                fmt.Fprintf(os.Stderr, "\nUsage:\n\n")
+                w := tabwriter.NewWriter(os.Stderr, 0, 0, 3, ' ', 0)
+                for _, cmd := range cmds </span><span class="cov0" title="0">{
+                        fmt.Fprintf(w, "\t%s\t%s\t\n", cmd.Name(), cmd.Description())
+                }</span>
+                <span class="cov0" title="0">w.Flush()</span>
+        }
+
+        <span class="cov0" title="0">if len(args) &lt; 1 </span><span class="cov0" title="0">{
+                return errors.New("error: you must pass a sub-command")
+        }</span>
+
+        <span class="cov0" title="0">subcommand := os.Args[1]
+
+        for _, cmd := range cmds </span><span class="cov0" title="0">{
+                if cmd.Name() == subcommand </span><span class="cov0" title="0">{
+                        cmd.Init(os.Args[2:]) // nolint:all
+                        return cmd.Run()
+                }</span>
+        }
+
+        <span class="cov0" title="0">return fmt.Errorf("unknown subcommand: %s", subcommand)</span>
+}
+
+func main() <span class="cov0" title="0">{
+
+        opts := &amp;slog.HandlerOptions{}
+        logger := slog.New(slog.NewJSONHandler(os.Stdout, opts))
+        slog.SetDefault(logger)
+
+        if err := root(os.Args[1:]); err != nil </span><span class="cov0" title="0">{
+                fmt.Println(err)
+                flag.Usage()
+                os.Exit(1)
+        }</span>
+        <span class="cov0" title="0">flag.Parse()</span>
+}
+</pre>
+		
+		<pre class="file" id="file1" style="display: none">package controller
+
+import (
+        "github.com/prometheus/client_golang/prometheus"
+)
+
+var (
+        BuildInfo = prometheus.NewGaugeVec(prometheus.GaugeOpts{
+                Name: "controller_build_info",
+                Help: "Build information of the agent",
+        },
+                []string{"version", "commit", "date"},
+        )
+
+        // gRPC metrics
+        getConfigPubkeyErrors = prometheus.NewCounterVec(prometheus.CounterOpts{
+                Name: "controller_grpc_getconfig_pubkey_errors_total",
+                Help: "The total number of missing pubkeys in cache",
+        },
+                []string{"pubkey"},
+        )
+
+        getConfigRenderErrors = prometheus.NewCounterVec(prometheus.CounterOpts{
+                Name: "controller_grpc_getconfig_render_errors_total",
+                Help: "The total number of failed config renderings",
+        },
+                []string{"pubkey"},
+        )
+
+        getConfigOps = prometheus.NewCounterVec(prometheus.CounterOpts{
+                Name: "controller_grpc_getconfig_requests_total",
+                Help: "The total number of getconfig requests",
+        },
+                []string{"pubkey"},
+        )
+
+        // cache update metrics
+        cacheUpdateErrors = prometheus.NewCounter(prometheus.CounterOpts{
+                Name: "controller_cache_update_errors_total",
+                Help: "The total number of cache update errors",
+        })
+
+        cacheUpdateFetchErrors = prometheus.NewCounter(prometheus.CounterOpts{
+                Name: "controller_cache_update_fetch_errors_total",
+                Help: "The total number of cache update errors from fetching on-chain data",
+        })
+
+        cacheUpdateOps = prometheus.NewCounter(prometheus.CounterOpts{
+                Name: "controller_cache_update_ops_total",
+                Help: "The total number of cache update ops",
+        })
+)
+
+func init() <span class="cov8" title="1">{
+        // build info
+        prometheus.MustRegister(BuildInfo)
+
+        // gRPC metrics
+        prometheus.MustRegister(getConfigPubkeyErrors)
+        prometheus.MustRegister(getConfigRenderErrors)
+        prometheus.MustRegister(getConfigOps)
+
+        // cache update metrics
+        prometheus.MustRegister(cacheUpdateErrors)
+        prometheus.MustRegister(cacheUpdateFetchErrors)
+        prometheus.MustRegister(cacheUpdateOps)
+}</span>
+</pre>
+		
+		<pre class="file" id="file2" style="display: none">package controller
+
+import (
+        "net"
+
+        "github.com/malbeclabs/doublezero/smartcontract/sdk/go/serviceability"
+)
+
+var (
+        // maximum number of tunnels to provision on a given device
+        maxTunnelSlots     = 64
+        startUserTunnelNum = 500
+)
+
+type Device struct {
+        PubKey          string
+        PublicIP        net.IP
+        Vpn4vLoopbackIP net.IP
+        Tunnels         []*Tunnel
+        TunnelSlots     int
+        MgmtVrf         string
+        DnsServers      []net.IP
+        NtpServers      []net.IP
+        Interfaces      []serviceability.Interface
+}
+
+func NewDevice(ip net.IP, publicKey string) *Device <span class="cov3" title="5">{
+        tunnels := []*Tunnel{}
+        for i := 0; i &lt; maxTunnelSlots; i++ </span><span class="cov10" title="320">{
+                id := startUserTunnelNum + i
+                tunnel := &amp;Tunnel{
+                        Id:        id,
+                        Allocated: false,
+                }
+                tunnels = append(tunnels, tunnel)
+        }</span>
+        <span class="cov3" title="5">return &amp;Device{
+                PublicIP:    ip,
+                PubKey:      publicKey,
+                Tunnels:     tunnels,
+                TunnelSlots: maxTunnelSlots,
+        }</span>
+}
+
+func (d *Device) findTunnel(id int) *Tunnel <span class="cov3" title="6">{
+        for _, tunnel := range d.Tunnels </span><span class="cov4" title="9">{
+                if tunnel.Id == id </span><span class="cov3" title="6">{
+                        return tunnel
+                }</span>
+        }
+        <span class="cov0" title="0">return nil</span>
+}
+
+type Tunnel struct {
+        Id                    int
+        UnderlaySrcIP         net.IP
+        UnderlayDstIP         net.IP
+        OverlaySrcIP          net.IP // This needs to be derived based on the tunnel net
+        OverlayDstIP          net.IP // This needs to be derived based on the tunnel net
+        DzIp                  net.IP
+        PubKey                string
+        Allocated             bool
+        IsMulticast           bool
+        MulticastBoundaryList []net.IP
+        MulticastSubscribers  []net.IP
+        MulticastPublishers   []net.IP
+}
+
+type Vpnv4BgpPeer struct {
+        PeerIP    net.IP
+        PeerName  string
+        SourceInt string
+}
+
+type templateData struct {
+        Device                   *Device
+        Vpnv4BgpPeers            []Vpnv4BgpPeer
+        UnknownBgpPeers          []net.IP
+        MulticastGroupBlock      string
+        NoHardware               bool
+        TelemetryTWAMPListenPort int
+}
+</pre>
+		
+		<pre class="file" id="file3" style="display: none">package controller
+
+import (
+        "bytes"
+        "embed"
+        "fmt"
+        "text/template"
+)
+
+//go:embed templates/*
+var f embed.FS
+
+func renderConfig(data templateData) (string, error) <span class="cov10" title="14">{
+        t, err := template.New("tunnel.tmpl").ParseFS(f, "templates/tunnel.tmpl")
+        if err != nil </span><span class="cov0" title="0">{
+                return "", fmt.Errorf("error loading tunnel template: %v", err)
+        }</span>
+        <span class="cov10" title="14">var output bytes.Buffer
+        if err = t.Execute(&amp;output, data); err != nil </span><span class="cov0" title="0">{
+                return "", fmt.Errorf("error executing template: %v", err)
+        }</span>
+        <span class="cov10" title="14">return output.String(), nil</span>
+}
+</pre>
+		
+		<pre class="file" id="file4" style="display: none">package controller
+
+import (
+        "context"
+        "fmt"
+        "log/slog"
+        "net"
+        "net/http"
+        "sort"
+        "sync"
+        "time"
+
+        "github.com/gagliardetto/solana-go"
+        "github.com/gagliardetto/solana-go/rpc"
+        pb "github.com/malbeclabs/doublezero/controlplane/proto/controller/gen/pb-go"
+        telemetryconfig "github.com/malbeclabs/doublezero/controlplane/telemetry/pkg/config"
+        dzsdk "github.com/malbeclabs/doublezero/smartcontract/sdk/go"
+        "github.com/malbeclabs/doublezero/smartcontract/sdk/go/serviceability"
+        "github.com/mr-tron/base58"
+        "github.com/prometheus/client_golang/prometheus/promhttp"
+        "google.golang.org/grpc"
+        "google.golang.org/grpc/codes"
+        "google.golang.org/grpc/status"
+)
+
+type accountFetcher interface {
+        GetProgramData(context.Context) (*serviceability.ProgramData, error)
+}
+
+type stateCache struct {
+        Config          serviceability.Config
+        Devices         map[string]*Device
+        MulticastGroups map[string]serviceability.MulticastGroup
+        Vpnv4BgpPeers   []Vpnv4BgpPeer
+}
+
+type Controller struct {
+        pb.UnimplementedControllerServer
+
+        cache stateCache
+        mu    sync.RWMutex
+        accountFetcher
+        listener    net.Listener
+        programId   string
+        rpcEndpoint string
+        noHardware  bool
+        updateDone  chan struct{}
+}
+
+type Option func(*Controller)
+
+func NewController(options ...Option) (*Controller, error) <span class="cov3" title="7">{
+        controller := &amp;Controller{
+                cache: stateCache{},
+        }
+        for _, o := range options </span><span class="cov5" title="17">{
+                o(controller)
+        }</span>
+        <span class="cov3" title="7">if controller.listener == nil </span><span class="cov0" title="0">{
+                lis, err := net.Listen("tcp", fmt.Sprintf("localhost:%d", 443))
+                if err != nil </span><span class="cov0" title="0">{
+                        return nil, fmt.Errorf("failed to listen: %v", err)
+                }</span>
+                <span class="cov0" title="0">controller.listener = lis</span>
+        }
+        <span class="cov3" title="7">if controller.accountFetcher == nil </span><span class="cov2" title="2">{
+                if controller.programId == "" </span><span class="cov1" title="1">{
+                        controller.programId = serviceability.SERVICEABILITY_PROGRAM_ID_TESTNET
+                }</span>
+                <span class="cov2" title="2">programID, err := solana.PublicKeyFromBase58(controller.programId)
+                if err != nil </span><span class="cov0" title="0">{
+                        return nil, fmt.Errorf("invalid program id %s: %v", controller.programId, err)
+                }</span>
+                <span class="cov2" title="2">if controller.rpcEndpoint == "" </span><span class="cov1" title="1">{
+                        controller.rpcEndpoint = dzsdk.DZ_LEDGER_RPC_URL
+                }</span>
+                <span class="cov2" title="2">client := serviceability.New(rpc.New(controller.rpcEndpoint), programID)
+                controller.accountFetcher = client</span>
+        }
+        <span class="cov3" title="7">return controller, nil</span>
+}
+
+func WithAccountFetcher(f accountFetcher) Option <span class="cov3" title="5">{
+        return func(c *Controller) </span><span class="cov3" title="5">{
+                c.accountFetcher = f
+        }</span>
+}
+
+func WithProgramId(programId string) Option <span class="cov1" title="1">{
+        return func(c *Controller) </span><span class="cov1" title="1">{
+                c.programId = programId
+        }</span>
+}
+
+func WithRpcEndpoint(rpcEndpoint string) Option <span class="cov1" title="1">{
+        return func(c *Controller) </span><span class="cov1" title="1">{
+                c.rpcEndpoint = rpcEndpoint
+        }</span>
+}
+
+// WithListener provides a way to assign a custom listener for the gRPC server.
+// If no listener is passed, the controller will listen on localhost.
+func WithListener(listener net.Listener) Option <span class="cov3" title="7">{
+        return func(c *Controller) </span><span class="cov3" title="7">{
+                c.listener = listener
+        }</span>
+}
+
+// WithSignalChan provides a way to be signaled when the local state cache
+// has been updated. This is used for testing.
+func WithSignalChan(ch chan struct{}) Option <span class="cov2" title="3">{
+        return func(c *Controller) </span><span class="cov2" title="3">{
+                c.updateDone = ch
+        }</span>
+}
+
+// WithNoHardware provides a way to exclude rendering config commands that will fail when not
+// running on the real hardware.
+func WithNoHardware() Option <span class="cov0" title="0">{
+        return func(c *Controller) </span><span class="cov0" title="0">{
+                c.noHardware = true
+        }</span>
+}
+
+// updateStateCache fetches the latest on-chain data for devices/users and config. User accounts
+// are converted into a list of tunnels, stored under their respective device, and placed in a map,
+// keyed by the device's public key.
+func (c *Controller) updateStateCache(ctx context.Context) error <span class="cov3" title="5">{
+        data, err := c.accountFetcher.GetProgramData(ctx)
+        if err != nil </span><span class="cov0" title="0">{
+                cacheUpdateFetchErrors.Inc()
+                return fmt.Errorf("error while loading program data: %v", err)
+        }</span>
+
+        <span class="cov3" title="5">devices := data.Devices
+        if len(devices) == 0 </span><span class="cov0" title="0">{
+                return fmt.Errorf("0 devices found on-chain")
+        }</span>
+        <span class="cov3" title="5">users := data.Users
+        if len(users) == 0 </span><span class="cov1" title="1">{
+                slog.Debug("0 users found on-chain")
+        }</span>
+        <span class="cov3" title="5">cache := stateCache{
+                Config:          data.Config,
+                Devices:         make(map[string]*Device),
+                MulticastGroups: make(map[string]serviceability.MulticastGroup),
+        }
+
+        // build cache of devices
+        for _, device := range devices </span><span class="cov3" title="5">{
+                ip := net.IP(device.PublicIp[:])
+                if ip == nil </span><span class="cov0" title="0">{
+                        // TODO: metric
+                        slog.Error("invalid public ip for device", "device pubkey", device.PubKey)
+                        continue</span>
+                }
+                <span class="cov3" title="5">devicePubKey := base58.Encode(device.PubKey[:])
+                d := NewDevice(ip, devicePubKey)
+
+                d.MgmtVrf = device.MgmtVrf
+                d.Interfaces = device.Interfaces
+
+                // Build Vpnv4BgpPeers from device interfaces
+                for _, iface := range device.Interfaces </span><span class="cov3" title="4">{
+                        if iface.InterfaceType == serviceability.InterfaceTypeLoopback &amp;&amp;
+                                iface.LoopbackType == serviceability.LoopbackTypeVpnv4 </span><span class="cov3" title="4">{
+                                // Extract IP from IpNet
+                                ip := net.IP(iface.IpNet[:4])
+                                d.Vpn4vLoopbackIP = ip
+                                // TODO: raise an error if the IP is 0.0.0.0 (not set)
+                                peer := Vpnv4BgpPeer{
+                                        PeerIP:    ip,
+                                        PeerName:  device.Code,
+                                        SourceInt: iface.Name,
+                                }
+                                cache.Vpnv4BgpPeers = append(cache.Vpnv4BgpPeers, peer)
+                        }</span>
+                }
+
+                <span class="cov3" title="5">if d.Vpn4vLoopbackIP == nil </span><span class="cov1" title="1">{
+                        slog.Error("not adding device to cache", "device pubkey", devicePubKey, "reason", "VPNv4 loopback interface found for device")
+                        continue</span>
+                }
+
+                <span class="cov3" title="4">if len(device.DnsServers) &gt; 0 </span><span class="cov1" title="1">{
+                        d.DnsServers = make([]net.IP, len(device.DnsServers))
+                        for i, dns := range device.DnsServers </span><span class="cov2" title="2">{
+                                d.DnsServers[i] = net.IP(dns[:])
+                        }</span>
+                }
+
+                <span class="cov3" title="4">if len(device.NtpServers) &gt; 0 </span><span class="cov1" title="1">{
+                        d.NtpServers = make([]net.IP, len(device.NtpServers))
+                        for i, ntp := range device.NtpServers </span><span class="cov2" title="2">{
+                                d.NtpServers[i] = net.IP(ntp[:])
+                        }</span>
+                }
+
+                <span class="cov3" title="4">cache.Devices[devicePubKey] = d</span>
+        }
+
+        // Build cache of multicast groups.
+        <span class="cov3" title="5">for _, group := range data.MulticastGroups </span><span class="cov2" title="3">{
+                cache.MulticastGroups[base58.Encode(group.PubKey[:])] = group
+        }</span>
+
+        // create user tunnels and add to the appropriate device
+        <span class="cov3" title="5">for _, user := range users </span><span class="cov3" title="7">{
+                if user.Status != serviceability.UserStatusActivated </span><span class="cov0" title="0">{
+                        continue</span>
+                }
+                <span class="cov3" title="7">devicePubKey := base58.Encode(user.DevicePubKey[:])
+                userPubKey := base58.Encode(user.PubKey[:])
+
+                // rules for validating on-chain user data
+                validUser := func() bool </span><span class="cov3" title="7">{
+                        if _, ok := cache.Devices[devicePubKey]; !ok </span><span class="cov1" title="1">{
+                                // TODO: add metric
+                                slog.Error("device pubkey could be found for activated user pubkey", "device pubkey", devicePubKey, "user pubkey", userPubKey)
+                                return false
+                        }</span>
+                        <span class="cov3" title="6">if user.TunnelId == 0 </span><span class="cov0" title="0">{
+                                slog.Error("tunnel id is not set for user", "user pubkey", userPubKey)
+                                return false
+                        }</span>
+                        <span class="cov3" title="6">if user.ClientIp == [4]byte{} </span><span class="cov0" title="0">{
+                                slog.Error("client ip is not set for user", "user pubkey", userPubKey)
+                                return false
+                        }</span>
+                        <span class="cov3" title="6">if user.TunnelNet[4] != 31 </span><span class="cov0" title="0">{
+                                slog.Error("tunnel network mask is not 31\n", "tunnel network mask", user.TunnelNet[4])
+                                return false
+                        }</span>
+                        <span class="cov3" title="6">return true</span>
+                }()
+
+                <span class="cov3" title="7">if !validUser </span><span class="cov1" title="1">{
+                        continue</span>
+                }
+
+                <span class="cov3" title="6">tunnel := cache.Devices[devicePubKey].findTunnel(int(user.TunnelId))
+                if tunnel == nil </span><span class="cov0" title="0">{
+                        slog.Error("unable to find tunnel slot %d on device %s for user %s\n", "tunnel slot", user.TunnelId, "device pubkey", devicePubKey, "user pubkey", userPubKey)
+                        continue</span>
+                }
+                <span class="cov3" title="6">tunnel.UnderlayDstIP = net.IP(user.ClientIp[:])
+                tunnel.UnderlaySrcIP = cache.Devices[devicePubKey].PublicIP
+
+                var overlaySrc [4]byte
+                copy(overlaySrc[:], user.TunnelNet[:4])
+                tunnel.OverlaySrcIP = net.IP(overlaySrc[:])
+
+                var overlayDst [4]byte
+                copy(overlayDst[:], user.TunnelNet[:4])
+                tunnel.OverlayDstIP = net.IP(overlayDst[:])
+                // the client is always the odd last octet; this should really be moved into the IP allocation logic
+                tunnel.OverlayDstIP[3]++
+
+                tunnel.DzIp = net.IP(user.DzIp[:])
+                tunnel.PubKey = userPubKey
+                tunnel.Allocated = true
+
+                if user.UserType == serviceability.UserTypeMulticast </span><span class="cov2" title="3">{
+                        tunnel.IsMulticast = true
+
+                        boundaryList := make(map[string]struct{})
+
+                        // Set multicast subscribers for the tunnel.
+                        for _, subscriber := range user.Subscribers </span><span class="cov2" title="3">{
+                                if subscriberIP, ok := cache.MulticastGroups[base58.Encode(subscriber[:])]; ok </span><span class="cov2" title="3">{
+                                        tunnel.MulticastSubscribers = append(tunnel.MulticastSubscribers, net.IP(subscriberIP.MulticastIp[:]))
+
+                                        boundaryList[net.IP(subscriberIP.MulticastIp[:]).String()] = struct{}{}
+                                }</span>
+                        }
+
+                        // Set multicast publishers for the tunnel.
+                        <span class="cov2" title="3">for _, publisher := range user.Publishers </span><span class="cov0" title="0">{
+                                if publisherIP, ok := cache.MulticastGroups[base58.Encode(publisher[:])]; ok </span><span class="cov0" title="0">{
+                                        tunnel.MulticastPublishers = append(tunnel.MulticastPublishers, net.IP(publisherIP.MulticastIp[:]))
+
+                                        boundaryList[net.IP(publisherIP.MulticastIp[:]).String()] = struct{}{}
+                                }</span>
+                        }
+
+                        // Set multicast boundary list for the tunnel.
+                        // This is the combined and deduplicated list of subscribers and publishers.
+                        <span class="cov2" title="3">for ip := range boundaryList </span><span class="cov2" title="3">{
+                                tunnel.MulticastBoundaryList = append(tunnel.MulticastBoundaryList, net.ParseIP(ip))
+                        }</span>
+                        <span class="cov2" title="3">sort.Slice(tunnel.MulticastBoundaryList, func(i, j int) bool </span><span class="cov0" title="0">{
+                                return tunnel.MulticastBoundaryList[i].String() &lt; tunnel.MulticastBoundaryList[j].String()
+                        }</span>)
+                }
+        }
+
+        // swap out state cache with new version
+        <span class="cov3" title="5">slog.Debug("updating state cache", "state cache", cache)
+        c.swapCache(cache)
+        return nil</span>
+}
+
+// swapCache atomically updates the local state cache with the latest copy and
+// if a signal channel is present, sends a notification.
+func (c *Controller) swapCache(cache stateCache) <span class="cov4" title="10">{
+        c.mu.Lock()
+        defer c.mu.Unlock()
+        c.cache = cache
+        if c.updateDone != nil </span><span class="cov2" title="3">{
+                c.updateDone &lt;- struct{}{}
+        }</span>
+}
+
+// Run starts a goroutine for updating the local state cache with on-chain
+// data and another for a gRPC server to service devices.
+func (c *Controller) Run(ctx context.Context) error <span class="cov2" title="3">{
+        // start prometheus
+        go func() </span><span class="cov2" title="3">{
+                mux := http.NewServeMux()
+                mux.Handle("/metrics", promhttp.Handler())
+                http.ListenAndServe("127.0.0.1:2112", mux) //nolint
+        }</span>()
+
+        // start on-chain fetcher
+        <span class="cov2" title="3">go func() </span><span class="cov2" title="3">{
+                slog.Info("starting fetch of on-chain data", "program-id", c.programId, "rpc-endpoint", c.rpcEndpoint)
+                if err := c.updateStateCache(ctx); err != nil </span><span class="cov0" title="0">{
+                        cacheUpdateErrors.Inc()
+                        slog.Error("error fetching accounts", "error", err)
+                }</span>
+                <span class="cov2" title="3">cacheUpdateOps.Inc()
+                ticker := time.NewTicker(10 * time.Second)
+                for </span><span class="cov2" title="3">{
+                        select </span>{
+                        case &lt;-ctx.Done():<span class="cov2" title="3">
+                                return</span>
+                        case &lt;-ticker.C:<span class="cov0" title="0">
+                                slog.Debug("updating state cache on clock tick")
+                                if err := c.updateStateCache(ctx); err != nil </span><span class="cov0" title="0">{
+                                        cacheUpdateErrors.Inc()
+                                        slog.Error("error fetching accounts", "error", err)
+                                }</span>
+                                <span class="cov0" title="0">cacheUpdateOps.Inc()</span>
+                        }
+                }
+        }()
+
+        // start gRPC server
+        <span class="cov2" title="3">server := grpc.NewServer()
+        pb.RegisterControllerServer(server, c)
+
+        errChan := make(chan error)
+        go func() </span><span class="cov2" title="3">{
+                if err := server.Serve(c.listener); err != nil </span><span class="cov0" title="0">{
+                        errChan &lt;- err
+                }</span>
+        }()
+
+        <span class="cov2" title="3">select </span>{
+        case &lt;-ctx.Done():<span class="cov2" title="3">
+                server.GracefulStop()
+                return nil</span>
+        case err := &lt;-errChan:<span class="cov0" title="0">
+                return err</span>
+        }
+
+}
+
+// GetConfig renders the latest device configuration based on cached device data
+func (c *Controller) GetConfig(ctx context.Context, req *pb.ConfigRequest) (*pb.ConfigResponse, error) <span class="cov4" title="8">{
+        getConfigOps.WithLabelValues(req.GetPubkey()).Inc()
+        c.mu.RLock()
+        defer c.mu.RUnlock()
+        device, ok := c.cache.Devices[req.GetPubkey()]
+        if !ok </span><span class="cov0" title="0">{
+                getConfigPubkeyErrors.WithLabelValues(req.GetPubkey()).Inc()
+                err := status.Errorf(codes.NotFound, "pubkey %s not found", req.Pubkey)
+                return nil, err
+        }</span>
+
+        // compare peers from device to on-chain
+        <span class="cov4" title="8">peerFound := func(peer net.IP) bool </span><span class="cov4" title="8">{
+                for _, tun := range device.Tunnels </span><span class="cov10" title="450">{
+                        if tun.OverlayDstIP.Equal(peer) </span><span class="cov1" title="1">{
+                                return true
+                        }</span>
+                }
+                <span class="cov3" title="7">return false</span>
+        }
+
+        <span class="cov4" title="8">unknownPeers := []net.IP{}
+        for _, peer := range req.GetBgpPeers() </span><span class="cov4" title="8">{
+                ip := net.ParseIP(peer)
+                if ip == nil </span><span class="cov0" title="0">{
+                        continue</span>
+                }
+                <span class="cov4" title="8">if peerFound(ip) </span><span class="cov1" title="1">{
+                        continue</span>
+                }
+                // Only remove peers with addresses that DZ has assigned. This will avoid removal of contributor-configured peers like DIA.
+                <span class="cov3" title="7">if isIPInBlock(ip, c.cache.Config.UserTunnelBlock) || isIPInBlock(ip, c.cache.Config.TunnelTunnelBlock) </span><span class="cov2" title="3">{
+                        unknownPeers = append(unknownPeers, ip)
+                }</span>
+        }
+
+        <span class="cov4" title="8">if len(unknownPeers) != 0 </span><span class="cov2" title="2">{
+                slog.Error("device returned unknown peers", "device pubkey", req.GetPubkey(), "number of unknown peers", len(unknownPeers), "peers", unknownPeers)
+        }</span>
+
+        <span class="cov4" title="8">multicastGroupBlock := formatCIDR(&amp;c.cache.Config.MulticastGroupBlock)
+
+        data := templateData{
+                MulticastGroupBlock:      multicastGroupBlock,
+                Device:                   device,
+                Vpnv4BgpPeers:            c.cache.Vpnv4BgpPeers,
+                UnknownBgpPeers:          unknownPeers,
+                NoHardware:               c.noHardware,
+                TelemetryTWAMPListenPort: telemetryconfig.TWAMPListenPort,
+        }
+
+        config, err := renderConfig(data)
+        if err != nil </span><span class="cov0" title="0">{
+                getConfigRenderErrors.WithLabelValues(req.GetPubkey()).Inc()
+                err := status.Errorf(codes.Aborted, "config rendering for pubkey %s failed: %v", req.Pubkey, err)
+                return nil, err
+        }</span>
+        <span class="cov4" title="8">return &amp;pb.ConfigResponse{Config: config}, nil</span>
+}
+
+// formatCIDR formats a 5-byte network block into CIDR notation
+func formatCIDR(b *[5]byte) string <span class="cov4" title="8">{
+        ip := net.IPv4(b[0], b[1], b[2], b[3])
+        mask := net.CIDRMask(int(b[4]), 32)
+        return (&amp;net.IPNet{IP: ip, Mask: mask}).String()
+}</span>
+
+// isIPInBlock checks if an IP address is within a 5-byte network block
+func isIPInBlock(ip net.IP, block [5]uint8) bool <span class="cov4" title="12">{
+        network := net.IPv4(block[0], block[1], block[2], block[3])
+        mask := net.CIDRMask(int(block[4]), 32)
+        ipNet := &amp;net.IPNet{IP: network, Mask: mask}
+        return ipNet.Contains(ip)
+}</span>
+</pre>
+		
+		</div>
+	</body>
+	<script>
+	(function() {
+		var files = document.getElementById('files');
+		var visible;
+		files.addEventListener('change', onChange, false);
+		function select(part) {
+			if (visible)
+				visible.style.display = 'none';
+			visible = document.getElementById(part);
+			if (!visible)
+				return;
+			files.value = part;
+			visible.style.display = 'block';
+			location.hash = part;
+		}
+		function onChange() {
+			select(files.value);
+			window.scrollTo(0, 0);
+		}
+		if (location.hash != "") {
+			select(location.hash.substr(1));
+		}
+		if (!visible) {
+			select("file0");
+		}
+	})();
+	</script>
+</html>

From c169c6f14f39becbd7a99d74ebb9e7d7965b3047 Mon Sep 17 00:00:00 2001
From: Nik Weidenbacher <nik@malbeclabs.com>
Date: Mon, 4 Aug 2025 20:14:54 +0000
Subject: [PATCH 09/18] Fix e2e tests

---
 controlplane/controller/q.html                | 978 ------------------
 .../doublezero_agent_config_user_added.tmpl   |   2 +
 .../doublezero_agent_config_user_removed.tmpl |   2 +
 .../doublezero_agent_config_user_added.tmpl   |   2 +
 .../doublezero_agent_config_user_removed.tmpl |   2 +
 .../doublezero_agent_config_user_added.tmpl   |   2 +
 .../doublezero_agent_config_user_removed.tmpl |   2 +
 .../doublezero_agent_config_user_added.tmpl   |   2 +
 .../doublezero_agent_config_user_removed.tmpl |   2 +
 e2e/internal/devnet/device.go                 |   1 -
 10 files changed, 16 insertions(+), 979 deletions(-)
 delete mode 100644 controlplane/controller/q.html

diff --git a/controlplane/controller/q.html b/controlplane/controller/q.html
deleted file mode 100644
index 139a37ba9..000000000
--- a/controlplane/controller/q.html
+++ /dev/null
@@ -1,978 +0,0 @@
-
-<!DOCTYPE html>
-<html>
-	<head>
-		<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
-		<title>controller: Go Coverage Report</title>
-		<style>
-			body {
-				background: black;
-				color: rgb(80, 80, 80);
-			}
-			body, pre, #legend span {
-				font-family: Menlo, monospace;
-				font-weight: bold;
-			}
-			#topbar {
-				background: black;
-				position: fixed;
-				top: 0; left: 0; right: 0;
-				height: 42px;
-				border-bottom: 1px solid rgb(80, 80, 80);
-			}
-			#content {
-				margin-top: 50px;
-			}
-			#nav, #legend {
-				float: left;
-				margin-left: 10px;
-			}
-			#legend {
-				margin-top: 12px;
-			}
-			#nav {
-				margin-top: 10px;
-			}
-			#legend span {
-				margin: 0 5px;
-			}
-			.cov0 { color: rgb(192, 0, 0) }
-.cov1 { color: rgb(128, 128, 128) }
-.cov2 { color: rgb(116, 140, 131) }
-.cov3 { color: rgb(104, 152, 134) }
-.cov4 { color: rgb(92, 164, 137) }
-.cov5 { color: rgb(80, 176, 140) }
-.cov6 { color: rgb(68, 188, 143) }
-.cov7 { color: rgb(56, 200, 146) }
-.cov8 { color: rgb(44, 212, 149) }
-.cov9 { color: rgb(32, 224, 152) }
-.cov10 { color: rgb(20, 236, 155) }
-
-		</style>
-	</head>
-	<body>
-		<div id="topbar">
-			<div id="nav">
-				<select id="files">
-				
-				<option value="file0">github.com/malbeclabs/doublezero/controlplane/controller/cmd/controller/main.go (0.0%)</option>
-				
-				<option value="file1">github.com/malbeclabs/doublezero/controlplane/controller/internal/controller/metrics.go (100.0%)</option>
-				
-				<option value="file2">github.com/malbeclabs/doublezero/controlplane/controller/internal/controller/models.go (90.0%)</option>
-				
-				<option value="file3">github.com/malbeclabs/doublezero/controlplane/controller/internal/controller/render.go (71.4%)</option>
-				
-				<option value="file4">github.com/malbeclabs/doublezero/controlplane/controller/internal/controller/server.go (79.4%)</option>
-				
-				</select>
-			</div>
-			<div id="legend">
-				<span>not tracked</span>
-			
-				<span class="cov0">no coverage</span>
-				<span class="cov1">low coverage</span>
-				<span class="cov2">*</span>
-				<span class="cov3">*</span>
-				<span class="cov4">*</span>
-				<span class="cov5">*</span>
-				<span class="cov6">*</span>
-				<span class="cov7">*</span>
-				<span class="cov8">*</span>
-				<span class="cov9">*</span>
-				<span class="cov10">high coverage</span>
-			
-			</div>
-		</div>
-		<div id="content">
-		
-		<pre class="file" id="file0" style="display: none">package main
-
-import (
-        "context"
-        "errors"
-        "flag"
-        "fmt"
-        "log/slog"
-        "net"
-        "os"
-        "os/signal"
-        "strings"
-        "syscall"
-        "text/tabwriter"
-        "time"
-
-        "google.golang.org/grpc"
-        "google.golang.org/grpc/credentials/insecure"
-
-        "github.com/malbeclabs/doublezero/controlplane/controller/internal/controller"
-        pb "github.com/malbeclabs/doublezero/controlplane/proto/controller/gen/pb-go"
-)
-
-var (
-        // set by LDFLAGS
-        version = "dev"
-        commit  = "none"
-        date    = "unknown"
-)
-
-type Runner interface {
-        Init([]string) error
-        Run() error
-        Name() string
-        Fs() *flag.FlagSet
-        Description() string
-}
-
-func NewAgentCommand() *AgentCommand <span class="cov0" title="0">{
-        a := &amp;AgentCommand{
-                fs:          flag.NewFlagSet("agent", flag.ExitOnError),
-                description: "command set for interacting with controller",
-        }
-        a.fs.StringVar(&amp;a.pubkey, "device-pubkey", "", "pubkey of device which to fetch config")
-        a.fs.StringVar(&amp;a.controllerAddr, "controller-addr", "localhost", "listening address of controller")
-        a.fs.StringVar(&amp;a.controllerPort, "controller-port", "443", "listening port of controller")
-        a.fs.StringVar(&amp;a.unknownPeers, "unknown-peers", "", "comma separated list of unknown peers to remove from config")
-        return a
-}</span>
-
-type AgentCommand struct {
-        fs             *flag.FlagSet
-        description    string
-        pubkey         string
-        controllerAddr string
-        controllerPort string
-        unknownPeers   string
-}
-
-func (a *AgentCommand) Fs() *flag.FlagSet <span class="cov0" title="0">{
-        return a.fs
-}</span>
-
-func (a *AgentCommand) Name() string <span class="cov0" title="0">{
-        return a.fs.Name()
-}</span>
-
-func (a *AgentCommand) Description() string <span class="cov0" title="0">{
-        return a.description
-}</span>
-
-func (a *AgentCommand) Init(args []string) error <span class="cov0" title="0">{
-        return a.fs.Parse(args)
-}</span>
-
-func (a *AgentCommand) Run() error <span class="cov0" title="0">{
-        target := net.JoinHostPort(a.controllerAddr, a.controllerPort)
-
-        ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-        opts := []grpc.DialOption{
-                grpc.WithTransportCredentials(insecure.NewCredentials()),
-        }
-        conn, err := grpc.NewClient(target, opts...)
-        if err != nil </span><span class="cov0" title="0">{
-                slog.Error("error creating controller client", "error", err)
-                os.Exit(1)
-        }</span>
-        <span class="cov0" title="0">defer conn.Close()
-        defer cancel()
-
-        unknownPeers := []string{}
-        if a.unknownPeers != "" </span><span class="cov0" title="0">{
-                unknownPeers = append(unknownPeers, strings.Split(a.unknownPeers, ",")...)
-        }</span>
-        <span class="cov0" title="0">agent := pb.NewControllerClient(conn)
-        got, err := agent.GetConfig(ctx, &amp;pb.ConfigRequest{Pubkey: a.pubkey, BgpPeers: unknownPeers})
-        if err != nil </span><span class="cov0" title="0">{
-                slog.Error("error while fetching config", "error", err)
-                os.Exit(1)
-        }</span>
-        <span class="cov0" title="0">fmt.Println(got.Config)
-        return nil</span>
-}
-
-func NewControllerCommand() *ControllerCommand <span class="cov0" title="0">{
-        c := &amp;ControllerCommand{
-                fs:          flag.NewFlagSet("start", flag.ExitOnError),
-                description: "command set for starting controller",
-        }
-        c.fs.StringVar(&amp;c.listenAddr, "listen-addr", "localhost", "listening address for controller grpc server")
-        c.fs.StringVar(&amp;c.listenPort, "listen-port", "443", "listening port for controller grpc server")
-        c.fs.StringVar(&amp;c.programId, "program-id", "", "smartcontract program id to monitor")
-        c.fs.StringVar(&amp;c.rpcEndpoint, "solana-rpc-endpoint", "", "override solana rpc endpoint (default: devnet)")
-        c.fs.BoolVar(&amp;c.noHardware, "no-hardware", false, "exclude config commands that will fail when not running on the real hardware")
-        c.fs.BoolVar(&amp;c.showVersion, "version", false, "show version information and exit")
-        return c
-}</span>
-
-type ControllerCommand struct {
-        fs          *flag.FlagSet
-        description string
-        listenAddr  string
-        listenPort  string
-        programId   string
-        rpcEndpoint string
-        noHardware  bool
-        showVersion bool
-}
-
-func (c *ControllerCommand) Fs() *flag.FlagSet <span class="cov0" title="0">{
-        return c.fs
-}</span>
-
-func (c *ControllerCommand) Name() string <span class="cov0" title="0">{
-        return c.fs.Name()
-}</span>
-
-func (c *ControllerCommand) Description() string <span class="cov0" title="0">{
-        return c.description
-}</span>
-
-func (c *ControllerCommand) Init(args []string) error <span class="cov0" title="0">{
-        return c.fs.Parse(args)
-}</span>
-
-func (c *ControllerCommand) Run() error <span class="cov0" title="0">{
-        if c.showVersion </span><span class="cov0" title="0">{
-                fmt.Printf("version: %s, commit: %s, date: %s\n", version, commit, date)
-                os.Exit(0)
-        }</span>
-
-        // set build info prometheus metric
-        <span class="cov0" title="0">controller.BuildInfo.WithLabelValues(version, commit, date).Set(1)
-
-        // start controller
-        ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
-        defer stop()
-
-        options := []controller.Option{}
-        if c.programId != "" </span><span class="cov0" title="0">{
-                options = append(options, controller.WithProgramId(c.programId))
-        }</span>
-
-        <span class="cov0" title="0">if c.rpcEndpoint != "" </span><span class="cov0" title="0">{
-                options = append(options, controller.WithRpcEndpoint(c.rpcEndpoint))
-        }</span>
-
-        <span class="cov0" title="0">if c.noHardware </span><span class="cov0" title="0">{
-                options = append(options, controller.WithNoHardware())
-        }</span>
-
-        <span class="cov0" title="0">lis, err := net.Listen("tcp", net.JoinHostPort(c.listenAddr, c.listenPort))
-        if err != nil </span><span class="cov0" title="0">{
-                slog.Error("failed to listen", "error", err)
-                os.Exit(1)
-        }</span>
-        <span class="cov0" title="0">options = append(options, controller.WithListener(lis))
-        control, err := controller.NewController(options...)
-        if err != nil </span><span class="cov0" title="0">{
-                slog.Error("error creating controller", "error", err)
-                os.Exit(1)
-        }</span>
-
-        <span class="cov0" title="0">slog.Log(ctx, slog.LevelInfo, fmt.Sprintf("starting controller on %s", net.JoinHostPort(c.listenAddr, c.listenPort)))
-        if err := control.Run(ctx); err != nil </span><span class="cov0" title="0">{
-                slog.Error("runtime error", "error", err)
-                os.Exit(1)
-        }</span>
-        <span class="cov0" title="0">return nil</span>
-}
-
-func root(args []string) error <span class="cov0" title="0">{
-        cmds := []Runner{
-                NewAgentCommand(),
-                NewControllerCommand(),
-        }
-
-        flag.Usage = func() </span><span class="cov0" title="0">{
-                fmt.Fprintf(os.Stderr, "\nUsage:\n\n")
-                w := tabwriter.NewWriter(os.Stderr, 0, 0, 3, ' ', 0)
-                for _, cmd := range cmds </span><span class="cov0" title="0">{
-                        fmt.Fprintf(w, "\t%s\t%s\t\n", cmd.Name(), cmd.Description())
-                }</span>
-                <span class="cov0" title="0">w.Flush()</span>
-        }
-
-        <span class="cov0" title="0">if len(args) &lt; 1 </span><span class="cov0" title="0">{
-                return errors.New("error: you must pass a sub-command")
-        }</span>
-
-        <span class="cov0" title="0">subcommand := os.Args[1]
-
-        for _, cmd := range cmds </span><span class="cov0" title="0">{
-                if cmd.Name() == subcommand </span><span class="cov0" title="0">{
-                        cmd.Init(os.Args[2:]) // nolint:all
-                        return cmd.Run()
-                }</span>
-        }
-
-        <span class="cov0" title="0">return fmt.Errorf("unknown subcommand: %s", subcommand)</span>
-}
-
-func main() <span class="cov0" title="0">{
-
-        opts := &amp;slog.HandlerOptions{}
-        logger := slog.New(slog.NewJSONHandler(os.Stdout, opts))
-        slog.SetDefault(logger)
-
-        if err := root(os.Args[1:]); err != nil </span><span class="cov0" title="0">{
-                fmt.Println(err)
-                flag.Usage()
-                os.Exit(1)
-        }</span>
-        <span class="cov0" title="0">flag.Parse()</span>
-}
-</pre>
-		
-		<pre class="file" id="file1" style="display: none">package controller
-
-import (
-        "github.com/prometheus/client_golang/prometheus"
-)
-
-var (
-        BuildInfo = prometheus.NewGaugeVec(prometheus.GaugeOpts{
-                Name: "controller_build_info",
-                Help: "Build information of the agent",
-        },
-                []string{"version", "commit", "date"},
-        )
-
-        // gRPC metrics
-        getConfigPubkeyErrors = prometheus.NewCounterVec(prometheus.CounterOpts{
-                Name: "controller_grpc_getconfig_pubkey_errors_total",
-                Help: "The total number of missing pubkeys in cache",
-        },
-                []string{"pubkey"},
-        )
-
-        getConfigRenderErrors = prometheus.NewCounterVec(prometheus.CounterOpts{
-                Name: "controller_grpc_getconfig_render_errors_total",
-                Help: "The total number of failed config renderings",
-        },
-                []string{"pubkey"},
-        )
-
-        getConfigOps = prometheus.NewCounterVec(prometheus.CounterOpts{
-                Name: "controller_grpc_getconfig_requests_total",
-                Help: "The total number of getconfig requests",
-        },
-                []string{"pubkey"},
-        )
-
-        // cache update metrics
-        cacheUpdateErrors = prometheus.NewCounter(prometheus.CounterOpts{
-                Name: "controller_cache_update_errors_total",
-                Help: "The total number of cache update errors",
-        })
-
-        cacheUpdateFetchErrors = prometheus.NewCounter(prometheus.CounterOpts{
-                Name: "controller_cache_update_fetch_errors_total",
-                Help: "The total number of cache update errors from fetching on-chain data",
-        })
-
-        cacheUpdateOps = prometheus.NewCounter(prometheus.CounterOpts{
-                Name: "controller_cache_update_ops_total",
-                Help: "The total number of cache update ops",
-        })
-)
-
-func init() <span class="cov8" title="1">{
-        // build info
-        prometheus.MustRegister(BuildInfo)
-
-        // gRPC metrics
-        prometheus.MustRegister(getConfigPubkeyErrors)
-        prometheus.MustRegister(getConfigRenderErrors)
-        prometheus.MustRegister(getConfigOps)
-
-        // cache update metrics
-        prometheus.MustRegister(cacheUpdateErrors)
-        prometheus.MustRegister(cacheUpdateFetchErrors)
-        prometheus.MustRegister(cacheUpdateOps)
-}</span>
-</pre>
-		
-		<pre class="file" id="file2" style="display: none">package controller
-
-import (
-        "net"
-
-        "github.com/malbeclabs/doublezero/smartcontract/sdk/go/serviceability"
-)
-
-var (
-        // maximum number of tunnels to provision on a given device
-        maxTunnelSlots     = 64
-        startUserTunnelNum = 500
-)
-
-type Device struct {
-        PubKey          string
-        PublicIP        net.IP
-        Vpn4vLoopbackIP net.IP
-        Tunnels         []*Tunnel
-        TunnelSlots     int
-        MgmtVrf         string
-        DnsServers      []net.IP
-        NtpServers      []net.IP
-        Interfaces      []serviceability.Interface
-}
-
-func NewDevice(ip net.IP, publicKey string) *Device <span class="cov3" title="5">{
-        tunnels := []*Tunnel{}
-        for i := 0; i &lt; maxTunnelSlots; i++ </span><span class="cov10" title="320">{
-                id := startUserTunnelNum + i
-                tunnel := &amp;Tunnel{
-                        Id:        id,
-                        Allocated: false,
-                }
-                tunnels = append(tunnels, tunnel)
-        }</span>
-        <span class="cov3" title="5">return &amp;Device{
-                PublicIP:    ip,
-                PubKey:      publicKey,
-                Tunnels:     tunnels,
-                TunnelSlots: maxTunnelSlots,
-        }</span>
-}
-
-func (d *Device) findTunnel(id int) *Tunnel <span class="cov3" title="6">{
-        for _, tunnel := range d.Tunnels </span><span class="cov4" title="9">{
-                if tunnel.Id == id </span><span class="cov3" title="6">{
-                        return tunnel
-                }</span>
-        }
-        <span class="cov0" title="0">return nil</span>
-}
-
-type Tunnel struct {
-        Id                    int
-        UnderlaySrcIP         net.IP
-        UnderlayDstIP         net.IP
-        OverlaySrcIP          net.IP // This needs to be derived based on the tunnel net
-        OverlayDstIP          net.IP // This needs to be derived based on the tunnel net
-        DzIp                  net.IP
-        PubKey                string
-        Allocated             bool
-        IsMulticast           bool
-        MulticastBoundaryList []net.IP
-        MulticastSubscribers  []net.IP
-        MulticastPublishers   []net.IP
-}
-
-type Vpnv4BgpPeer struct {
-        PeerIP    net.IP
-        PeerName  string
-        SourceInt string
-}
-
-type templateData struct {
-        Device                   *Device
-        Vpnv4BgpPeers            []Vpnv4BgpPeer
-        UnknownBgpPeers          []net.IP
-        MulticastGroupBlock      string
-        NoHardware               bool
-        TelemetryTWAMPListenPort int
-}
-</pre>
-		
-		<pre class="file" id="file3" style="display: none">package controller
-
-import (
-        "bytes"
-        "embed"
-        "fmt"
-        "text/template"
-)
-
-//go:embed templates/*
-var f embed.FS
-
-func renderConfig(data templateData) (string, error) <span class="cov10" title="14">{
-        t, err := template.New("tunnel.tmpl").ParseFS(f, "templates/tunnel.tmpl")
-        if err != nil </span><span class="cov0" title="0">{
-                return "", fmt.Errorf("error loading tunnel template: %v", err)
-        }</span>
-        <span class="cov10" title="14">var output bytes.Buffer
-        if err = t.Execute(&amp;output, data); err != nil </span><span class="cov0" title="0">{
-                return "", fmt.Errorf("error executing template: %v", err)
-        }</span>
-        <span class="cov10" title="14">return output.String(), nil</span>
-}
-</pre>
-		
-		<pre class="file" id="file4" style="display: none">package controller
-
-import (
-        "context"
-        "fmt"
-        "log/slog"
-        "net"
-        "net/http"
-        "sort"
-        "sync"
-        "time"
-
-        "github.com/gagliardetto/solana-go"
-        "github.com/gagliardetto/solana-go/rpc"
-        pb "github.com/malbeclabs/doublezero/controlplane/proto/controller/gen/pb-go"
-        telemetryconfig "github.com/malbeclabs/doublezero/controlplane/telemetry/pkg/config"
-        dzsdk "github.com/malbeclabs/doublezero/smartcontract/sdk/go"
-        "github.com/malbeclabs/doublezero/smartcontract/sdk/go/serviceability"
-        "github.com/mr-tron/base58"
-        "github.com/prometheus/client_golang/prometheus/promhttp"
-        "google.golang.org/grpc"
-        "google.golang.org/grpc/codes"
-        "google.golang.org/grpc/status"
-)
-
-type accountFetcher interface {
-        GetProgramData(context.Context) (*serviceability.ProgramData, error)
-}
-
-type stateCache struct {
-        Config          serviceability.Config
-        Devices         map[string]*Device
-        MulticastGroups map[string]serviceability.MulticastGroup
-        Vpnv4BgpPeers   []Vpnv4BgpPeer
-}
-
-type Controller struct {
-        pb.UnimplementedControllerServer
-
-        cache stateCache
-        mu    sync.RWMutex
-        accountFetcher
-        listener    net.Listener
-        programId   string
-        rpcEndpoint string
-        noHardware  bool
-        updateDone  chan struct{}
-}
-
-type Option func(*Controller)
-
-func NewController(options ...Option) (*Controller, error) <span class="cov3" title="7">{
-        controller := &amp;Controller{
-                cache: stateCache{},
-        }
-        for _, o := range options </span><span class="cov5" title="17">{
-                o(controller)
-        }</span>
-        <span class="cov3" title="7">if controller.listener == nil </span><span class="cov0" title="0">{
-                lis, err := net.Listen("tcp", fmt.Sprintf("localhost:%d", 443))
-                if err != nil </span><span class="cov0" title="0">{
-                        return nil, fmt.Errorf("failed to listen: %v", err)
-                }</span>
-                <span class="cov0" title="0">controller.listener = lis</span>
-        }
-        <span class="cov3" title="7">if controller.accountFetcher == nil </span><span class="cov2" title="2">{
-                if controller.programId == "" </span><span class="cov1" title="1">{
-                        controller.programId = serviceability.SERVICEABILITY_PROGRAM_ID_TESTNET
-                }</span>
-                <span class="cov2" title="2">programID, err := solana.PublicKeyFromBase58(controller.programId)
-                if err != nil </span><span class="cov0" title="0">{
-                        return nil, fmt.Errorf("invalid program id %s: %v", controller.programId, err)
-                }</span>
-                <span class="cov2" title="2">if controller.rpcEndpoint == "" </span><span class="cov1" title="1">{
-                        controller.rpcEndpoint = dzsdk.DZ_LEDGER_RPC_URL
-                }</span>
-                <span class="cov2" title="2">client := serviceability.New(rpc.New(controller.rpcEndpoint), programID)
-                controller.accountFetcher = client</span>
-        }
-        <span class="cov3" title="7">return controller, nil</span>
-}
-
-func WithAccountFetcher(f accountFetcher) Option <span class="cov3" title="5">{
-        return func(c *Controller) </span><span class="cov3" title="5">{
-                c.accountFetcher = f
-        }</span>
-}
-
-func WithProgramId(programId string) Option <span class="cov1" title="1">{
-        return func(c *Controller) </span><span class="cov1" title="1">{
-                c.programId = programId
-        }</span>
-}
-
-func WithRpcEndpoint(rpcEndpoint string) Option <span class="cov1" title="1">{
-        return func(c *Controller) </span><span class="cov1" title="1">{
-                c.rpcEndpoint = rpcEndpoint
-        }</span>
-}
-
-// WithListener provides a way to assign a custom listener for the gRPC server.
-// If no listener is passed, the controller will listen on localhost.
-func WithListener(listener net.Listener) Option <span class="cov3" title="7">{
-        return func(c *Controller) </span><span class="cov3" title="7">{
-                c.listener = listener
-        }</span>
-}
-
-// WithSignalChan provides a way to be signaled when the local state cache
-// has been updated. This is used for testing.
-func WithSignalChan(ch chan struct{}) Option <span class="cov2" title="3">{
-        return func(c *Controller) </span><span class="cov2" title="3">{
-                c.updateDone = ch
-        }</span>
-}
-
-// WithNoHardware provides a way to exclude rendering config commands that will fail when not
-// running on the real hardware.
-func WithNoHardware() Option <span class="cov0" title="0">{
-        return func(c *Controller) </span><span class="cov0" title="0">{
-                c.noHardware = true
-        }</span>
-}
-
-// updateStateCache fetches the latest on-chain data for devices/users and config. User accounts
-// are converted into a list of tunnels, stored under their respective device, and placed in a map,
-// keyed by the device's public key.
-func (c *Controller) updateStateCache(ctx context.Context) error <span class="cov3" title="5">{
-        data, err := c.accountFetcher.GetProgramData(ctx)
-        if err != nil </span><span class="cov0" title="0">{
-                cacheUpdateFetchErrors.Inc()
-                return fmt.Errorf("error while loading program data: %v", err)
-        }</span>
-
-        <span class="cov3" title="5">devices := data.Devices
-        if len(devices) == 0 </span><span class="cov0" title="0">{
-                return fmt.Errorf("0 devices found on-chain")
-        }</span>
-        <span class="cov3" title="5">users := data.Users
-        if len(users) == 0 </span><span class="cov1" title="1">{
-                slog.Debug("0 users found on-chain")
-        }</span>
-        <span class="cov3" title="5">cache := stateCache{
-                Config:          data.Config,
-                Devices:         make(map[string]*Device),
-                MulticastGroups: make(map[string]serviceability.MulticastGroup),
-        }
-
-        // build cache of devices
-        for _, device := range devices </span><span class="cov3" title="5">{
-                ip := net.IP(device.PublicIp[:])
-                if ip == nil </span><span class="cov0" title="0">{
-                        // TODO: metric
-                        slog.Error("invalid public ip for device", "device pubkey", device.PubKey)
-                        continue</span>
-                }
-                <span class="cov3" title="5">devicePubKey := base58.Encode(device.PubKey[:])
-                d := NewDevice(ip, devicePubKey)
-
-                d.MgmtVrf = device.MgmtVrf
-                d.Interfaces = device.Interfaces
-
-                // Build Vpnv4BgpPeers from device interfaces
-                for _, iface := range device.Interfaces </span><span class="cov3" title="4">{
-                        if iface.InterfaceType == serviceability.InterfaceTypeLoopback &amp;&amp;
-                                iface.LoopbackType == serviceability.LoopbackTypeVpnv4 </span><span class="cov3" title="4">{
-                                // Extract IP from IpNet
-                                ip := net.IP(iface.IpNet[:4])
-                                d.Vpn4vLoopbackIP = ip
-                                // TODO: raise an error if the IP is 0.0.0.0 (not set)
-                                peer := Vpnv4BgpPeer{
-                                        PeerIP:    ip,
-                                        PeerName:  device.Code,
-                                        SourceInt: iface.Name,
-                                }
-                                cache.Vpnv4BgpPeers = append(cache.Vpnv4BgpPeers, peer)
-                        }</span>
-                }
-
-                <span class="cov3" title="5">if d.Vpn4vLoopbackIP == nil </span><span class="cov1" title="1">{
-                        slog.Error("not adding device to cache", "device pubkey", devicePubKey, "reason", "VPNv4 loopback interface found for device")
-                        continue</span>
-                }
-
-                <span class="cov3" title="4">if len(device.DnsServers) &gt; 0 </span><span class="cov1" title="1">{
-                        d.DnsServers = make([]net.IP, len(device.DnsServers))
-                        for i, dns := range device.DnsServers </span><span class="cov2" title="2">{
-                                d.DnsServers[i] = net.IP(dns[:])
-                        }</span>
-                }
-
-                <span class="cov3" title="4">if len(device.NtpServers) &gt; 0 </span><span class="cov1" title="1">{
-                        d.NtpServers = make([]net.IP, len(device.NtpServers))
-                        for i, ntp := range device.NtpServers </span><span class="cov2" title="2">{
-                                d.NtpServers[i] = net.IP(ntp[:])
-                        }</span>
-                }
-
-                <span class="cov3" title="4">cache.Devices[devicePubKey] = d</span>
-        }
-
-        // Build cache of multicast groups.
-        <span class="cov3" title="5">for _, group := range data.MulticastGroups </span><span class="cov2" title="3">{
-                cache.MulticastGroups[base58.Encode(group.PubKey[:])] = group
-        }</span>
-
-        // create user tunnels and add to the appropriate device
-        <span class="cov3" title="5">for _, user := range users </span><span class="cov3" title="7">{
-                if user.Status != serviceability.UserStatusActivated </span><span class="cov0" title="0">{
-                        continue</span>
-                }
-                <span class="cov3" title="7">devicePubKey := base58.Encode(user.DevicePubKey[:])
-                userPubKey := base58.Encode(user.PubKey[:])
-
-                // rules for validating on-chain user data
-                validUser := func() bool </span><span class="cov3" title="7">{
-                        if _, ok := cache.Devices[devicePubKey]; !ok </span><span class="cov1" title="1">{
-                                // TODO: add metric
-                                slog.Error("device pubkey could be found for activated user pubkey", "device pubkey", devicePubKey, "user pubkey", userPubKey)
-                                return false
-                        }</span>
-                        <span class="cov3" title="6">if user.TunnelId == 0 </span><span class="cov0" title="0">{
-                                slog.Error("tunnel id is not set for user", "user pubkey", userPubKey)
-                                return false
-                        }</span>
-                        <span class="cov3" title="6">if user.ClientIp == [4]byte{} </span><span class="cov0" title="0">{
-                                slog.Error("client ip is not set for user", "user pubkey", userPubKey)
-                                return false
-                        }</span>
-                        <span class="cov3" title="6">if user.TunnelNet[4] != 31 </span><span class="cov0" title="0">{
-                                slog.Error("tunnel network mask is not 31\n", "tunnel network mask", user.TunnelNet[4])
-                                return false
-                        }</span>
-                        <span class="cov3" title="6">return true</span>
-                }()
-
-                <span class="cov3" title="7">if !validUser </span><span class="cov1" title="1">{
-                        continue</span>
-                }
-
-                <span class="cov3" title="6">tunnel := cache.Devices[devicePubKey].findTunnel(int(user.TunnelId))
-                if tunnel == nil </span><span class="cov0" title="0">{
-                        slog.Error("unable to find tunnel slot %d on device %s for user %s\n", "tunnel slot", user.TunnelId, "device pubkey", devicePubKey, "user pubkey", userPubKey)
-                        continue</span>
-                }
-                <span class="cov3" title="6">tunnel.UnderlayDstIP = net.IP(user.ClientIp[:])
-                tunnel.UnderlaySrcIP = cache.Devices[devicePubKey].PublicIP
-
-                var overlaySrc [4]byte
-                copy(overlaySrc[:], user.TunnelNet[:4])
-                tunnel.OverlaySrcIP = net.IP(overlaySrc[:])
-
-                var overlayDst [4]byte
-                copy(overlayDst[:], user.TunnelNet[:4])
-                tunnel.OverlayDstIP = net.IP(overlayDst[:])
-                // the client is always the odd last octet; this should really be moved into the IP allocation logic
-                tunnel.OverlayDstIP[3]++
-
-                tunnel.DzIp = net.IP(user.DzIp[:])
-                tunnel.PubKey = userPubKey
-                tunnel.Allocated = true
-
-                if user.UserType == serviceability.UserTypeMulticast </span><span class="cov2" title="3">{
-                        tunnel.IsMulticast = true
-
-                        boundaryList := make(map[string]struct{})
-
-                        // Set multicast subscribers for the tunnel.
-                        for _, subscriber := range user.Subscribers </span><span class="cov2" title="3">{
-                                if subscriberIP, ok := cache.MulticastGroups[base58.Encode(subscriber[:])]; ok </span><span class="cov2" title="3">{
-                                        tunnel.MulticastSubscribers = append(tunnel.MulticastSubscribers, net.IP(subscriberIP.MulticastIp[:]))
-
-                                        boundaryList[net.IP(subscriberIP.MulticastIp[:]).String()] = struct{}{}
-                                }</span>
-                        }
-
-                        // Set multicast publishers for the tunnel.
-                        <span class="cov2" title="3">for _, publisher := range user.Publishers </span><span class="cov0" title="0">{
-                                if publisherIP, ok := cache.MulticastGroups[base58.Encode(publisher[:])]; ok </span><span class="cov0" title="0">{
-                                        tunnel.MulticastPublishers = append(tunnel.MulticastPublishers, net.IP(publisherIP.MulticastIp[:]))
-
-                                        boundaryList[net.IP(publisherIP.MulticastIp[:]).String()] = struct{}{}
-                                }</span>
-                        }
-
-                        // Set multicast boundary list for the tunnel.
-                        // This is the combined and deduplicated list of subscribers and publishers.
-                        <span class="cov2" title="3">for ip := range boundaryList </span><span class="cov2" title="3">{
-                                tunnel.MulticastBoundaryList = append(tunnel.MulticastBoundaryList, net.ParseIP(ip))
-                        }</span>
-                        <span class="cov2" title="3">sort.Slice(tunnel.MulticastBoundaryList, func(i, j int) bool </span><span class="cov0" title="0">{
-                                return tunnel.MulticastBoundaryList[i].String() &lt; tunnel.MulticastBoundaryList[j].String()
-                        }</span>)
-                }
-        }
-
-        // swap out state cache with new version
-        <span class="cov3" title="5">slog.Debug("updating state cache", "state cache", cache)
-        c.swapCache(cache)
-        return nil</span>
-}
-
-// swapCache atomically updates the local state cache with the latest copy and
-// if a signal channel is present, sends a notification.
-func (c *Controller) swapCache(cache stateCache) <span class="cov4" title="10">{
-        c.mu.Lock()
-        defer c.mu.Unlock()
-        c.cache = cache
-        if c.updateDone != nil </span><span class="cov2" title="3">{
-                c.updateDone &lt;- struct{}{}
-        }</span>
-}
-
-// Run starts a goroutine for updating the local state cache with on-chain
-// data and another for a gRPC server to service devices.
-func (c *Controller) Run(ctx context.Context) error <span class="cov2" title="3">{
-        // start prometheus
-        go func() </span><span class="cov2" title="3">{
-                mux := http.NewServeMux()
-                mux.Handle("/metrics", promhttp.Handler())
-                http.ListenAndServe("127.0.0.1:2112", mux) //nolint
-        }</span>()
-
-        // start on-chain fetcher
-        <span class="cov2" title="3">go func() </span><span class="cov2" title="3">{
-                slog.Info("starting fetch of on-chain data", "program-id", c.programId, "rpc-endpoint", c.rpcEndpoint)
-                if err := c.updateStateCache(ctx); err != nil </span><span class="cov0" title="0">{
-                        cacheUpdateErrors.Inc()
-                        slog.Error("error fetching accounts", "error", err)
-                }</span>
-                <span class="cov2" title="3">cacheUpdateOps.Inc()
-                ticker := time.NewTicker(10 * time.Second)
-                for </span><span class="cov2" title="3">{
-                        select </span>{
-                        case &lt;-ctx.Done():<span class="cov2" title="3">
-                                return</span>
-                        case &lt;-ticker.C:<span class="cov0" title="0">
-                                slog.Debug("updating state cache on clock tick")
-                                if err := c.updateStateCache(ctx); err != nil </span><span class="cov0" title="0">{
-                                        cacheUpdateErrors.Inc()
-                                        slog.Error("error fetching accounts", "error", err)
-                                }</span>
-                                <span class="cov0" title="0">cacheUpdateOps.Inc()</span>
-                        }
-                }
-        }()
-
-        // start gRPC server
-        <span class="cov2" title="3">server := grpc.NewServer()
-        pb.RegisterControllerServer(server, c)
-
-        errChan := make(chan error)
-        go func() </span><span class="cov2" title="3">{
-                if err := server.Serve(c.listener); err != nil </span><span class="cov0" title="0">{
-                        errChan &lt;- err
-                }</span>
-        }()
-
-        <span class="cov2" title="3">select </span>{
-        case &lt;-ctx.Done():<span class="cov2" title="3">
-                server.GracefulStop()
-                return nil</span>
-        case err := &lt;-errChan:<span class="cov0" title="0">
-                return err</span>
-        }
-
-}
-
-// GetConfig renders the latest device configuration based on cached device data
-func (c *Controller) GetConfig(ctx context.Context, req *pb.ConfigRequest) (*pb.ConfigResponse, error) <span class="cov4" title="8">{
-        getConfigOps.WithLabelValues(req.GetPubkey()).Inc()
-        c.mu.RLock()
-        defer c.mu.RUnlock()
-        device, ok := c.cache.Devices[req.GetPubkey()]
-        if !ok </span><span class="cov0" title="0">{
-                getConfigPubkeyErrors.WithLabelValues(req.GetPubkey()).Inc()
-                err := status.Errorf(codes.NotFound, "pubkey %s not found", req.Pubkey)
-                return nil, err
-        }</span>
-
-        // compare peers from device to on-chain
-        <span class="cov4" title="8">peerFound := func(peer net.IP) bool </span><span class="cov4" title="8">{
-                for _, tun := range device.Tunnels </span><span class="cov10" title="450">{
-                        if tun.OverlayDstIP.Equal(peer) </span><span class="cov1" title="1">{
-                                return true
-                        }</span>
-                }
-                <span class="cov3" title="7">return false</span>
-        }
-
-        <span class="cov4" title="8">unknownPeers := []net.IP{}
-        for _, peer := range req.GetBgpPeers() </span><span class="cov4" title="8">{
-                ip := net.ParseIP(peer)
-                if ip == nil </span><span class="cov0" title="0">{
-                        continue</span>
-                }
-                <span class="cov4" title="8">if peerFound(ip) </span><span class="cov1" title="1">{
-                        continue</span>
-                }
-                // Only remove peers with addresses that DZ has assigned. This will avoid removal of contributor-configured peers like DIA.
-                <span class="cov3" title="7">if isIPInBlock(ip, c.cache.Config.UserTunnelBlock) || isIPInBlock(ip, c.cache.Config.TunnelTunnelBlock) </span><span class="cov2" title="3">{
-                        unknownPeers = append(unknownPeers, ip)
-                }</span>
-        }
-
-        <span class="cov4" title="8">if len(unknownPeers) != 0 </span><span class="cov2" title="2">{
-                slog.Error("device returned unknown peers", "device pubkey", req.GetPubkey(), "number of unknown peers", len(unknownPeers), "peers", unknownPeers)
-        }</span>
-
-        <span class="cov4" title="8">multicastGroupBlock := formatCIDR(&amp;c.cache.Config.MulticastGroupBlock)
-
-        data := templateData{
-                MulticastGroupBlock:      multicastGroupBlock,
-                Device:                   device,
-                Vpnv4BgpPeers:            c.cache.Vpnv4BgpPeers,
-                UnknownBgpPeers:          unknownPeers,
-                NoHardware:               c.noHardware,
-                TelemetryTWAMPListenPort: telemetryconfig.TWAMPListenPort,
-        }
-
-        config, err := renderConfig(data)
-        if err != nil </span><span class="cov0" title="0">{
-                getConfigRenderErrors.WithLabelValues(req.GetPubkey()).Inc()
-                err := status.Errorf(codes.Aborted, "config rendering for pubkey %s failed: %v", req.Pubkey, err)
-                return nil, err
-        }</span>
-        <span class="cov4" title="8">return &amp;pb.ConfigResponse{Config: config}, nil</span>
-}
-
-// formatCIDR formats a 5-byte network block into CIDR notation
-func formatCIDR(b *[5]byte) string <span class="cov4" title="8">{
-        ip := net.IPv4(b[0], b[1], b[2], b[3])
-        mask := net.CIDRMask(int(b[4]), 32)
-        return (&amp;net.IPNet{IP: ip, Mask: mask}).String()
-}</span>
-
-// isIPInBlock checks if an IP address is within a 5-byte network block
-func isIPInBlock(ip net.IP, block [5]uint8) bool <span class="cov4" title="12">{
-        network := net.IPv4(block[0], block[1], block[2], block[3])
-        mask := net.CIDRMask(int(block[4]), 32)
-        ipNet := &amp;net.IPNet{IP: network, Mask: mask}
-        return ipNet.Contains(ip)
-}</span>
-</pre>
-		
-		</div>
-	</body>
-	<script>
-	(function() {
-		var files = document.getElementById('files');
-		var visible;
-		files.addEventListener('change', onChange, false);
-		function select(part) {
-			if (visible)
-				visible.style.display = 'none';
-			visible = document.getElementById(part);
-			if (!visible)
-				return;
-			files.value = part;
-			visible.style.display = 'block';
-			location.hash = part;
-		}
-		function onChange() {
-			select(files.value);
-			window.scrollTo(0, 0);
-		}
-		if (location.hash != "") {
-			select(location.hash.substr(1));
-		}
-		if (!visible) {
-			select("file0");
-		}
-	})();
-	</script>
-</html>
diff --git a/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl
index 62d545da1..9572a1124 100644
--- a/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl
@@ -188,6 +188,8 @@ router bgp 65342
    router-id 0.0.0.0
    address-family ipv4
    !
+   address-family vpn-ipv4
+   !
    vrf vrf1
       rd 65342:1
       route-target import vpn-ipv4 65342:1
diff --git a/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl
index d5688bf3f..c4968913b 100644
--- a/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl
@@ -177,6 +177,8 @@ router bgp 65342
    router-id 0.0.0.0
    address-family ipv4
    !
+   address-family vpn-ipv4
+   !
    vrf vrf1
       rd 65342:1
       route-target import vpn-ipv4 65342:1
diff --git a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl
index c1cf9b88d..dc2b8e42e 100644
--- a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl
@@ -188,6 +188,8 @@ router bgp 65342
    router-id 0.0.0.0
    address-family ipv4
    !
+   address-family vpn-ipv4
+   !
    vrf vrf1
       rd 65342:1
       route-target import vpn-ipv4 65342:1
diff --git a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl
index d5688bf3f..c4968913b 100644
--- a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl
@@ -177,6 +177,8 @@ router bgp 65342
    router-id 0.0.0.0
    address-family ipv4
    !
+   address-family vpn-ipv4
+   !
    vrf vrf1
       rd 65342:1
       route-target import vpn-ipv4 65342:1
diff --git a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl
index be06f75d7..335bbea46 100644
--- a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl
@@ -200,6 +200,8 @@ router bgp 65342
    address-family ipv4
       neighbor 169.254.0.1 activate
    !
+   address-family vpn-ipv4
+   !
    vrf vrf1
       rd 65342:1
       route-target import vpn-ipv4 65342:1
diff --git a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl
index d5688bf3f..c4968913b 100644
--- a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl
@@ -177,6 +177,8 @@ router bgp 65342
    router-id 0.0.0.0
    address-family ipv4
    !
+   address-family vpn-ipv4
+   !
    vrf vrf1
       rd 65342:1
       route-target import vpn-ipv4 65342:1
diff --git a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl
index 6902cfe89..8c587ed06 100644
--- a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl
@@ -199,6 +199,8 @@ router bgp 65342
    address-family ipv4
       neighbor 169.254.0.1 activate
    !
+   address-family vpn-ipv4
+   !
    vrf vrf1
       rd 65342:1
       route-target import vpn-ipv4 65342:1
diff --git a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl
index d5688bf3f..c4968913b 100644
--- a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl
@@ -177,6 +177,8 @@ router bgp 65342
    router-id 0.0.0.0
    address-family ipv4
    !
+   address-family vpn-ipv4
+   !
    vrf vrf1
       rd 65342:1
       route-target import vpn-ipv4 65342:1
diff --git a/e2e/internal/devnet/device.go b/e2e/internal/devnet/device.go
index ca3fd794b..d2d069032 100644
--- a/e2e/internal/devnet/device.go
+++ b/e2e/internal/devnet/device.go
@@ -260,7 +260,6 @@ func (d *Device) Start(ctx context.Context) error {
 	commandArgs := []string{
 		"-controller", controllerAddr,
 		"-pubkey", onchainID,
-		"-verbose",
 	}
 
 	// Configure telemetry/metrics publisher keypair if set.

From d7b7c7be63b0ef15a504c9cb1b53aa9b191e2e92 Mon Sep 17 00:00:00 2001
From: Nik Weidenbacher <nik@malbeclabs.com>
Date: Tue, 5 Aug 2025 17:08:14 +0000
Subject: [PATCH 10/18] ipv4-only and msdp peers

---
 .../controller/fixtures/base.config.txt       | 15 ++++-
 .../controller/internal/controller/models.go  | 28 ++++-----
 .../internal/controller/render_test.go        | 25 ++++----
 .../controller/internal/controller/server.go  | 43 +++++++------
 .../internal/controller/server_test.go        | 62 ++++++++++++-------
 .../internal/controller/templates/tunnel.tmpl | 29 ++++++++-
 6 files changed, 129 insertions(+), 73 deletions(-)

diff --git a/controlplane/controller/internal/controller/fixtures/base.config.txt b/controlplane/controller/internal/controller/fixtures/base.config.txt
index 923516efa..7b11d8630 100644
--- a/controlplane/controller/internal/controller/fixtures/base.config.txt
+++ b/controlplane/controller/internal/controller/fixtures/base.config.txt
@@ -49,13 +49,20 @@ system control-plane
 !
 router bgp 65342
    router-id 14.14.14.14
+   no neighbor 12.12.12.12
+   neighbor 12.12.12.12 remote-as 65342
+   neighbor 12.12.12.12 next-hop-self
+   neighbor 12.12.12.12 update-source Loopback256
+   neighbor 12.12.12.12 description remote-dzd-ipv4
+   neighbor 12.12.12.12 send-community
    no neighbor 15.15.15.15
    neighbor 15.15.15.15 remote-as 65342
    neighbor 15.15.15.15 next-hop-self
    neighbor 15.15.15.15 update-source Loopback255
-   neighbor 15.15.15.15 description remote-device
+   neighbor 15.15.15.15 description remote-dzd-vpnv4
    neighbor 15.15.15.15 send-community
    address-family ipv4
+      neighbor 12.12.12.12 activate
       no neighbor 15.15.15.15 activate
    !
    address-family vpn-ipv4
@@ -87,3 +94,9 @@ ip access-list SEC-USER-SUB-MCAST-IN
    permit ip any 224.0.0.13/32
    deny ip any any
 !
+no router msdp
+router msdp
+   peer 12.12.12.12
+      mesh-group DZ-1
+      local-interface Loopback256
+      description remote-dzd-ipv4
diff --git a/controlplane/controller/internal/controller/models.go b/controlplane/controller/internal/controller/models.go
index d8cc9ee36..48efc68c0 100644
--- a/controlplane/controller/internal/controller/models.go
+++ b/controlplane/controller/internal/controller/models.go
@@ -13,15 +13,15 @@ var (
 )
 
 type Device struct {
-	PubKey          string
-	PublicIP        net.IP
-	Vpn4vLoopbackIP net.IP
-	Tunnels         []*Tunnel
-	TunnelSlots     int
-	MgmtVrf         string
-	DnsServers      []net.IP
-	NtpServers      []net.IP
-	Interfaces      []serviceability.Interface
+	PubKey                string
+	PublicIP              net.IP
+	Vpn4vLoopbackIP       net.IP
+	Ip4vLoopbackIP        net.IP
+	Tunnels               []*Tunnel
+	TunnelSlots           int
+	Interfaces            []serviceability.Interface
+	Vpn4vLoopbackIntfName string
+	Ip4vLoopbackIntfName  string
 }
 
 func NewDevice(ip net.IP, publicKey string) *Device {
@@ -66,15 +66,15 @@ type Tunnel struct {
 	MulticastPublishers   []net.IP
 }
 
-type Vpnv4BgpPeer struct {
-	PeerIP    net.IP
-	PeerName  string
-	SourceInt string
+type BgpPeer struct {
+	PeerIP   net.IP
+	PeerName string
 }
 
 type templateData struct {
 	Device                   *Device
-	Vpnv4BgpPeers            []Vpnv4BgpPeer
+	Vpnv4BgpPeers            []BgpPeer
+	Ipv4BgpPeers             []BgpPeer
 	UnknownBgpPeers          []net.IP
 	MulticastGroupBlock      string
 	NoHardware               bool
diff --git a/controlplane/controller/internal/controller/render_test.go b/controlplane/controller/internal/controller/render_test.go
index f1f718117..c085c627c 100644
--- a/controlplane/controller/internal/controller/render_test.go
+++ b/controlplane/controller/internal/controller/render_test.go
@@ -365,15 +365,7 @@ func TestRenderConfig(t *testing.T) {
 				Device: &Device{
 					PublicIP:        net.IP{7, 7, 7, 7},
 					Vpn4vLoopbackIP: net.IP{14, 14, 14, 14},
-					MgmtVrf:         "default",
-					DnsServers: []net.IP{
-						{8, 8, 8, 8},
-						{8, 8, 4, 4},
-					},
-					NtpServers: []net.IP{
-						{216, 240, 36, 24},  // 0.pool.ntp.org
-						{205, 233, 73, 201}, // 0.pool.ntp.org
-					},
+					Ip4vLoopbackIP:  net.IP{13, 13, 13, 13},
 					Interfaces: []serviceability.Interface{
 						{
 							Version:        serviceability.CurrentInterfaceVersion,
@@ -384,12 +376,19 @@ func TestRenderConfig(t *testing.T) {
 							NodeSegmentIdx: 15,
 						},
 					},
+					Vpn4vLoopbackIntfName: "Loopback255",
+					Ip4vLoopbackIntfName:  "Loopback256",
+				},
+				Vpnv4BgpPeers: []BgpPeer{
+					{
+						PeerIP:   net.IP{15, 15, 15, 15},
+						PeerName: "remote-dzd-vpnv4",
+					},
 				},
-				Vpnv4BgpPeers: []Vpnv4BgpPeer{
+				Ipv4BgpPeers: []BgpPeer{
 					{
-						PeerIP:    net.IP{15, 15, 15, 15},
-						PeerName:  "remote-device",
-						SourceInt: "Loopback255",
+						PeerIP:   net.IP{12, 12, 12, 12},
+						PeerName: "remote-dzd-ipv4",
 					},
 				},
 			},
diff --git a/controlplane/controller/internal/controller/server.go b/controlplane/controller/internal/controller/server.go
index ff16f31e6..4b89380a2 100644
--- a/controlplane/controller/internal/controller/server.go
+++ b/controlplane/controller/internal/controller/server.go
@@ -31,7 +31,8 @@ type stateCache struct {
 	Config          serviceability.Config
 	Devices         map[string]*Device
 	MulticastGroups map[string]serviceability.MulticastGroup
-	Vpnv4BgpPeers   []Vpnv4BgpPeer
+	Vpnv4BgpPeers   []BgpPeer
+	Ipv4BgpPeers    []BgpPeer
 }
 
 type Controller struct {
@@ -157,23 +158,34 @@ func (c *Controller) updateStateCache(ctx context.Context) error {
 		devicePubKey := base58.Encode(device.PubKey[:])
 		d := NewDevice(ip, devicePubKey)
 
-		d.MgmtVrf = device.MgmtVrf
 		d.Interfaces = device.Interfaces
 
-		// Build Vpnv4BgpPeers from device interfaces
+		// Build list of peers from device interfaces
 		for _, iface := range device.Interfaces {
 			if iface.InterfaceType == serviceability.InterfaceTypeLoopback &&
 				iface.LoopbackType == serviceability.LoopbackTypeVpnv4 {
 				// Extract IP from IpNet
 				ip := net.IP(iface.IpNet[:4])
-				d.Vpn4vLoopbackIP = ip
+				d.Vpn4vLoopbackIP = ip // Used to set router-id
+				d.Vpn4vLoopbackIntfName = iface.Name
 				// TODO: raise an error if the IP is 0.0.0.0 (not set)
-				peer := Vpnv4BgpPeer{
-					PeerIP:    ip,
-					PeerName:  device.Code,
-					SourceInt: iface.Name,
+				peer := BgpPeer{
+					PeerIP:   ip,
+					PeerName: device.Code,
 				}
 				cache.Vpnv4BgpPeers = append(cache.Vpnv4BgpPeers, peer)
+			} else if iface.InterfaceType == serviceability.InterfaceTypeLoopback &&
+				iface.LoopbackType == serviceability.LoopbackTypeIpv4 {
+				// Extract IP from IpNet
+				ip := net.IP(iface.IpNet[:4])
+				d.Ip4vLoopbackIP = ip // Used to set router-id
+				d.Ip4vLoopbackIntfName = iface.Name
+				// TODO: raise an error if the IP is 0.0.0.0 (not set)
+				peer := BgpPeer{
+					PeerIP:   ip,
+					PeerName: device.Code,
+				}
+				cache.Ipv4BgpPeers = append(cache.Ipv4BgpPeers, peer)
 			}
 		}
 
@@ -182,20 +194,6 @@ func (c *Controller) updateStateCache(ctx context.Context) error {
 			continue
 		}
 
-		if len(device.DnsServers) > 0 {
-			d.DnsServers = make([]net.IP, len(device.DnsServers))
-			for i, dns := range device.DnsServers {
-				d.DnsServers[i] = net.IP(dns[:])
-			}
-		}
-
-		if len(device.NtpServers) > 0 {
-			d.NtpServers = make([]net.IP, len(device.NtpServers))
-			for i, ntp := range device.NtpServers {
-				d.NtpServers[i] = net.IP(ntp[:])
-			}
-		}
-
 		cache.Devices[devicePubKey] = d
 	}
 
@@ -413,6 +411,7 @@ func (c *Controller) GetConfig(ctx context.Context, req *pb.ConfigRequest) (*pb.
 		MulticastGroupBlock:      multicastGroupBlock,
 		Device:                   device,
 		Vpnv4BgpPeers:            c.cache.Vpnv4BgpPeers,
+		Ipv4BgpPeers:             c.cache.Ipv4BgpPeers,
 		UnknownBgpPeers:          unknownPeers,
 		NoHardware:               c.noHardware,
 		TelemetryTWAMPListenPort: telemetryconfig.TWAMPListenPort,
diff --git a/controlplane/controller/internal/controller/server_test.go b/controlplane/controller/internal/controller/server_test.go
index 035668af2..ba52ef255 100644
--- a/controlplane/controller/internal/controller/server_test.go
+++ b/controlplane/controller/internal/controller/server_test.go
@@ -340,19 +340,27 @@ func TestGetConfig(t *testing.T) {
 				Config: serviceability.Config{
 					MulticastGroupBlock: [5]uint8{239, 0, 0, 0, 24},
 				},
-				Vpnv4BgpPeers: []Vpnv4BgpPeer{
+				Vpnv4BgpPeers: []BgpPeer{
 					{
-						PeerIP:    net.IP{15, 15, 15, 15},
-						PeerName:  "remote-device",
-						SourceInt: "Loopback255",
+						PeerIP:   net.IP{15, 15, 15, 15},
+						PeerName: "remote-dzd-vpnv4",
+					},
+				},
+				Ipv4BgpPeers: []BgpPeer{
+					{
+						PeerIP:   net.IP{12, 12, 12, 12},
+						PeerName: "remote-dzd-ipv4",
 					},
 				},
 				Devices: map[string]*Device{
 					"abc123": {
-						PublicIP:        net.IP{7, 7, 7, 7},
-						Vpn4vLoopbackIP: net.IP{14, 14, 14, 14},
-						Tunnels:         []*Tunnel{},
-						TunnelSlots:     0,
+						PublicIP:              net.IP{7, 7, 7, 7},
+						Vpn4vLoopbackIP:       net.IP{14, 14, 14, 14},
+						Ip4vLoopbackIP:        net.IP{13, 13, 13, 13},
+						Vpn4vLoopbackIntfName: "Loopback255",
+						Ip4vLoopbackIntfName:  "Loopback256",
+						Tunnels:               []*Tunnel{},
+						TunnelSlots:           0,
 					},
 				},
 			},
@@ -488,14 +496,12 @@ func TestStateCache(t *testing.T) {
 							IpNet:         [5]uint8{14, 14, 14, 14, 32},
 							Name:          "Loopback255",
 						},
-					},
-					DnsServers: [][4]uint8{
-						{8, 8, 8, 8},
-						{8, 8, 4, 4},
-					},
-					NtpServers: [][4]uint8{
-						{162, 159, 200, 1},
-						{198, 137, 202, 56},
+						{
+							InterfaceType: serviceability.InterfaceTypeLoopback,
+							LoopbackType:  serviceability.LoopbackTypeIpv4,
+							IpNet:         [5]uint8{12, 12, 12, 12, 32},
+							Name:          "Loopback256",
+						},
 					},
 					Status: serviceability.DeviceStatusActivated,
 					Code:   "abc01",
@@ -516,11 +522,16 @@ func TestStateCache(t *testing.T) {
 						},
 					},
 				},
-				Vpnv4BgpPeers: []Vpnv4BgpPeer{
+				Vpnv4BgpPeers: []BgpPeer{
+					{
+						PeerIP:   net.IP{14, 14, 14, 14},
+						PeerName: "abc01",
+					},
+				},
+				Ipv4BgpPeers: []BgpPeer{
 					{
-						PeerIP:    net.IP{14, 14, 14, 14},
-						PeerName:  "abc01",
-						SourceInt: "Loopback255",
+						PeerIP:   net.IP{12, 12, 12, 12},
+						PeerName: "abc01",
 					},
 				},
 				Devices: map[string]*Device{
@@ -528,6 +539,7 @@ func TestStateCache(t *testing.T) {
 						PubKey:          "4uQeVj5tqViQh7yWWGStvkEG1Zmhx6uasJtWCJziofM",
 						PublicIP:        net.IP{2, 2, 2, 2},
 						Vpn4vLoopbackIP: net.IP{14, 14, 14, 14},
+						Ip4vLoopbackIP:  net.IP{12, 12, 12, 12},
 						Tunnels: []*Tunnel{
 							{
 								Id:            500,
@@ -620,8 +632,6 @@ func TestStateCache(t *testing.T) {
 							{Id: 563},
 						},
 						TunnelSlots: 64,
-						DnsServers:  []net.IP{{8, 8, 8, 8}, {8, 8, 4, 4}},
-						NtpServers:  []net.IP{{162, 159, 200, 1}, {198, 137, 202, 56}},
 						Interfaces: []serviceability.Interface{
 							{
 								InterfaceType: serviceability.InterfaceTypeLoopback,
@@ -629,7 +639,15 @@ func TestStateCache(t *testing.T) {
 								IpNet:         [5]uint8{14, 14, 14, 14, 32},
 								Name:          "Loopback255",
 							},
+							{
+								InterfaceType: serviceability.InterfaceTypeLoopback,
+								LoopbackType:  serviceability.LoopbackTypeIpv4,
+								IpNet:         [5]uint8{12, 12, 12, 12, 32},
+								Name:          "Loopback256",
+							},
 						},
+						Vpn4vLoopbackIntfName: "Loopback255",
+						Ip4vLoopbackIntfName:  "Loopback256",
 					},
 				},
 			},
diff --git a/controlplane/controller/internal/controller/templates/tunnel.tmpl b/controlplane/controller/internal/controller/templates/tunnel.tmpl
index 9d3507c9f..f8e220a6d 100644
--- a/controlplane/controller/internal/controller/templates/tunnel.tmpl
+++ b/controlplane/controller/internal/controller/templates/tunnel.tmpl
@@ -85,12 +85,22 @@ interface Tunnel{{ .Id }}
 {{- end }}
 router bgp 65342
    router-id {{ .Device.Vpn4vLoopbackIP }}
+   {{- range .Ipv4BgpPeers }}
+   {{- if ne .PeerIP.String $.Device.Ip4vLoopbackIP.String }}
+   no neighbor {{ .PeerIP }}
+   neighbor {{ .PeerIP }} remote-as 65342
+   neighbor {{ .PeerIP }} next-hop-self
+   neighbor {{ .PeerIP }} update-source {{ $.Device.Ip4vLoopbackIntfName }}
+   neighbor {{ .PeerIP }} description {{ .PeerName }}
+   neighbor {{ .PeerIP }} send-community
+   {{- end }}
+   {{- end }}
    {{- range .Vpnv4BgpPeers }}
    {{- if ne .PeerIP.String $.Device.Vpn4vLoopbackIP.String }}
    no neighbor {{ .PeerIP }}
    neighbor {{ .PeerIP }} remote-as 65342
    neighbor {{ .PeerIP }} next-hop-self
-   neighbor {{ .PeerIP }} update-source {{ .SourceInt }}
+   neighbor {{ .PeerIP }} update-source {{ $.Device.Vpn4vLoopbackIntfName }}
    neighbor {{ .PeerIP }} description {{ .PeerName }}
    neighbor {{ .PeerIP }} send-community
    {{- end }}
@@ -113,6 +123,11 @@ router bgp 65342
       neighbor {{ .OverlayDstIP }} activate
    {{- end }}
    {{- end }}
+   {{- range .Ipv4BgpPeers }}
+   {{- if ne .PeerIP.String $.Device.Ip4vLoopbackIP.String }}
+      neighbor {{ .PeerIP }} activate
+   {{- end }}
+   {{- end }}
    {{- range .Vpnv4BgpPeers }}
    {{- if ne .PeerIP.String $.Device.Vpn4vLoopbackIP.String }}
       no neighbor {{ .PeerIP }} activate
@@ -216,3 +231,15 @@ ip access-list SEC-USER-SUB-MCAST-IN
    permit ip any 224.0.0.13/32
    deny ip any any
 !
+{{- if .Ipv4BgpPeers }}
+no router msdp
+router msdp
+   {{- range .Ipv4BgpPeers }}
+   {{- if ne .PeerIP.String $.Device.Ip4vLoopbackIP.String }}
+   peer {{ .PeerIP }}
+      mesh-group DZ-1
+      local-interface {{ $.Device.Ip4vLoopbackIntfName }}
+      description {{ .PeerName }}
+   {{- end }}
+   {{- end }}
+{{- end }}

From 32fd3e9b2c684bd8dacbe54c83a8512d9bbfe97d Mon Sep 17 00:00:00 2001
From: Nik Weidenbacher <nik@malbeclabs.com>
Date: Tue, 5 Aug 2025 20:07:47 +0000
Subject: [PATCH 11/18] Update e2e to handle vpnv4 bgp peers

---
 e2e/README.md                                 |  2 +
 e2e/device_telemetry_test.go                  | 21 ++++--
 .../doublezero_agent_config_user_added.tmpl   | 58 +++++++++++++++-
 .../doublezero_agent_config_user_removed.tmpl | 58 +++++++++++++++-
 .../doublezero_agent_config_user_added.tmpl   | 58 +++++++++++++++-
 .../doublezero_agent_config_user_removed.tmpl | 58 +++++++++++++++-
 .../doublezero_agent_config_user_added.tmpl   | 69 ++++++++++++++++---
 .../doublezero_agent_config_user_removed.tmpl | 58 +++++++++++++++-
 .../doublezero_agent_config_user_added.tmpl   | 68 +++++++++++++++---
 .../doublezero_agent_config_user_removed.tmpl | 58 +++++++++++++++-
 e2e/ibrl_test.go                              |  4 +-
 e2e/internal/devnet/devnet.go                 |  6 +-
 e2e/multi_client_test.go                      |  2 +-
 e2e/sdk_device_telemetry_test.go              |  4 ++
 14 files changed, 486 insertions(+), 38 deletions(-)

diff --git a/e2e/README.md b/e2e/README.md
index 2c196eff8..6bb52e678 100644
--- a/e2e/README.md
+++ b/e2e/README.md
@@ -48,6 +48,8 @@ make test nobuild
 make test run=TestE2E_IBRL nobuild
 ```
 
+If you want the docker containers to keep running after the tests finish, set the `TESTCONTAINERS_RYUK_DISABLED` env var to `true`. You will need to manually clean up the containers when you're done with them.
+
 ## Topology
 
 Each test spins up a local devnet with all components running in containers, and internal CYOA networks for devices and clients.
diff --git a/e2e/device_telemetry_test.go b/e2e/device_telemetry_test.go
index 539e8a6f6..717e1b91a 100644
--- a/e2e/device_telemetry_test.go
+++ b/e2e/device_telemetry_test.go
@@ -102,8 +102,11 @@ func TestE2E_DeviceTelemetry(t *testing.T) {
 		})
 		require.NoError(t, err)
 
-		err = dn.CreateDeviceVPNv4LoopbackInterface(t.Context(), "la2-dz01")
-		require.NoError(t, err, "failed to create VPNv4 loopback interface for device %s: %w", "la2-dz01", err)
+		err = dn.CreateDeviceLoopbackInterface(t.Context(), "la2-dz01", "Loopback255", "vpnv4")
+		require.NoError(t, err, "failed to create loopback interface %s of type %s for device %s: %w", "Loopback255", "vpnv4", "la2-dz01", err)
+
+		err = dn.CreateDeviceLoopbackInterface(t.Context(), "la2-dz01", "Loopback256", "ipv4")
+		require.NoError(t, err, "failed to create loopback interface %s of type %s for device %s: %w", "Loopback256", "ipv4", "la2-dz01", err)
 
 		// Wait for the telemetry publisher account to be funded.
 		requireEventuallyFunded(t, log, dn.Ledger.GetRPCClient(), telemetryKeypairPK, minBalanceSOL, "telemetry publisher")
@@ -142,8 +145,11 @@ func TestE2E_DeviceTelemetry(t *testing.T) {
 		})
 		require.NoError(t, err)
 
-		err = dn.CreateDeviceVPNv4LoopbackInterface(t.Context(), "ny5-dz01")
-		require.NoError(t, err, "failed to create VPNv4 loopback interface for device %s: %w", "la2-dz01", err)
+		err = dn.CreateDeviceLoopbackInterface(t.Context(), "ny5-dz01", "Loopback255", "vpnv4")
+		require.NoError(t, err, "error", err)
+
+		err = dn.CreateDeviceLoopbackInterface(t.Context(), "ny5-dz01", "Loopback256", "ipv4")
+		require.NoError(t, err, "error", err)
 
 		// Wait for the telemetry publisher account to be funded.
 		requireEventuallyFunded(t, log, dn.Ledger.GetRPCClient(), telemetryKeypairPK, minBalanceSOL, "telemetry publisher")
@@ -177,6 +183,13 @@ func TestE2E_DeviceTelemetry(t *testing.T) {
 			doublezero device interface create ty2-dz01 "Loopback255" loopback --loopback-type vpnv4
 			doublezero device interface create pit-dzd01 "Loopback255" loopback --loopback-type vpnv4
 			doublezero device interface create ams-dz001 "Loopback255" loopback --loopback-type vpnv4
+
+			doublezero device interface create ld4-dz01 "Loopback256" loopback --loopback-type ipv4
+			doublezero device interface create frk-dz01 "Loopback256" loopback --loopback-type ipv4
+			doublezero device interface create sg1-dz01 "Loopback256" loopback --loopback-type ipv4
+			doublezero device interface create ty2-dz01 "Loopback256" loopback --loopback-type ipv4
+			doublezero device interface create pit-dzd01 "Loopback256" loopback --loopback-type ipv4
+			doublezero device interface create ams-dz001 "Loopback256" loopback --loopback-type ipv4
 	`})
 	require.NoError(t, err)
 
diff --git a/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl
index 9572a1124..88f4e5598 100644
--- a/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl
@@ -185,10 +185,66 @@ default interface Tunnel562
 default interface Tunnel563
 !
 router bgp 65342
-   router-id 0.0.0.0
+   router-id 172.16.0.1
+   no neighbor 172.16.0.6
+   neighbor 172.16.0.6 remote-as 65342
+   neighbor 172.16.0.6 next-hop-self
+   neighbor 172.16.0.6 update-source Loopback255
+   neighbor 172.16.0.6 description ty2-dz01
+   neighbor 172.16.0.6 send-community
+   no neighbor 172.16.0.3
+   neighbor 172.16.0.3 remote-as 65342
+   neighbor 172.16.0.3 next-hop-self
+   neighbor 172.16.0.3 update-source Loopback255
+   neighbor 172.16.0.3 description ld4-dz01
+   neighbor 172.16.0.3 send-community
+   no neighbor 172.16.0.2
+   neighbor 172.16.0.2 remote-as 65342
+   neighbor 172.16.0.2 next-hop-self
+   neighbor 172.16.0.2 update-source Loopback255
+   neighbor 172.16.0.2 description la2-dz01
+   neighbor 172.16.0.2 send-community
+   no neighbor 172.16.0.5
+   neighbor 172.16.0.5 remote-as 65342
+   neighbor 172.16.0.5 next-hop-self
+   neighbor 172.16.0.5 update-source Loopback255
+   neighbor 172.16.0.5 description sg1-dz01
+   neighbor 172.16.0.5 send-community
+   no neighbor 172.16.0.8
+   neighbor 172.16.0.8 remote-as 65342
+   neighbor 172.16.0.8 next-hop-self
+   neighbor 172.16.0.8 update-source Loopback255
+   neighbor 172.16.0.8 description ams-dz001
+   neighbor 172.16.0.8 send-community
+   no neighbor 172.16.0.4
+   neighbor 172.16.0.4 remote-as 65342
+   neighbor 172.16.0.4 next-hop-self
+   neighbor 172.16.0.4 update-source Loopback255
+   neighbor 172.16.0.4 description frk-dz01
+   neighbor 172.16.0.4 send-community
+   no neighbor 172.16.0.7
+   neighbor 172.16.0.7 remote-as 65342
+   neighbor 172.16.0.7 next-hop-self
+   neighbor 172.16.0.7 update-source Loopback255
+   neighbor 172.16.0.7 description pit-dzd01
+   neighbor 172.16.0.7 send-community
    address-family ipv4
+      no neighbor 172.16.0.6 activate
+      no neighbor 172.16.0.3 activate
+      no neighbor 172.16.0.2 activate
+      no neighbor 172.16.0.5 activate
+      no neighbor 172.16.0.8 activate
+      no neighbor 172.16.0.4 activate
+      no neighbor 172.16.0.7 activate
    !
    address-family vpn-ipv4
+      neighbor 172.16.0.6 activate
+      neighbor 172.16.0.3 activate
+      neighbor 172.16.0.2 activate
+      neighbor 172.16.0.5 activate
+      neighbor 172.16.0.8 activate
+      neighbor 172.16.0.4 activate
+      neighbor 172.16.0.7 activate
    !
    vrf vrf1
       rd 65342:1
diff --git a/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl
index c4968913b..6feec1a20 100644
--- a/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl
@@ -174,10 +174,66 @@ default interface Tunnel562
 default interface Tunnel563
 !
 router bgp 65342
-   router-id 0.0.0.0
+   router-id 172.16.0.1
+   no neighbor 172.16.0.6
+   neighbor 172.16.0.6 remote-as 65342
+   neighbor 172.16.0.6 next-hop-self
+   neighbor 172.16.0.6 update-source Loopback255
+   neighbor 172.16.0.6 description ty2-dz01
+   neighbor 172.16.0.6 send-community
+   no neighbor 172.16.0.3
+   neighbor 172.16.0.3 remote-as 65342
+   neighbor 172.16.0.3 next-hop-self
+   neighbor 172.16.0.3 update-source Loopback255
+   neighbor 172.16.0.3 description ld4-dz01
+   neighbor 172.16.0.3 send-community
+   no neighbor 172.16.0.2
+   neighbor 172.16.0.2 remote-as 65342
+   neighbor 172.16.0.2 next-hop-self
+   neighbor 172.16.0.2 update-source Loopback255
+   neighbor 172.16.0.2 description la2-dz01
+   neighbor 172.16.0.2 send-community
+   no neighbor 172.16.0.5
+   neighbor 172.16.0.5 remote-as 65342
+   neighbor 172.16.0.5 next-hop-self
+   neighbor 172.16.0.5 update-source Loopback255
+   neighbor 172.16.0.5 description sg1-dz01
+   neighbor 172.16.0.5 send-community
+   no neighbor 172.16.0.8
+   neighbor 172.16.0.8 remote-as 65342
+   neighbor 172.16.0.8 next-hop-self
+   neighbor 172.16.0.8 update-source Loopback255
+   neighbor 172.16.0.8 description ams-dz001
+   neighbor 172.16.0.8 send-community
+   no neighbor 172.16.0.4
+   neighbor 172.16.0.4 remote-as 65342
+   neighbor 172.16.0.4 next-hop-self
+   neighbor 172.16.0.4 update-source Loopback255
+   neighbor 172.16.0.4 description frk-dz01
+   neighbor 172.16.0.4 send-community
+   no neighbor 172.16.0.7
+   neighbor 172.16.0.7 remote-as 65342
+   neighbor 172.16.0.7 next-hop-self
+   neighbor 172.16.0.7 update-source Loopback255
+   neighbor 172.16.0.7 description pit-dzd01
+   neighbor 172.16.0.7 send-community
    address-family ipv4
+      no neighbor 172.16.0.6 activate
+      no neighbor 172.16.0.3 activate
+      no neighbor 172.16.0.2 activate
+      no neighbor 172.16.0.5 activate
+      no neighbor 172.16.0.8 activate
+      no neighbor 172.16.0.4 activate
+      no neighbor 172.16.0.7 activate
    !
    address-family vpn-ipv4
+      neighbor 172.16.0.6 activate
+      neighbor 172.16.0.3 activate
+      neighbor 172.16.0.2 activate
+      neighbor 172.16.0.5 activate
+      neighbor 172.16.0.8 activate
+      neighbor 172.16.0.4 activate
+      neighbor 172.16.0.7 activate
    !
    vrf vrf1
       rd 65342:1
diff --git a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl
index dc2b8e42e..fdfb63299 100644
--- a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl
@@ -185,10 +185,66 @@ default interface Tunnel562
 default interface Tunnel563
 !
 router bgp 65342
-   router-id 0.0.0.0
+   router-id 172.16.0.1
+   no neighbor 172.16.0.6
+   neighbor 172.16.0.6 remote-as 65342
+   neighbor 172.16.0.6 next-hop-self
+   neighbor 172.16.0.6 update-source Loopback255
+   neighbor 172.16.0.6 description ty2-dz01
+   neighbor 172.16.0.6 send-community
+   no neighbor 172.16.0.3
+   neighbor 172.16.0.3 remote-as 65342
+   neighbor 172.16.0.3 next-hop-self
+   neighbor 172.16.0.3 update-source Loopback255
+   neighbor 172.16.0.3 description ld4-dz01
+   neighbor 172.16.0.3 send-community
+   no neighbor 172.16.0.2
+   neighbor 172.16.0.2 remote-as 65342
+   neighbor 172.16.0.2 next-hop-self
+   neighbor 172.16.0.2 update-source Loopback255
+   neighbor 172.16.0.2 description la2-dz01
+   neighbor 172.16.0.2 send-community
+   no neighbor 172.16.0.5
+   neighbor 172.16.0.5 remote-as 65342
+   neighbor 172.16.0.5 next-hop-self
+   neighbor 172.16.0.5 update-source Loopback255
+   neighbor 172.16.0.5 description sg1-dz01
+   neighbor 172.16.0.5 send-community
+   no neighbor 172.16.0.8
+   neighbor 172.16.0.8 remote-as 65342
+   neighbor 172.16.0.8 next-hop-self
+   neighbor 172.16.0.8 update-source Loopback255
+   neighbor 172.16.0.8 description ams-dz001
+   neighbor 172.16.0.8 send-community
+   no neighbor 172.16.0.4
+   neighbor 172.16.0.4 remote-as 65342
+   neighbor 172.16.0.4 next-hop-self
+   neighbor 172.16.0.4 update-source Loopback255
+   neighbor 172.16.0.4 description frk-dz01
+   neighbor 172.16.0.4 send-community
+   no neighbor 172.16.0.7
+   neighbor 172.16.0.7 remote-as 65342
+   neighbor 172.16.0.7 next-hop-self
+   neighbor 172.16.0.7 update-source Loopback255
+   neighbor 172.16.0.7 description pit-dzd01
+   neighbor 172.16.0.7 send-community
    address-family ipv4
+      no neighbor 172.16.0.6 activate
+      no neighbor 172.16.0.3 activate
+      no neighbor 172.16.0.2 activate
+      no neighbor 172.16.0.5 activate
+      no neighbor 172.16.0.8 activate
+      no neighbor 172.16.0.4 activate
+      no neighbor 172.16.0.7 activate
    !
    address-family vpn-ipv4
+      neighbor 172.16.0.6 activate
+      neighbor 172.16.0.3 activate
+      neighbor 172.16.0.2 activate
+      neighbor 172.16.0.5 activate
+      neighbor 172.16.0.8 activate
+      neighbor 172.16.0.4 activate
+      neighbor 172.16.0.7 activate
    !
    vrf vrf1
       rd 65342:1
diff --git a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl
index c4968913b..6feec1a20 100644
--- a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl
@@ -174,10 +174,66 @@ default interface Tunnel562
 default interface Tunnel563
 !
 router bgp 65342
-   router-id 0.0.0.0
+   router-id 172.16.0.1
+   no neighbor 172.16.0.6
+   neighbor 172.16.0.6 remote-as 65342
+   neighbor 172.16.0.6 next-hop-self
+   neighbor 172.16.0.6 update-source Loopback255
+   neighbor 172.16.0.6 description ty2-dz01
+   neighbor 172.16.0.6 send-community
+   no neighbor 172.16.0.3
+   neighbor 172.16.0.3 remote-as 65342
+   neighbor 172.16.0.3 next-hop-self
+   neighbor 172.16.0.3 update-source Loopback255
+   neighbor 172.16.0.3 description ld4-dz01
+   neighbor 172.16.0.3 send-community
+   no neighbor 172.16.0.2
+   neighbor 172.16.0.2 remote-as 65342
+   neighbor 172.16.0.2 next-hop-self
+   neighbor 172.16.0.2 update-source Loopback255
+   neighbor 172.16.0.2 description la2-dz01
+   neighbor 172.16.0.2 send-community
+   no neighbor 172.16.0.5
+   neighbor 172.16.0.5 remote-as 65342
+   neighbor 172.16.0.5 next-hop-self
+   neighbor 172.16.0.5 update-source Loopback255
+   neighbor 172.16.0.5 description sg1-dz01
+   neighbor 172.16.0.5 send-community
+   no neighbor 172.16.0.8
+   neighbor 172.16.0.8 remote-as 65342
+   neighbor 172.16.0.8 next-hop-self
+   neighbor 172.16.0.8 update-source Loopback255
+   neighbor 172.16.0.8 description ams-dz001
+   neighbor 172.16.0.8 send-community
+   no neighbor 172.16.0.4
+   neighbor 172.16.0.4 remote-as 65342
+   neighbor 172.16.0.4 next-hop-self
+   neighbor 172.16.0.4 update-source Loopback255
+   neighbor 172.16.0.4 description frk-dz01
+   neighbor 172.16.0.4 send-community
+   no neighbor 172.16.0.7
+   neighbor 172.16.0.7 remote-as 65342
+   neighbor 172.16.0.7 next-hop-self
+   neighbor 172.16.0.7 update-source Loopback255
+   neighbor 172.16.0.7 description pit-dzd01
+   neighbor 172.16.0.7 send-community
    address-family ipv4
+      no neighbor 172.16.0.6 activate
+      no neighbor 172.16.0.3 activate
+      no neighbor 172.16.0.2 activate
+      no neighbor 172.16.0.5 activate
+      no neighbor 172.16.0.8 activate
+      no neighbor 172.16.0.4 activate
+      no neighbor 172.16.0.7 activate
    !
    address-family vpn-ipv4
+      neighbor 172.16.0.6 activate
+      neighbor 172.16.0.3 activate
+      neighbor 172.16.0.2 activate
+      neighbor 172.16.0.5 activate
+      neighbor 172.16.0.8 activate
+      neighbor 172.16.0.4 activate
+      neighbor 172.16.0.7 activate
    !
    vrf vrf1
       rd 65342:1
diff --git a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl
index 335bbea46..73d31491d 100644
--- a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl
@@ -188,20 +188,67 @@ default interface Tunnel562
 default interface Tunnel563
 !
 router bgp 65342
-   router-id 0.0.0.0
-   no neighbor 169.254.0.1
-   neighbor 169.254.0.1 remote-as 65000
-   neighbor 169.254.0.1 passive
-   neighbor 169.254.0.1 description USER-500
-   neighbor 169.254.0.1 route-map RM-USER-500-IN in
-   neighbor 169.254.0.1 route-map RM-USER-500-OUT out
-   neighbor 169.254.0.1 maximum-routes 1
-   neighbor 169.254.0.1 maximum-accepted-routes 1
+   router-id 172.16.0.1
+   no neighbor 172.16.0.6
+   neighbor 172.16.0.6 remote-as 65342
+   neighbor 172.16.0.6 next-hop-self
+   neighbor 172.16.0.6 update-source Loopback255
+   neighbor 172.16.0.6 description ty2-dz01
+   neighbor 172.16.0.6 send-community
+   no neighbor 172.16.0.3
+   neighbor 172.16.0.3 remote-as 65342
+   neighbor 172.16.0.3 next-hop-self
+   neighbor 172.16.0.3 update-source Loopback255
+   neighbor 172.16.0.3 description ld4-dz01
+   neighbor 172.16.0.3 send-community
+   no neighbor 172.16.0.2
+   neighbor 172.16.0.2 remote-as 65342
+   neighbor 172.16.0.2 next-hop-self
+   neighbor 172.16.0.2 update-source Loopback255
+   neighbor 172.16.0.2 description la2-dz01
+   neighbor 172.16.0.2 send-community
+   no neighbor 172.16.0.5
+   neighbor 172.16.0.5 remote-as 65342
+   neighbor 172.16.0.5 next-hop-self
+   neighbor 172.16.0.5 update-source Loopback255
+   neighbor 172.16.0.5 description sg1-dz01
+   neighbor 172.16.0.5 send-community
+   no neighbor 172.16.0.8
+   neighbor 172.16.0.8 remote-as 65342
+   neighbor 172.16.0.8 next-hop-self
+   neighbor 172.16.0.8 update-source Loopback255
+   neighbor 172.16.0.8 description ams-dz001
+   neighbor 172.16.0.8 send-community
+   no neighbor 172.16.0.4
+   neighbor 172.16.0.4 remote-as 65342
+   neighbor 172.16.0.4 next-hop-self
+   neighbor 172.16.0.4 update-source Loopback255
+   neighbor 172.16.0.4 description frk-dz01
+   neighbor 172.16.0.4 send-community
+   no neighbor 172.16.0.7
+   neighbor 172.16.0.7 remote-as 65342
+   neighbor 172.16.0.7 next-hop-self
+   neighbor 172.16.0.7 update-source Loopback255
+   neighbor 172.16.0.7 description pit-dzd01
+   neighbor 172.16.0.7 send-community
    address-family ipv4
-      neighbor 169.254.0.1 activate
+      no neighbor 172.16.0.6 activate
+      no neighbor 172.16.0.3 activate
+      no neighbor 172.16.0.2 activate
+      no neighbor 172.16.0.5 activate
+      no neighbor 172.16.0.8 activate
+      no neighbor 172.16.0.4 activate
+      no neighbor 172.16.0.7 activate
    !
    address-family vpn-ipv4
-   !
+      neighbor 172.16.0.6 activate
+      neighbor 172.16.0.3 activate
+      neighbor 172.16.0.2 activate
+      neighbor 172.16.0.5 activate
+      neighbor 172.16.0.8 activate
+      neighbor 172.16.0.4 activate
+      neighbor 172.16.0.7 activate
+    !
    vrf vrf1
       rd 65342:1
       route-target import vpn-ipv4 65342:1
diff --git a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl
index c4968913b..6feec1a20 100644
--- a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl
@@ -174,10 +174,66 @@ default interface Tunnel562
 default interface Tunnel563
 !
 router bgp 65342
-   router-id 0.0.0.0
+   router-id 172.16.0.1
+   no neighbor 172.16.0.6
+   neighbor 172.16.0.6 remote-as 65342
+   neighbor 172.16.0.6 next-hop-self
+   neighbor 172.16.0.6 update-source Loopback255
+   neighbor 172.16.0.6 description ty2-dz01
+   neighbor 172.16.0.6 send-community
+   no neighbor 172.16.0.3
+   neighbor 172.16.0.3 remote-as 65342
+   neighbor 172.16.0.3 next-hop-self
+   neighbor 172.16.0.3 update-source Loopback255
+   neighbor 172.16.0.3 description ld4-dz01
+   neighbor 172.16.0.3 send-community
+   no neighbor 172.16.0.2
+   neighbor 172.16.0.2 remote-as 65342
+   neighbor 172.16.0.2 next-hop-self
+   neighbor 172.16.0.2 update-source Loopback255
+   neighbor 172.16.0.2 description la2-dz01
+   neighbor 172.16.0.2 send-community
+   no neighbor 172.16.0.5
+   neighbor 172.16.0.5 remote-as 65342
+   neighbor 172.16.0.5 next-hop-self
+   neighbor 172.16.0.5 update-source Loopback255
+   neighbor 172.16.0.5 description sg1-dz01
+   neighbor 172.16.0.5 send-community
+   no neighbor 172.16.0.8
+   neighbor 172.16.0.8 remote-as 65342
+   neighbor 172.16.0.8 next-hop-self
+   neighbor 172.16.0.8 update-source Loopback255
+   neighbor 172.16.0.8 description ams-dz001
+   neighbor 172.16.0.8 send-community
+   no neighbor 172.16.0.4
+   neighbor 172.16.0.4 remote-as 65342
+   neighbor 172.16.0.4 next-hop-self
+   neighbor 172.16.0.4 update-source Loopback255
+   neighbor 172.16.0.4 description frk-dz01
+   neighbor 172.16.0.4 send-community
+   no neighbor 172.16.0.7
+   neighbor 172.16.0.7 remote-as 65342
+   neighbor 172.16.0.7 next-hop-self
+   neighbor 172.16.0.7 update-source Loopback255
+   neighbor 172.16.0.7 description pit-dzd01
+   neighbor 172.16.0.7 send-community
    address-family ipv4
+      no neighbor 172.16.0.6 activate
+      no neighbor 172.16.0.3 activate
+      no neighbor 172.16.0.2 activate
+      no neighbor 172.16.0.5 activate
+      no neighbor 172.16.0.8 activate
+      no neighbor 172.16.0.4 activate
+      no neighbor 172.16.0.7 activate
    !
    address-family vpn-ipv4
+      neighbor 172.16.0.6 activate
+      neighbor 172.16.0.3 activate
+      neighbor 172.16.0.2 activate
+      neighbor 172.16.0.5 activate
+      neighbor 172.16.0.8 activate
+      neighbor 172.16.0.4 activate
+      neighbor 172.16.0.7 activate
    !
    vrf vrf1
       rd 65342:1
diff --git a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl
index 8c587ed06..87180fc27 100644
--- a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl
@@ -186,20 +186,66 @@ default interface Tunnel562
 !
 default interface Tunnel563
 !
-router bgp 65342
-   router-id 0.0.0.0
-   no neighbor 169.254.0.1
-   neighbor 169.254.0.1 remote-as 65000
-   neighbor 169.254.0.1 passive
-   neighbor 169.254.0.1 description USER-500
-   neighbor 169.254.0.1 route-map RM-USER-500-IN in
-   neighbor 169.254.0.1 route-map RM-USER-500-OUT out
-   neighbor 169.254.0.1 maximum-routes 1
-   neighbor 169.254.0.1 maximum-accepted-routes 1
+   router-id 172.16.0.1
+   no neighbor 172.16.0.6
+   neighbor 172.16.0.6 remote-as 65342
+   neighbor 172.16.0.6 next-hop-self
+   neighbor 172.16.0.6 update-source Loopback255
+   neighbor 172.16.0.6 description ty2-dz01
+   neighbor 172.16.0.6 send-community
+   no neighbor 172.16.0.3
+   neighbor 172.16.0.3 remote-as 65342
+   neighbor 172.16.0.3 next-hop-self
+   neighbor 172.16.0.3 update-source Loopback255
+   neighbor 172.16.0.3 description ld4-dz01
+   neighbor 172.16.0.3 send-community
+   no neighbor 172.16.0.2
+   neighbor 172.16.0.2 remote-as 65342
+   neighbor 172.16.0.2 next-hop-self
+   neighbor 172.16.0.2 update-source Loopback255
+   neighbor 172.16.0.2 description la2-dz01
+   neighbor 172.16.0.2 send-community
+   no neighbor 172.16.0.5
+   neighbor 172.16.0.5 remote-as 65342
+   neighbor 172.16.0.5 next-hop-self
+   neighbor 172.16.0.5 update-source Loopback255
+   neighbor 172.16.0.5 description sg1-dz01
+   neighbor 172.16.0.5 send-community
+   no neighbor 172.16.0.8
+   neighbor 172.16.0.8 remote-as 65342
+   neighbor 172.16.0.8 next-hop-self
+   neighbor 172.16.0.8 update-source Loopback255
+   neighbor 172.16.0.8 description ams-dz001
+   neighbor 172.16.0.8 send-community
+   no neighbor 172.16.0.4
+   neighbor 172.16.0.4 remote-as 65342
+   neighbor 172.16.0.4 next-hop-self
+   neighbor 172.16.0.4 update-source Loopback255
+   neighbor 172.16.0.4 description frk-dz01
+   neighbor 172.16.0.4 send-community
+   no neighbor 172.16.0.7
+   neighbor 172.16.0.7 remote-as 65342
+   neighbor 172.16.0.7 next-hop-self
+   neighbor 172.16.0.7 update-source Loopback255
+   neighbor 172.16.0.7 description pit-dzd01
+   neighbor 172.16.0.7 send-community
    address-family ipv4
-      neighbor 169.254.0.1 activate
+      no neighbor 172.16.0.6 activate
+      no neighbor 172.16.0.3 activate
+      no neighbor 172.16.0.2 activate
+      no neighbor 172.16.0.5 activate
+      no neighbor 172.16.0.8 activate
+      no neighbor 172.16.0.4 activate
+      no neighbor 172.16.0.7 activate
    !
    address-family vpn-ipv4
+      neighbor 172.16.0.6 activate
+      neighbor 172.16.0.3 activate
+      neighbor 172.16.0.2 activate
+      neighbor 172.16.0.5 activate
+      neighbor 172.16.0.8 activate
+      neighbor 172.16.0.4 activate
+      neighbor 172.16.0.7 activate
    !
    vrf vrf1
       rd 65342:1
diff --git a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl
index c4968913b..6feec1a20 100644
--- a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl
@@ -174,10 +174,66 @@ default interface Tunnel562
 default interface Tunnel563
 !
 router bgp 65342
-   router-id 0.0.0.0
+   router-id 172.16.0.1
+   no neighbor 172.16.0.6
+   neighbor 172.16.0.6 remote-as 65342
+   neighbor 172.16.0.6 next-hop-self
+   neighbor 172.16.0.6 update-source Loopback255
+   neighbor 172.16.0.6 description ty2-dz01
+   neighbor 172.16.0.6 send-community
+   no neighbor 172.16.0.3
+   neighbor 172.16.0.3 remote-as 65342
+   neighbor 172.16.0.3 next-hop-self
+   neighbor 172.16.0.3 update-source Loopback255
+   neighbor 172.16.0.3 description ld4-dz01
+   neighbor 172.16.0.3 send-community
+   no neighbor 172.16.0.2
+   neighbor 172.16.0.2 remote-as 65342
+   neighbor 172.16.0.2 next-hop-self
+   neighbor 172.16.0.2 update-source Loopback255
+   neighbor 172.16.0.2 description la2-dz01
+   neighbor 172.16.0.2 send-community
+   no neighbor 172.16.0.5
+   neighbor 172.16.0.5 remote-as 65342
+   neighbor 172.16.0.5 next-hop-self
+   neighbor 172.16.0.5 update-source Loopback255
+   neighbor 172.16.0.5 description sg1-dz01
+   neighbor 172.16.0.5 send-community
+   no neighbor 172.16.0.8
+   neighbor 172.16.0.8 remote-as 65342
+   neighbor 172.16.0.8 next-hop-self
+   neighbor 172.16.0.8 update-source Loopback255
+   neighbor 172.16.0.8 description ams-dz001
+   neighbor 172.16.0.8 send-community
+   no neighbor 172.16.0.4
+   neighbor 172.16.0.4 remote-as 65342
+   neighbor 172.16.0.4 next-hop-self
+   neighbor 172.16.0.4 update-source Loopback255
+   neighbor 172.16.0.4 description frk-dz01
+   neighbor 172.16.0.4 send-community
+   no neighbor 172.16.0.7
+   neighbor 172.16.0.7 remote-as 65342
+   neighbor 172.16.0.7 next-hop-self
+   neighbor 172.16.0.7 update-source Loopback255
+   neighbor 172.16.0.7 description pit-dzd01
+   neighbor 172.16.0.7 send-community
    address-family ipv4
+      no neighbor 172.16.0.6 activate
+      no neighbor 172.16.0.3 activate
+      no neighbor 172.16.0.2 activate
+      no neighbor 172.16.0.5 activate
+      no neighbor 172.16.0.8 activate
+      no neighbor 172.16.0.4 activate
+      no neighbor 172.16.0.7 activate
    !
    address-family vpn-ipv4
+      neighbor 172.16.0.6 activate
+      neighbor 172.16.0.3 activate
+      neighbor 172.16.0.2 activate
+      neighbor 172.16.0.5 activate
+      neighbor 172.16.0.8 activate
+      neighbor 172.16.0.4 activate
+      neighbor 172.16.0.7 activate
    !
    vrf vrf1
       rd 65342:1
diff --git a/e2e/ibrl_test.go b/e2e/ibrl_test.go
index e77557b30..fcb4e51f4 100644
--- a/e2e/ibrl_test.go
+++ b/e2e/ibrl_test.go
@@ -51,7 +51,7 @@ func checkIBRLPostConnect(t *testing.T, dn *TestDevnet, device *devnet.Device, c
 	t.Run("check_post_connect", func(t *testing.T) {
 		dn.log.Info("==> Checking IBRL post-connect requirements")
 
-		if !t.Run("wait_for_agent_config_from_controller", func(t *testing.T) {
+		if !t.Run("wait_for_agent_config_from_controller_post_connect", func(t *testing.T) {
 			config, err := fixtures.Render("fixtures/ibrl/doublezero_agent_config_user_added.tmpl", map[string]string{
 				"ClientIP": client.CYOANetworkIP,
 				"DeviceIP": device.CYOANetworkIP,
@@ -228,7 +228,7 @@ func checkIBRLPostDisconnect(t *testing.T, dn *TestDevnet, device *devnet.Device
 	t.Run("check_post_disconnect", func(t *testing.T) {
 		dn.log.Info("==> Checking IBRL post-disconnect requirements")
 
-		if !t.Run("wait_for_agent_config_from_controller", func(t *testing.T) {
+		if !t.Run("wait_for_agent_config_from_controller_post_disconnect", func(t *testing.T) {
 			config, err := fixtures.Render("fixtures/ibrl/doublezero_agent_config_user_removed.tmpl", map[string]string{
 				"DeviceIP": device.CYOANetworkIP,
 			})
diff --git a/e2e/internal/devnet/devnet.go b/e2e/internal/devnet/devnet.go
index ce08633a5..6906c0e23 100644
--- a/e2e/internal/devnet/devnet.go
+++ b/e2e/internal/devnet/devnet.go
@@ -801,14 +801,14 @@ func generateKeypairIfNotExists(keypairPath string) (bool, error) {
 	return false, nil
 }
 
-func (d *Devnet) CreateDeviceVPNv4LoopbackInterface(ctx context.Context, deviceCode string) error {
+func (d *Devnet) CreateDeviceLoopbackInterface(ctx context.Context, deviceCode string, interfaceName string, loopbackType string) error {
 	d.log.Info("==> Creating VPNv4 loopback interface for device", "code", deviceCode)
 	d.onchainWriteMutex.Lock()
 	defer d.onchainWriteMutex.Unlock()
 
-	_, err := d.Manager.Exec(ctx, []string{"doublezero", "device", "interface", "create", deviceCode, "Loopback255", "loopback", "--loopback-type", "vpnv4"})
+	_, err := d.Manager.Exec(ctx, []string{"doublezero", "device", "interface", "create", deviceCode, interfaceName, "loopback", "--loopback-type", loopbackType})
 	if err != nil {
-		return fmt.Errorf("failed to create VPNv4 loopback interface for device %s: %w", deviceCode, err)
+		return fmt.Errorf("failed to create loopback interface %s of type %s for device %s: %w", interfaceName, loopbackType, deviceCode, err)
 	}
 
 	return nil
diff --git a/e2e/multi_client_test.go b/e2e/multi_client_test.go
index 3e4640939..35fd234a6 100644
--- a/e2e/multi_client_test.go
+++ b/e2e/multi_client_test.go
@@ -56,7 +56,7 @@ func TestE2E_MultiClient(t *testing.T) {
 	devicePK := device.ID
 	log.Info("--> Device added", "deviceCode", deviceCode, "devicePK", devicePK)
 
-	err = dn.CreateDeviceVPNv4LoopbackInterface(t.Context(), deviceCode)
+	err = dn.CreateDeviceLoopbackInterface(t.Context(), deviceCode, "Loopback255", "vpnv4")
 	require.NoError(t, err, "failed to create VPNv4 loopback interface for device %s: %w", deviceCode, err)
 
 	// Wait for device to exist onchain.
diff --git a/e2e/sdk_device_telemetry_test.go b/e2e/sdk_device_telemetry_test.go
index 13ee5c9c5..4de5db0b9 100644
--- a/e2e/sdk_device_telemetry_test.go
+++ b/e2e/sdk_device_telemetry_test.go
@@ -73,6 +73,10 @@ func TestE2E_SDK_Telemetry_DeviceLatencySamples(t *testing.T) {
 		doublezero device interface create ld4-dz01 "Loopback255" loopback --loopback-type vpnv4
 		doublezero device interface create frk-dz01 "Loopback255" loopback --loopback-type vpnv4
 
+		doublezero device interface create la2-dz01 "Loopback256" loopback --loopback-type ipv4
+		doublezero device interface create ny5-dz01 "Loopback256" loopback --loopback-type ipv4
+		doublezero device interface create ld4-dz01 "Loopback256" loopback --loopback-type ipv4
+		doublezero device interface create frk-dz01 "Loopback256" loopback --loopback-type ipv4
 
 		doublezero device interface create la2-dz01 "Loopback255" loopback --loopback-type vpnv4
 		doublezero device interface create ny5-dz01 "Loopback255" loopback --loopback-type vpnv4

From f4f365f649fcd3ccb4c660b320daf9479c4d037f Mon Sep 17 00:00:00 2001
From: Nik Weidenbacher <nik@malbeclabs.com>
Date: Wed, 6 Aug 2025 01:46:50 +0000
Subject: [PATCH 12/18] Fix a typo; ibgp peers are not unknown

---
 .../controller/internal/controller/models.go  |  2 +-
 .../internal/controller/render_test.go        |  2 +-
 .../controller/internal/controller/server.go  | 33 +++++++++++++++++--
 .../internal/controller/server_test.go        | 22 +++++++++++--
 .../internal/controller/templates/tunnel.tmpl |  6 ++--
 5 files changed, 55 insertions(+), 10 deletions(-)

diff --git a/controlplane/controller/internal/controller/models.go b/controlplane/controller/internal/controller/models.go
index 48efc68c0..810b98dd5 100644
--- a/controlplane/controller/internal/controller/models.go
+++ b/controlplane/controller/internal/controller/models.go
@@ -16,7 +16,7 @@ type Device struct {
 	PubKey                string
 	PublicIP              net.IP
 	Vpn4vLoopbackIP       net.IP
-	Ip4vLoopbackIP        net.IP
+	Ipv4LoopbackIP        net.IP
 	Tunnels               []*Tunnel
 	TunnelSlots           int
 	Interfaces            []serviceability.Interface
diff --git a/controlplane/controller/internal/controller/render_test.go b/controlplane/controller/internal/controller/render_test.go
index c085c627c..49ceaf85a 100644
--- a/controlplane/controller/internal/controller/render_test.go
+++ b/controlplane/controller/internal/controller/render_test.go
@@ -365,7 +365,7 @@ func TestRenderConfig(t *testing.T) {
 				Device: &Device{
 					PublicIP:        net.IP{7, 7, 7, 7},
 					Vpn4vLoopbackIP: net.IP{14, 14, 14, 14},
-					Ip4vLoopbackIP:  net.IP{13, 13, 13, 13},
+					Ipv4LoopbackIP:  net.IP{13, 13, 13, 13},
 					Interfaces: []serviceability.Interface{
 						{
 							Version:        serviceability.CurrentInterfaceVersion,
diff --git a/controlplane/controller/internal/controller/server.go b/controlplane/controller/internal/controller/server.go
index 4b89380a2..078c96770 100644
--- a/controlplane/controller/internal/controller/server.go
+++ b/controlplane/controller/internal/controller/server.go
@@ -178,7 +178,7 @@ func (c *Controller) updateStateCache(ctx context.Context) error {
 				iface.LoopbackType == serviceability.LoopbackTypeIpv4 {
 				// Extract IP from IpNet
 				ip := net.IP(iface.IpNet[:4])
-				d.Ip4vLoopbackIP = ip // Used to set router-id
+				d.Ipv4LoopbackIP = ip // Used to set router-id
 				d.Ip4vLoopbackIntfName = iface.Name
 				// TODO: raise an error if the IP is 0.0.0.0 (not set)
 				peer := BgpPeer{
@@ -190,7 +190,12 @@ func (c *Controller) updateStateCache(ctx context.Context) error {
 		}
 
 		if d.Vpn4vLoopbackIP == nil {
-			slog.Error("not adding device to cache", "device pubkey", devicePubKey, "reason", "VPNv4 loopback interface found for device")
+			slog.Error("not adding device to cache", "device pubkey", devicePubKey, "reason", "no VPNv4 loopback interface found for device")
+			continue
+		}
+
+		if d.Ipv4LoopbackIP == nil {
+			slog.Error("not adding device to cache", "device pubkey", devicePubKey, "reason", "no IPv4 loopback interface found for device")
 			continue
 		}
 
@@ -383,6 +388,16 @@ func (c *Controller) GetConfig(ctx context.Context, req *pb.ConfigRequest) (*pb.
 				return true
 			}
 		}
+		for _, bgpPeer := range c.cache.Vpnv4BgpPeers { // TODO: write a test that proves we don't remove ipv4/vpnv4 BGP peers
+			if bgpPeer.PeerIP.Equal(peer) {
+				return true
+			}
+		}
+		for _, bgpPeer := range c.cache.Ipv4BgpPeers {
+			if bgpPeer.PeerIP.Equal(peer) {
+				return true
+			}
+		}
 		return false
 	}
 
@@ -407,16 +422,28 @@ func (c *Controller) GetConfig(ctx context.Context, req *pb.ConfigRequest) (*pb.
 
 	multicastGroupBlock := formatCIDR(&c.cache.Config.MulticastGroupBlock)
 
+	// This check avoids the situation where the template produces the following useless output, which happens in any test case with a single DZD.
+	// ```
+	// no router msdp
+	// router msdp
+	// ```
+	ipv4Peers := c.cache.Ipv4BgpPeers
+	if len(ipv4Peers) == 1 && ipv4Peers[0].PeerIP.Equal(device.Ipv4LoopbackIP) {
+		ipv4Peers = nil
+	}
+
 	data := templateData{
 		MulticastGroupBlock:      multicastGroupBlock,
 		Device:                   device,
 		Vpnv4BgpPeers:            c.cache.Vpnv4BgpPeers,
-		Ipv4BgpPeers:             c.cache.Ipv4BgpPeers,
+		Ipv4BgpPeers:             ipv4Peers,
 		UnknownBgpPeers:          unknownPeers,
 		NoHardware:               c.noHardware,
 		TelemetryTWAMPListenPort: telemetryconfig.TWAMPListenPort,
 	}
 
+	// Write a check
+
 	config, err := renderConfig(data)
 	if err != nil {
 		getConfigRenderErrors.WithLabelValues(req.GetPubkey()).Inc()
diff --git a/controlplane/controller/internal/controller/server_test.go b/controlplane/controller/internal/controller/server_test.go
index ba52ef255..3f7f2133d 100644
--- a/controlplane/controller/internal/controller/server_test.go
+++ b/controlplane/controller/internal/controller/server_test.go
@@ -356,7 +356,7 @@ func TestGetConfig(t *testing.T) {
 					"abc123": {
 						PublicIP:              net.IP{7, 7, 7, 7},
 						Vpn4vLoopbackIP:       net.IP{14, 14, 14, 14},
-						Ip4vLoopbackIP:        net.IP{13, 13, 13, 13},
+						Ipv4LoopbackIP:        net.IP{13, 13, 13, 13},
 						Vpn4vLoopbackIntfName: "Loopback255",
 						Ip4vLoopbackIntfName:  "Loopback256",
 						Tunnels:               []*Tunnel{},
@@ -539,7 +539,7 @@ func TestStateCache(t *testing.T) {
 						PubKey:          "4uQeVj5tqViQh7yWWGStvkEG1Zmhx6uasJtWCJziofM",
 						PublicIP:        net.IP{2, 2, 2, 2},
 						Vpn4vLoopbackIP: net.IP{14, 14, 14, 14},
-						Ip4vLoopbackIP:  net.IP{12, 12, 12, 12},
+						Ipv4LoopbackIP:  net.IP{12, 12, 12, 12},
 						Tunnels: []*Tunnel{
 							{
 								Id:            500,
@@ -848,6 +848,12 @@ func TestEndToEnd(t *testing.T) {
 							IpNet:         [5]uint8{14, 14, 14, 14, 32},
 							Name:          "Loopback255",
 						},
+						{
+							InterfaceType: serviceability.InterfaceTypeLoopback,
+							LoopbackType:  serviceability.LoopbackTypeIpv4,
+							IpNet:         [5]uint8{12, 12, 12, 12, 32},
+							Name:          "Loopback256",
+						},
 					},
 					Status: serviceability.DeviceStatusActivated,
 					Code:   "abc01",
@@ -919,6 +925,12 @@ func TestEndToEnd(t *testing.T) {
 							IpNet:         [5]uint8{14, 14, 14, 14, 32},
 							Name:          "Loopback255",
 						},
+						{
+							InterfaceType: serviceability.InterfaceTypeLoopback,
+							LoopbackType:  serviceability.LoopbackTypeIpv4,
+							IpNet:         [5]uint8{12, 12, 12, 12, 32},
+							Name:          "Loopback256",
+						},
 					},
 					Status: serviceability.DeviceStatusActivated,
 					Code:   "abc01",
@@ -960,6 +972,12 @@ func TestEndToEnd(t *testing.T) {
 							IpNet:         [5]uint8{14, 14, 14, 14, 32},
 							Name:          "Loopback255",
 						},
+						{
+							InterfaceType: serviceability.InterfaceTypeLoopback,
+							LoopbackType:  serviceability.LoopbackTypeIpv4,
+							IpNet:         [5]uint8{12, 12, 12, 12, 32},
+							Name:          "Loopback256",
+						},
 					},
 					Status: serviceability.DeviceStatusActivated,
 					Code:   "abc01",
diff --git a/controlplane/controller/internal/controller/templates/tunnel.tmpl b/controlplane/controller/internal/controller/templates/tunnel.tmpl
index f8e220a6d..0ae79e4dc 100644
--- a/controlplane/controller/internal/controller/templates/tunnel.tmpl
+++ b/controlplane/controller/internal/controller/templates/tunnel.tmpl
@@ -86,7 +86,7 @@ interface Tunnel{{ .Id }}
 router bgp 65342
    router-id {{ .Device.Vpn4vLoopbackIP }}
    {{- range .Ipv4BgpPeers }}
-   {{- if ne .PeerIP.String $.Device.Ip4vLoopbackIP.String }}
+   {{- if ne .PeerIP.String $.Device.Ipv4LoopbackIP.String }}
    no neighbor {{ .PeerIP }}
    neighbor {{ .PeerIP }} remote-as 65342
    neighbor {{ .PeerIP }} next-hop-self
@@ -124,7 +124,7 @@ router bgp 65342
    {{- end }}
    {{- end }}
    {{- range .Ipv4BgpPeers }}
-   {{- if ne .PeerIP.String $.Device.Ip4vLoopbackIP.String }}
+   {{- if ne .PeerIP.String $.Device.Ipv4LoopbackIP.String }}
       neighbor {{ .PeerIP }} activate
    {{- end }}
    {{- end }}
@@ -235,7 +235,7 @@ ip access-list SEC-USER-SUB-MCAST-IN
 no router msdp
 router msdp
    {{- range .Ipv4BgpPeers }}
-   {{- if ne .PeerIP.String $.Device.Ip4vLoopbackIP.String }}
+   {{- if ne .PeerIP.String $.Device.Ipv4LoopbackIP.String }}
    peer {{ .PeerIP }}
       mesh-group DZ-1
       local-interface {{ $.Device.Ip4vLoopbackIntfName }}

From 8679cc5b65c38a8784435f6777b4973279c7e6fc Mon Sep 17 00:00:00 2001
From: Nik Weidenbacher <nik@malbeclabs.com>
Date: Wed, 6 Aug 2025 04:59:48 +0000
Subject: [PATCH 13/18] e2e updates

---
 e2e/device_telemetry_test.go                  | 16 +---
 .../doublezero_agent_config_user_added.tmpl   | 79 ++++++++++++++++
 .../doublezero_agent_config_user_removed.tmpl | 79 ++++++++++++++++
 .../doublezero_agent_config_user_added.tmpl   | 79 ++++++++++++++++
 .../doublezero_agent_config_user_removed.tmpl | 79 ++++++++++++++++
 .../doublezero_agent_config_user_added.tmpl   | 90 ++++++++++++++++++-
 .../doublezero_agent_config_user_removed.tmpl | 79 ++++++++++++++++
 .../doublezero_agent_config_user_added.tmpl   | 89 ++++++++++++++++++
 .../doublezero_agent_config_user_removed.tmpl | 79 ++++++++++++++++
 e2e/main_test.go                              |  9 ++
 e2e/multi_client_test.go                      |  3 +
 11 files changed, 668 insertions(+), 13 deletions(-)

diff --git a/e2e/device_telemetry_test.go b/e2e/device_telemetry_test.go
index 717e1b91a..c5d070095 100644
--- a/e2e/device_telemetry_test.go
+++ b/e2e/device_telemetry_test.go
@@ -102,12 +102,6 @@ func TestE2E_DeviceTelemetry(t *testing.T) {
 		})
 		require.NoError(t, err)
 
-		err = dn.CreateDeviceLoopbackInterface(t.Context(), "la2-dz01", "Loopback255", "vpnv4")
-		require.NoError(t, err, "failed to create loopback interface %s of type %s for device %s: %w", "Loopback255", "vpnv4", "la2-dz01", err)
-
-		err = dn.CreateDeviceLoopbackInterface(t.Context(), "la2-dz01", "Loopback256", "ipv4")
-		require.NoError(t, err, "failed to create loopback interface %s of type %s for device %s: %w", "Loopback256", "ipv4", "la2-dz01", err)
-
 		// Wait for the telemetry publisher account to be funded.
 		requireEventuallyFunded(t, log, dn.Ledger.GetRPCClient(), telemetryKeypairPK, minBalanceSOL, "telemetry publisher")
 	}()
@@ -145,12 +139,6 @@ func TestE2E_DeviceTelemetry(t *testing.T) {
 		})
 		require.NoError(t, err)
 
-		err = dn.CreateDeviceLoopbackInterface(t.Context(), "ny5-dz01", "Loopback255", "vpnv4")
-		require.NoError(t, err, "error", err)
-
-		err = dn.CreateDeviceLoopbackInterface(t.Context(), "ny5-dz01", "Loopback256", "ipv4")
-		require.NoError(t, err, "error", err)
-
 		// Wait for the telemetry publisher account to be funded.
 		requireEventuallyFunded(t, log, dn.Ledger.GetRPCClient(), telemetryKeypairPK, minBalanceSOL, "telemetry publisher")
 	}()
@@ -177,6 +165,8 @@ func TestE2E_DeviceTelemetry(t *testing.T) {
 			doublezero device interface create pit-dzd01 "Switch1/1/1" physical
 			doublezero device interface create ams-dz001 "Switch1/1/1" physical
 
+			doublezero device interface create la2-dz01 "Loopback255" loopback --loopback-type vpnv4
+			doublezero device interface create ny5-dz01 "Loopback255" loopback --loopback-type vpnv4
 			doublezero device interface create ld4-dz01 "Loopback255" loopback --loopback-type vpnv4
 			doublezero device interface create frk-dz01 "Loopback255" loopback --loopback-type vpnv4
 			doublezero device interface create sg1-dz01 "Loopback255" loopback --loopback-type vpnv4
@@ -184,6 +174,8 @@ func TestE2E_DeviceTelemetry(t *testing.T) {
 			doublezero device interface create pit-dzd01 "Loopback255" loopback --loopback-type vpnv4
 			doublezero device interface create ams-dz001 "Loopback255" loopback --loopback-type vpnv4
 
+			doublezero device interface create la2-dz01 "Loopback256" loopback --loopback-type ipv4
+			doublezero device interface create ny5-dz01 "Loopback256" loopback --loopback-type ipv4
 			doublezero device interface create ld4-dz01 "Loopback256" loopback --loopback-type ipv4
 			doublezero device interface create frk-dz01 "Loopback256" loopback --loopback-type ipv4
 			doublezero device interface create sg1-dz01 "Loopback256" loopback --loopback-type ipv4
diff --git a/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl
index 88f4e5598..f65a74213 100644
--- a/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl
@@ -186,6 +186,48 @@ default interface Tunnel563
 !
 router bgp 65342
    router-id 172.16.0.1
+   no neighbor 172.16.0.14
+   neighbor 172.16.0.14 remote-as 65342
+   neighbor 172.16.0.14 next-hop-self
+   neighbor 172.16.0.14 update-source Loopback256
+   neighbor 172.16.0.14 description ty2-dz01
+   neighbor 172.16.0.14 send-community
+   no neighbor 172.16.0.11
+   neighbor 172.16.0.11 remote-as 65342
+   neighbor 172.16.0.11 next-hop-self
+   neighbor 172.16.0.11 update-source Loopback256
+   neighbor 172.16.0.11 description ld4-dz01
+   neighbor 172.16.0.11 send-community
+   no neighbor 172.16.0.10
+   neighbor 172.16.0.10 remote-as 65342
+   neighbor 172.16.0.10 next-hop-self
+   neighbor 172.16.0.10 update-source Loopback256
+   neighbor 172.16.0.10 description la2-dz01
+   neighbor 172.16.0.10 send-community
+   no neighbor 172.16.0.13
+   neighbor 172.16.0.13 remote-as 65342
+   neighbor 172.16.0.13 next-hop-self
+   neighbor 172.16.0.13 update-source Loopback256
+   neighbor 172.16.0.13 description sg1-dz01
+   neighbor 172.16.0.13 send-community
+   no neighbor 172.16.0.16
+   neighbor 172.16.0.16 remote-as 65342
+   neighbor 172.16.0.16 next-hop-self
+   neighbor 172.16.0.16 update-source Loopback256
+   neighbor 172.16.0.16 description ams-dz001
+   neighbor 172.16.0.16 send-community
+   no neighbor 172.16.0.12
+   neighbor 172.16.0.12 remote-as 65342
+   neighbor 172.16.0.12 next-hop-self
+   neighbor 172.16.0.12 update-source Loopback256
+   neighbor 172.16.0.12 description frk-dz01
+   neighbor 172.16.0.12 send-community
+   no neighbor 172.16.0.15
+   neighbor 172.16.0.15 remote-as 65342
+   neighbor 172.16.0.15 next-hop-self
+   neighbor 172.16.0.15 update-source Loopback256
+   neighbor 172.16.0.15 description pit-dzd01
+   neighbor 172.16.0.15 send-community
    no neighbor 172.16.0.6
    neighbor 172.16.0.6 remote-as 65342
    neighbor 172.16.0.6 next-hop-self
@@ -229,6 +271,13 @@ router bgp 65342
    neighbor 172.16.0.7 description pit-dzd01
    neighbor 172.16.0.7 send-community
    address-family ipv4
+      neighbor 172.16.0.14 activate
+      neighbor 172.16.0.11 activate
+      neighbor 172.16.0.10 activate
+      neighbor 172.16.0.13 activate
+      neighbor 172.16.0.16 activate
+      neighbor 172.16.0.12 activate
+      neighbor 172.16.0.15 activate
       no neighbor 172.16.0.6 activate
       no neighbor 172.16.0.3 activate
       no neighbor 172.16.0.2 activate
@@ -735,3 +784,33 @@ ip access-list SEC-USER-SUB-MCAST-IN
    permit ip any 224.0.0.13/32
    deny ip any any
 !
+no router msdp
+router msdp
+   peer 172.16.0.14
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ty2-dz01
+   peer 172.16.0.11
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ld4-dz01
+   peer 172.16.0.10
+      mesh-group DZ-1
+      local-interface Loopback256
+      description la2-dz01
+   peer 172.16.0.13
+      mesh-group DZ-1
+      local-interface Loopback256
+      description sg1-dz01
+   peer 172.16.0.16
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ams-dz001
+   peer 172.16.0.12
+      mesh-group DZ-1
+      local-interface Loopback256
+      description frk-dz01
+   peer 172.16.0.15
+      mesh-group DZ-1
+      local-interface Loopback256
+      description pit-dzd01
diff --git a/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl
index 6feec1a20..bff708de1 100644
--- a/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl
@@ -175,6 +175,48 @@ default interface Tunnel563
 !
 router bgp 65342
    router-id 172.16.0.1
+   no neighbor 172.16.0.14
+   neighbor 172.16.0.14 remote-as 65342
+   neighbor 172.16.0.14 next-hop-self
+   neighbor 172.16.0.14 update-source Loopback256
+   neighbor 172.16.0.14 description ty2-dz01
+   neighbor 172.16.0.14 send-community
+   no neighbor 172.16.0.11
+   neighbor 172.16.0.11 remote-as 65342
+   neighbor 172.16.0.11 next-hop-self
+   neighbor 172.16.0.11 update-source Loopback256
+   neighbor 172.16.0.11 description ld4-dz01
+   neighbor 172.16.0.11 send-community
+   no neighbor 172.16.0.10
+   neighbor 172.16.0.10 remote-as 65342
+   neighbor 172.16.0.10 next-hop-self
+   neighbor 172.16.0.10 update-source Loopback256
+   neighbor 172.16.0.10 description la2-dz01
+   neighbor 172.16.0.10 send-community
+   no neighbor 172.16.0.13
+   neighbor 172.16.0.13 remote-as 65342
+   neighbor 172.16.0.13 next-hop-self
+   neighbor 172.16.0.13 update-source Loopback256
+   neighbor 172.16.0.13 description sg1-dz01
+   neighbor 172.16.0.13 send-community
+   no neighbor 172.16.0.16
+   neighbor 172.16.0.16 remote-as 65342
+   neighbor 172.16.0.16 next-hop-self
+   neighbor 172.16.0.16 update-source Loopback256
+   neighbor 172.16.0.16 description ams-dz001
+   neighbor 172.16.0.16 send-community
+   no neighbor 172.16.0.12
+   neighbor 172.16.0.12 remote-as 65342
+   neighbor 172.16.0.12 next-hop-self
+   neighbor 172.16.0.12 update-source Loopback256
+   neighbor 172.16.0.12 description frk-dz01
+   neighbor 172.16.0.12 send-community
+   no neighbor 172.16.0.15
+   neighbor 172.16.0.15 remote-as 65342
+   neighbor 172.16.0.15 next-hop-self
+   neighbor 172.16.0.15 update-source Loopback256
+   neighbor 172.16.0.15 description pit-dzd01
+   neighbor 172.16.0.15 send-community
    no neighbor 172.16.0.6
    neighbor 172.16.0.6 remote-as 65342
    neighbor 172.16.0.6 next-hop-self
@@ -218,6 +260,13 @@ router bgp 65342
    neighbor 172.16.0.7 description pit-dzd01
    neighbor 172.16.0.7 send-community
    address-family ipv4
+      neighbor 172.16.0.14 activate
+      neighbor 172.16.0.11 activate
+      neighbor 172.16.0.10 activate
+      neighbor 172.16.0.13 activate
+      neighbor 172.16.0.16 activate
+      neighbor 172.16.0.12 activate
+      neighbor 172.16.0.15 activate
       no neighbor 172.16.0.6 activate
       no neighbor 172.16.0.3 activate
       no neighbor 172.16.0.2 activate
@@ -709,3 +758,33 @@ ip access-list SEC-USER-SUB-MCAST-IN
    permit ip any 224.0.0.13/32
    deny ip any any
 !
+no router msdp
+router msdp
+   peer 172.16.0.14
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ty2-dz01
+   peer 172.16.0.11
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ld4-dz01
+   peer 172.16.0.10
+      mesh-group DZ-1
+      local-interface Loopback256
+      description la2-dz01
+   peer 172.16.0.13
+      mesh-group DZ-1
+      local-interface Loopback256
+      description sg1-dz01
+   peer 172.16.0.16
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ams-dz001
+   peer 172.16.0.12
+      mesh-group DZ-1
+      local-interface Loopback256
+      description frk-dz01
+   peer 172.16.0.15
+      mesh-group DZ-1
+      local-interface Loopback256
+      description pit-dzd01
diff --git a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl
index fdfb63299..4c52a5052 100644
--- a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl
@@ -186,6 +186,48 @@ default interface Tunnel563
 !
 router bgp 65342
    router-id 172.16.0.1
+   no neighbor 172.16.0.14
+   neighbor 172.16.0.14 remote-as 65342
+   neighbor 172.16.0.14 next-hop-self
+   neighbor 172.16.0.14 update-source Loopback256
+   neighbor 172.16.0.14 description ty2-dz01
+   neighbor 172.16.0.14 send-community
+   no neighbor 172.16.0.11
+   neighbor 172.16.0.11 remote-as 65342
+   neighbor 172.16.0.11 next-hop-self
+   neighbor 172.16.0.11 update-source Loopback256
+   neighbor 172.16.0.11 description ld4-dz01
+   neighbor 172.16.0.11 send-community
+   no neighbor 172.16.0.10
+   neighbor 172.16.0.10 remote-as 65342
+   neighbor 172.16.0.10 next-hop-self
+   neighbor 172.16.0.10 update-source Loopback256
+   neighbor 172.16.0.10 description la2-dz01
+   neighbor 172.16.0.10 send-community
+   no neighbor 172.16.0.13
+   neighbor 172.16.0.13 remote-as 65342
+   neighbor 172.16.0.13 next-hop-self
+   neighbor 172.16.0.13 update-source Loopback256
+   neighbor 172.16.0.13 description sg1-dz01
+   neighbor 172.16.0.13 send-community
+   no neighbor 172.16.0.16
+   neighbor 172.16.0.16 remote-as 65342
+   neighbor 172.16.0.16 next-hop-self
+   neighbor 172.16.0.16 update-source Loopback256
+   neighbor 172.16.0.16 description ams-dz001
+   neighbor 172.16.0.16 send-community
+   no neighbor 172.16.0.12
+   neighbor 172.16.0.12 remote-as 65342
+   neighbor 172.16.0.12 next-hop-self
+   neighbor 172.16.0.12 update-source Loopback256
+   neighbor 172.16.0.12 description frk-dz01
+   neighbor 172.16.0.12 send-community
+   no neighbor 172.16.0.15
+   neighbor 172.16.0.15 remote-as 65342
+   neighbor 172.16.0.15 next-hop-self
+   neighbor 172.16.0.15 update-source Loopback256
+   neighbor 172.16.0.15 description pit-dzd01
+   neighbor 172.16.0.15 send-community
    no neighbor 172.16.0.6
    neighbor 172.16.0.6 remote-as 65342
    neighbor 172.16.0.6 next-hop-self
@@ -229,6 +271,13 @@ router bgp 65342
    neighbor 172.16.0.7 description pit-dzd01
    neighbor 172.16.0.7 send-community
    address-family ipv4
+      neighbor 172.16.0.14 activate
+      neighbor 172.16.0.11 activate
+      neighbor 172.16.0.10 activate
+      neighbor 172.16.0.13 activate
+      neighbor 172.16.0.16 activate
+      neighbor 172.16.0.12 activate
+      neighbor 172.16.0.15 activate
       no neighbor 172.16.0.6 activate
       no neighbor 172.16.0.3 activate
       no neighbor 172.16.0.2 activate
@@ -735,3 +784,33 @@ ip access-list SEC-USER-SUB-MCAST-IN
    permit ip any 224.0.0.13/32
    deny ip any any
 !
+no router msdp
+router msdp
+   peer 172.16.0.14
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ty2-dz01
+   peer 172.16.0.11
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ld4-dz01
+   peer 172.16.0.10
+      mesh-group DZ-1
+      local-interface Loopback256
+      description la2-dz01
+   peer 172.16.0.13
+      mesh-group DZ-1
+      local-interface Loopback256
+      description sg1-dz01
+   peer 172.16.0.16
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ams-dz001
+   peer 172.16.0.12
+      mesh-group DZ-1
+      local-interface Loopback256
+      description frk-dz01
+   peer 172.16.0.15
+      mesh-group DZ-1
+      local-interface Loopback256
+      description pit-dzd01
diff --git a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl
index 6feec1a20..bff708de1 100644
--- a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl
@@ -175,6 +175,48 @@ default interface Tunnel563
 !
 router bgp 65342
    router-id 172.16.0.1
+   no neighbor 172.16.0.14
+   neighbor 172.16.0.14 remote-as 65342
+   neighbor 172.16.0.14 next-hop-self
+   neighbor 172.16.0.14 update-source Loopback256
+   neighbor 172.16.0.14 description ty2-dz01
+   neighbor 172.16.0.14 send-community
+   no neighbor 172.16.0.11
+   neighbor 172.16.0.11 remote-as 65342
+   neighbor 172.16.0.11 next-hop-self
+   neighbor 172.16.0.11 update-source Loopback256
+   neighbor 172.16.0.11 description ld4-dz01
+   neighbor 172.16.0.11 send-community
+   no neighbor 172.16.0.10
+   neighbor 172.16.0.10 remote-as 65342
+   neighbor 172.16.0.10 next-hop-self
+   neighbor 172.16.0.10 update-source Loopback256
+   neighbor 172.16.0.10 description la2-dz01
+   neighbor 172.16.0.10 send-community
+   no neighbor 172.16.0.13
+   neighbor 172.16.0.13 remote-as 65342
+   neighbor 172.16.0.13 next-hop-self
+   neighbor 172.16.0.13 update-source Loopback256
+   neighbor 172.16.0.13 description sg1-dz01
+   neighbor 172.16.0.13 send-community
+   no neighbor 172.16.0.16
+   neighbor 172.16.0.16 remote-as 65342
+   neighbor 172.16.0.16 next-hop-self
+   neighbor 172.16.0.16 update-source Loopback256
+   neighbor 172.16.0.16 description ams-dz001
+   neighbor 172.16.0.16 send-community
+   no neighbor 172.16.0.12
+   neighbor 172.16.0.12 remote-as 65342
+   neighbor 172.16.0.12 next-hop-self
+   neighbor 172.16.0.12 update-source Loopback256
+   neighbor 172.16.0.12 description frk-dz01
+   neighbor 172.16.0.12 send-community
+   no neighbor 172.16.0.15
+   neighbor 172.16.0.15 remote-as 65342
+   neighbor 172.16.0.15 next-hop-self
+   neighbor 172.16.0.15 update-source Loopback256
+   neighbor 172.16.0.15 description pit-dzd01
+   neighbor 172.16.0.15 send-community
    no neighbor 172.16.0.6
    neighbor 172.16.0.6 remote-as 65342
    neighbor 172.16.0.6 next-hop-self
@@ -218,6 +260,13 @@ router bgp 65342
    neighbor 172.16.0.7 description pit-dzd01
    neighbor 172.16.0.7 send-community
    address-family ipv4
+      neighbor 172.16.0.14 activate
+      neighbor 172.16.0.11 activate
+      neighbor 172.16.0.10 activate
+      neighbor 172.16.0.13 activate
+      neighbor 172.16.0.16 activate
+      neighbor 172.16.0.12 activate
+      neighbor 172.16.0.15 activate
       no neighbor 172.16.0.6 activate
       no neighbor 172.16.0.3 activate
       no neighbor 172.16.0.2 activate
@@ -709,3 +758,33 @@ ip access-list SEC-USER-SUB-MCAST-IN
    permit ip any 224.0.0.13/32
    deny ip any any
 !
+no router msdp
+router msdp
+   peer 172.16.0.14
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ty2-dz01
+   peer 172.16.0.11
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ld4-dz01
+   peer 172.16.0.10
+      mesh-group DZ-1
+      local-interface Loopback256
+      description la2-dz01
+   peer 172.16.0.13
+      mesh-group DZ-1
+      local-interface Loopback256
+      description sg1-dz01
+   peer 172.16.0.16
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ams-dz001
+   peer 172.16.0.12
+      mesh-group DZ-1
+      local-interface Loopback256
+      description frk-dz01
+   peer 172.16.0.15
+      mesh-group DZ-1
+      local-interface Loopback256
+      description pit-dzd01
diff --git a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl
index 73d31491d..9180eedf9 100644
--- a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl
@@ -189,6 +189,48 @@ default interface Tunnel563
 !
 router bgp 65342
    router-id 172.16.0.1
+   no neighbor 172.16.0.14
+   neighbor 172.16.0.14 remote-as 65342
+   neighbor 172.16.0.14 next-hop-self
+   neighbor 172.16.0.14 update-source Loopback256
+   neighbor 172.16.0.14 description ty2-dz01
+   neighbor 172.16.0.14 send-community
+   no neighbor 172.16.0.11
+   neighbor 172.16.0.11 remote-as 65342
+   neighbor 172.16.0.11 next-hop-self
+   neighbor 172.16.0.11 update-source Loopback256
+   neighbor 172.16.0.11 description ld4-dz01
+   neighbor 172.16.0.11 send-community
+   no neighbor 172.16.0.10
+   neighbor 172.16.0.10 remote-as 65342
+   neighbor 172.16.0.10 next-hop-self
+   neighbor 172.16.0.10 update-source Loopback256
+   neighbor 172.16.0.10 description la2-dz01
+   neighbor 172.16.0.10 send-community
+   no neighbor 172.16.0.13
+   neighbor 172.16.0.13 remote-as 65342
+   neighbor 172.16.0.13 next-hop-self
+   neighbor 172.16.0.13 update-source Loopback256
+   neighbor 172.16.0.13 description sg1-dz01
+   neighbor 172.16.0.13 send-community
+   no neighbor 172.16.0.16
+   neighbor 172.16.0.16 remote-as 65342
+   neighbor 172.16.0.16 next-hop-self
+   neighbor 172.16.0.16 update-source Loopback256
+   neighbor 172.16.0.16 description ams-dz001
+   neighbor 172.16.0.16 send-community
+   no neighbor 172.16.0.12
+   neighbor 172.16.0.12 remote-as 65342
+   neighbor 172.16.0.12 next-hop-self
+   neighbor 172.16.0.12 update-source Loopback256
+   neighbor 172.16.0.12 description frk-dz01
+   neighbor 172.16.0.12 send-community
+   no neighbor 172.16.0.15
+   neighbor 172.16.0.15 remote-as 65342
+   neighbor 172.16.0.15 next-hop-self
+   neighbor 172.16.0.15 update-source Loopback256
+   neighbor 172.16.0.15 description pit-dzd01
+   neighbor 172.16.0.15 send-community
    no neighbor 172.16.0.6
    neighbor 172.16.0.6 remote-as 65342
    neighbor 172.16.0.6 next-hop-self
@@ -231,7 +273,23 @@ router bgp 65342
    neighbor 172.16.0.7 update-source Loopback255
    neighbor 172.16.0.7 description pit-dzd01
    neighbor 172.16.0.7 send-community
+   no neighbor 169.254.0.1
+   neighbor 169.254.0.1 remote-as 65000
+   neighbor 169.254.0.1 passive
+   neighbor 169.254.0.1 description USER-500
+   neighbor 169.254.0.1 route-map RM-USER-500-IN in
+   neighbor 169.254.0.1 route-map RM-USER-500-OUT out
+   neighbor 169.254.0.1 maximum-routes 1
+   neighbor 169.254.0.1 maximum-accepted-routes 1
    address-family ipv4
+      neighbor 169.254.0.1 activate
+      neighbor 172.16.0.14 activate
+      neighbor 172.16.0.11 activate
+      neighbor 172.16.0.10 activate
+      neighbor 172.16.0.13 activate
+      neighbor 172.16.0.16 activate
+      neighbor 172.16.0.12 activate
+      neighbor 172.16.0.15 activate
       no neighbor 172.16.0.6 activate
       no neighbor 172.16.0.3 activate
       no neighbor 172.16.0.2 activate
@@ -248,7 +306,7 @@ router bgp 65342
       neighbor 172.16.0.8 activate
       neighbor 172.16.0.4 activate
       neighbor 172.16.0.7 activate
-    !
+   !
    vrf vrf1
       rd 65342:1
       route-target import vpn-ipv4 65342:1
@@ -735,3 +793,33 @@ ip access-list SEC-USER-SUB-MCAST-IN
    permit ip any 224.0.0.13/32
    deny ip any any
 !
+no router msdp
+router msdp
+   peer 172.16.0.14
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ty2-dz01
+   peer 172.16.0.11
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ld4-dz01
+   peer 172.16.0.10
+      mesh-group DZ-1
+      local-interface Loopback256
+      description la2-dz01
+   peer 172.16.0.13
+      mesh-group DZ-1
+      local-interface Loopback256
+      description sg1-dz01
+   peer 172.16.0.16
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ams-dz001
+   peer 172.16.0.12
+      mesh-group DZ-1
+      local-interface Loopback256
+      description frk-dz01
+   peer 172.16.0.15
+      mesh-group DZ-1
+      local-interface Loopback256
+      description pit-dzd01
diff --git a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl
index 6feec1a20..bff708de1 100644
--- a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl
@@ -175,6 +175,48 @@ default interface Tunnel563
 !
 router bgp 65342
    router-id 172.16.0.1
+   no neighbor 172.16.0.14
+   neighbor 172.16.0.14 remote-as 65342
+   neighbor 172.16.0.14 next-hop-self
+   neighbor 172.16.0.14 update-source Loopback256
+   neighbor 172.16.0.14 description ty2-dz01
+   neighbor 172.16.0.14 send-community
+   no neighbor 172.16.0.11
+   neighbor 172.16.0.11 remote-as 65342
+   neighbor 172.16.0.11 next-hop-self
+   neighbor 172.16.0.11 update-source Loopback256
+   neighbor 172.16.0.11 description ld4-dz01
+   neighbor 172.16.0.11 send-community
+   no neighbor 172.16.0.10
+   neighbor 172.16.0.10 remote-as 65342
+   neighbor 172.16.0.10 next-hop-self
+   neighbor 172.16.0.10 update-source Loopback256
+   neighbor 172.16.0.10 description la2-dz01
+   neighbor 172.16.0.10 send-community
+   no neighbor 172.16.0.13
+   neighbor 172.16.0.13 remote-as 65342
+   neighbor 172.16.0.13 next-hop-self
+   neighbor 172.16.0.13 update-source Loopback256
+   neighbor 172.16.0.13 description sg1-dz01
+   neighbor 172.16.0.13 send-community
+   no neighbor 172.16.0.16
+   neighbor 172.16.0.16 remote-as 65342
+   neighbor 172.16.0.16 next-hop-self
+   neighbor 172.16.0.16 update-source Loopback256
+   neighbor 172.16.0.16 description ams-dz001
+   neighbor 172.16.0.16 send-community
+   no neighbor 172.16.0.12
+   neighbor 172.16.0.12 remote-as 65342
+   neighbor 172.16.0.12 next-hop-self
+   neighbor 172.16.0.12 update-source Loopback256
+   neighbor 172.16.0.12 description frk-dz01
+   neighbor 172.16.0.12 send-community
+   no neighbor 172.16.0.15
+   neighbor 172.16.0.15 remote-as 65342
+   neighbor 172.16.0.15 next-hop-self
+   neighbor 172.16.0.15 update-source Loopback256
+   neighbor 172.16.0.15 description pit-dzd01
+   neighbor 172.16.0.15 send-community
    no neighbor 172.16.0.6
    neighbor 172.16.0.6 remote-as 65342
    neighbor 172.16.0.6 next-hop-self
@@ -218,6 +260,13 @@ router bgp 65342
    neighbor 172.16.0.7 description pit-dzd01
    neighbor 172.16.0.7 send-community
    address-family ipv4
+      neighbor 172.16.0.14 activate
+      neighbor 172.16.0.11 activate
+      neighbor 172.16.0.10 activate
+      neighbor 172.16.0.13 activate
+      neighbor 172.16.0.16 activate
+      neighbor 172.16.0.12 activate
+      neighbor 172.16.0.15 activate
       no neighbor 172.16.0.6 activate
       no neighbor 172.16.0.3 activate
       no neighbor 172.16.0.2 activate
@@ -709,3 +758,33 @@ ip access-list SEC-USER-SUB-MCAST-IN
    permit ip any 224.0.0.13/32
    deny ip any any
 !
+no router msdp
+router msdp
+   peer 172.16.0.14
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ty2-dz01
+   peer 172.16.0.11
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ld4-dz01
+   peer 172.16.0.10
+      mesh-group DZ-1
+      local-interface Loopback256
+      description la2-dz01
+   peer 172.16.0.13
+      mesh-group DZ-1
+      local-interface Loopback256
+      description sg1-dz01
+   peer 172.16.0.16
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ams-dz001
+   peer 172.16.0.12
+      mesh-group DZ-1
+      local-interface Loopback256
+      description frk-dz01
+   peer 172.16.0.15
+      mesh-group DZ-1
+      local-interface Loopback256
+      description pit-dzd01
diff --git a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl
index 87180fc27..8023a9dcd 100644
--- a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl
@@ -186,7 +186,50 @@ default interface Tunnel562
 !
 default interface Tunnel563
 !
+router bgp 65342
    router-id 172.16.0.1
+   no neighbor 172.16.0.14
+   neighbor 172.16.0.14 remote-as 65342
+   neighbor 172.16.0.14 next-hop-self
+   neighbor 172.16.0.14 update-source Loopback256
+   neighbor 172.16.0.14 description ty2-dz01
+   neighbor 172.16.0.14 send-community
+   no neighbor 172.16.0.11
+   neighbor 172.16.0.11 remote-as 65342
+   neighbor 172.16.0.11 next-hop-self
+   neighbor 172.16.0.11 update-source Loopback256
+   neighbor 172.16.0.11 description ld4-dz01
+   neighbor 172.16.0.11 send-community
+   no neighbor 172.16.0.10
+   neighbor 172.16.0.10 remote-as 65342
+   neighbor 172.16.0.10 next-hop-self
+   neighbor 172.16.0.10 update-source Loopback256
+   neighbor 172.16.0.10 description la2-dz01
+   neighbor 172.16.0.10 send-community
+   no neighbor 172.16.0.13
+   neighbor 172.16.0.13 remote-as 65342
+   neighbor 172.16.0.13 next-hop-self
+   neighbor 172.16.0.13 update-source Loopback256
+   neighbor 172.16.0.13 description sg1-dz01
+   neighbor 172.16.0.13 send-community
+   no neighbor 172.16.0.16
+   neighbor 172.16.0.16 remote-as 65342
+   neighbor 172.16.0.16 next-hop-self
+   neighbor 172.16.0.16 update-source Loopback256
+   neighbor 172.16.0.16 description ams-dz001
+   neighbor 172.16.0.16 send-community
+   no neighbor 172.16.0.12
+   neighbor 172.16.0.12 remote-as 65342
+   neighbor 172.16.0.12 next-hop-self
+   neighbor 172.16.0.12 update-source Loopback256
+   neighbor 172.16.0.12 description frk-dz01
+   neighbor 172.16.0.12 send-community
+   no neighbor 172.16.0.15
+   neighbor 172.16.0.15 remote-as 65342
+   neighbor 172.16.0.15 next-hop-self
+   neighbor 172.16.0.15 update-source Loopback256
+   neighbor 172.16.0.15 description pit-dzd01
+   neighbor 172.16.0.15 send-community
    no neighbor 172.16.0.6
    neighbor 172.16.0.6 remote-as 65342
    neighbor 172.16.0.6 next-hop-self
@@ -229,7 +272,23 @@ default interface Tunnel563
    neighbor 172.16.0.7 update-source Loopback255
    neighbor 172.16.0.7 description pit-dzd01
    neighbor 172.16.0.7 send-community
+   no neighbor 169.254.0.1
+   neighbor 169.254.0.1 remote-as 65000
+   neighbor 169.254.0.1 passive
+   neighbor 169.254.0.1 description USER-500
+   neighbor 169.254.0.1 route-map RM-USER-500-IN in
+   neighbor 169.254.0.1 route-map RM-USER-500-OUT out
+   neighbor 169.254.0.1 maximum-routes 1
+   neighbor 169.254.0.1 maximum-accepted-routes 1
    address-family ipv4
+      neighbor 169.254.0.1 activate
+      neighbor 172.16.0.14 activate
+      neighbor 172.16.0.11 activate
+      neighbor 172.16.0.10 activate
+      neighbor 172.16.0.13 activate
+      neighbor 172.16.0.16 activate
+      neighbor 172.16.0.12 activate
+      neighbor 172.16.0.15 activate
       no neighbor 172.16.0.6 activate
       no neighbor 172.16.0.3 activate
       no neighbor 172.16.0.2 activate
@@ -733,3 +792,33 @@ ip access-list SEC-USER-SUB-MCAST-IN
    permit ip any 224.0.0.13/32
    deny ip any any
 !
+no router msdp
+router msdp
+   peer 172.16.0.14
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ty2-dz01
+   peer 172.16.0.11
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ld4-dz01
+   peer 172.16.0.10
+      mesh-group DZ-1
+      local-interface Loopback256
+      description la2-dz01
+   peer 172.16.0.13
+      mesh-group DZ-1
+      local-interface Loopback256
+      description sg1-dz01
+   peer 172.16.0.16
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ams-dz001
+   peer 172.16.0.12
+      mesh-group DZ-1
+      local-interface Loopback256
+      description frk-dz01
+   peer 172.16.0.15
+      mesh-group DZ-1
+      local-interface Loopback256
+      description pit-dzd01
diff --git a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl
index 6feec1a20..bff708de1 100644
--- a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl
@@ -175,6 +175,48 @@ default interface Tunnel563
 !
 router bgp 65342
    router-id 172.16.0.1
+   no neighbor 172.16.0.14
+   neighbor 172.16.0.14 remote-as 65342
+   neighbor 172.16.0.14 next-hop-self
+   neighbor 172.16.0.14 update-source Loopback256
+   neighbor 172.16.0.14 description ty2-dz01
+   neighbor 172.16.0.14 send-community
+   no neighbor 172.16.0.11
+   neighbor 172.16.0.11 remote-as 65342
+   neighbor 172.16.0.11 next-hop-self
+   neighbor 172.16.0.11 update-source Loopback256
+   neighbor 172.16.0.11 description ld4-dz01
+   neighbor 172.16.0.11 send-community
+   no neighbor 172.16.0.10
+   neighbor 172.16.0.10 remote-as 65342
+   neighbor 172.16.0.10 next-hop-self
+   neighbor 172.16.0.10 update-source Loopback256
+   neighbor 172.16.0.10 description la2-dz01
+   neighbor 172.16.0.10 send-community
+   no neighbor 172.16.0.13
+   neighbor 172.16.0.13 remote-as 65342
+   neighbor 172.16.0.13 next-hop-self
+   neighbor 172.16.0.13 update-source Loopback256
+   neighbor 172.16.0.13 description sg1-dz01
+   neighbor 172.16.0.13 send-community
+   no neighbor 172.16.0.16
+   neighbor 172.16.0.16 remote-as 65342
+   neighbor 172.16.0.16 next-hop-self
+   neighbor 172.16.0.16 update-source Loopback256
+   neighbor 172.16.0.16 description ams-dz001
+   neighbor 172.16.0.16 send-community
+   no neighbor 172.16.0.12
+   neighbor 172.16.0.12 remote-as 65342
+   neighbor 172.16.0.12 next-hop-self
+   neighbor 172.16.0.12 update-source Loopback256
+   neighbor 172.16.0.12 description frk-dz01
+   neighbor 172.16.0.12 send-community
+   no neighbor 172.16.0.15
+   neighbor 172.16.0.15 remote-as 65342
+   neighbor 172.16.0.15 next-hop-self
+   neighbor 172.16.0.15 update-source Loopback256
+   neighbor 172.16.0.15 description pit-dzd01
+   neighbor 172.16.0.15 send-community
    no neighbor 172.16.0.6
    neighbor 172.16.0.6 remote-as 65342
    neighbor 172.16.0.6 next-hop-self
@@ -218,6 +260,13 @@ router bgp 65342
    neighbor 172.16.0.7 description pit-dzd01
    neighbor 172.16.0.7 send-community
    address-family ipv4
+      neighbor 172.16.0.14 activate
+      neighbor 172.16.0.11 activate
+      neighbor 172.16.0.10 activate
+      neighbor 172.16.0.13 activate
+      neighbor 172.16.0.16 activate
+      neighbor 172.16.0.12 activate
+      neighbor 172.16.0.15 activate
       no neighbor 172.16.0.6 activate
       no neighbor 172.16.0.3 activate
       no neighbor 172.16.0.2 activate
@@ -709,3 +758,33 @@ ip access-list SEC-USER-SUB-MCAST-IN
    permit ip any 224.0.0.13/32
    deny ip any any
 !
+no router msdp
+router msdp
+   peer 172.16.0.14
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ty2-dz01
+   peer 172.16.0.11
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ld4-dz01
+   peer 172.16.0.10
+      mesh-group DZ-1
+      local-interface Loopback256
+      description la2-dz01
+   peer 172.16.0.13
+      mesh-group DZ-1
+      local-interface Loopback256
+      description sg1-dz01
+   peer 172.16.0.16
+      mesh-group DZ-1
+      local-interface Loopback256
+      description ams-dz001
+   peer 172.16.0.12
+      mesh-group DZ-1
+      local-interface Loopback256
+      description frk-dz01
+   peer 172.16.0.15
+      mesh-group DZ-1
+      local-interface Loopback256
+      description pit-dzd01
diff --git a/e2e/main_test.go b/e2e/main_test.go
index 2f899a3a3..d5e543bdf 100644
--- a/e2e/main_test.go
+++ b/e2e/main_test.go
@@ -192,6 +192,15 @@ func (dn *TestDevnet) Start(t *testing.T) (*devnet.Device, *devnet.Client) {
 		doublezero device interface create pit-dzd01 "Loopback255" loopback --loopback-type vpnv4
 		doublezero device interface create ams-dz001 "Loopback255" loopback --loopback-type vpnv4
 
+		doublezero device interface create ny5-dz01 "Loopback256" loopback --loopback-type ipv4
+		doublezero device interface create la2-dz01 "Loopback256" loopback --loopback-type ipv4
+		doublezero device interface create ld4-dz01 "Loopback256" loopback --loopback-type ipv4
+		doublezero device interface create frk-dz01 "Loopback256" loopback --loopback-type ipv4
+		doublezero device interface create sg1-dz01 "Loopback256" loopback --loopback-type ipv4
+		doublezero device interface create ty2-dz01 "Loopback256" loopback --loopback-type ipv4
+		doublezero device interface create pit-dzd01 "Loopback256" loopback --loopback-type ipv4
+		doublezero device interface create ams-dz001 "Loopback256" loopback --loopback-type ipv4
+
 		echo "==> Populate link information onchain"
 		doublezero link create wan --code "la2-dz01:ny5-dz01" --contributor co01 --side-a la2-dz01 --side-a-interface Switch1/1/1 --side-z ny5-dz01 --side-z-interface Switch1/1/1 --bandwidth "10 Gbps" --mtu 9000 --delay-ms 40 --jitter-ms 3
 		doublezero link create wan --code "ny5-dz01:ld4-dz01" --contributor co01 --side-a ny5-dz01 --side-a-interface Switch1/1/1 --side-z ld4-dz01 --side-z-interface Switch1/1/1 --bandwidth "10 Gbps" --mtu 9000 --delay-ms 30 --jitter-ms 3
diff --git a/e2e/multi_client_test.go b/e2e/multi_client_test.go
index 35fd234a6..7331682e8 100644
--- a/e2e/multi_client_test.go
+++ b/e2e/multi_client_test.go
@@ -59,6 +59,9 @@ func TestE2E_MultiClient(t *testing.T) {
 	err = dn.CreateDeviceLoopbackInterface(t.Context(), deviceCode, "Loopback255", "vpnv4")
 	require.NoError(t, err, "failed to create VPNv4 loopback interface for device %s: %w", deviceCode, err)
 
+	err = dn.CreateDeviceLoopbackInterface(t.Context(), deviceCode, "Loopback256", "ipv4")
+	require.NoError(t, err, "failed to create IPv4 loopback interface for device %s: %w", deviceCode, err)
+
 	// Wait for device to exist onchain.
 	log.Info("==> Waiting for device to exist onchain")
 	serviceabilityClient, err := dn.Ledger.GetServiceabilityClient()

From 2109e4da761d9f5e99751e9fb30b62e2b3229327 Mon Sep 17 00:00:00 2001
From: Nik Weidenbacher <nik@malbeclabs.com>
Date: Wed, 6 Aug 2025 14:16:06 +0000
Subject: [PATCH 14/18] Fix e2e telemetry test

---
 e2e/device_telemetry_test.go                   | 6 +++---
 e2e/internal/devnet/device/startup-config.tmpl | 8 +++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/e2e/device_telemetry_test.go b/e2e/device_telemetry_test.go
index c5d070095..879a1ca0e 100644
--- a/e2e/device_telemetry_test.go
+++ b/e2e/device_telemetry_test.go
@@ -200,9 +200,9 @@ func TestE2E_DeviceTelemetry(t *testing.T) {
 	// Manually create tunnel interfaces on the devices.
 	// NOTE: This is a workaround until tunnels on devices are configured automatically when links
 	// are created.
-	la2ToNY5LinkTunnelLA2IP := "172.16.0.0" // 172.16.0.0/31 expected to be allocated to this link by the activator
-	la2ToNY5LinkTunnelNY5IP := "172.16.0.1" // 172.16.0.0/31 expected to be allocated to this link by the activator
-	ny5ToLD4LinkTunnelNY5IP := "172.16.0.2" // 172.16.0.2/31 expected to be allocated to this link by the activator
+	la2ToNY5LinkTunnelLA2IP := "172.16.0.18" // 172.16.0.0/31 expected to be allocated to this link by the activator
+	la2ToNY5LinkTunnelNY5IP := "172.16.0.19" // 172.16.0.0/31 expected to be allocated to this link by the activator
+	ny5ToLD4LinkTunnelNY5IP := "172.16.0.20" // 172.16.0.2/31 expected to be allocated to this link by the activator
 	func() {
 		la2Device := dn.Devices["la2-dz01"]
 		ny5Device := dn.Devices["ny5-dz01"]
diff --git a/e2e/internal/devnet/device/startup-config.tmpl b/e2e/internal/devnet/device/startup-config.tmpl
index 5bfab9a10..bff6749fe 100644
--- a/e2e/internal/devnet/device/startup-config.tmpl
+++ b/e2e/internal/devnet/device/startup-config.tmpl
@@ -54,7 +54,7 @@ management api gnmi
    vrf management
 {{- end }}
 !
-ip access-list MAIN-CONTROL-PLANE-ACL-MGMT
+ip access-list MAIN-CONTROL-PLANE-ACL
    counters per-entry
    10 permit icmp any any
    20 permit ip any any tracked
@@ -83,14 +83,16 @@ ip access-list MAIN-CONTROL-PLANE-ACL-MGMT
    250 permit udp any any eq 8503
    260 permit udp any any eq lsp-ping
    270 permit udp any eq lsp-ping any
-
+   280 remark Permit TWAMP (UDP 862)
+   290 permit udp any any eq 862
    {{- if .TelemetryMetricsEnable }}
    990 remark Permit doublezero-telemetry prometheus metrics (TCP {{ .TelemetryMetricsPort }})
    999 permit tcp any any eq {{ .TelemetryMetricsPort }}
    {{- end }}
 !
 system control-plane
-   ip access-group MAIN-CONTROL-PLANE-ACL-MGMT vrf management in
+   ip access-group MAIN-CONTROL-PLANE-ACL vrf management in
+   ip access-group MAIN-CONTROL-PLANE-ACL in
 !
 no service interface inactive port-id allocation disabled
 !

From 64ecee2859b1829d0186e9ea4ea07fc0532cf40f Mon Sep 17 00:00:00 2001
From: Nik Weidenbacher <nik@malbeclabs.com>
Date: Wed, 6 Aug 2025 16:24:31 +0000
Subject: [PATCH 15/18] Make TunnelTunnelBlock match testnet

---
 .../internal/controller/fixtures/e2e.last.user.txt        | 3 +++
 .../internal/controller/fixtures/e2e.peer.removal.txt     | 6 +++---
 .../controller/internal/controller/server_test.go         | 8 ++++----
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/controlplane/controller/internal/controller/fixtures/e2e.last.user.txt b/controlplane/controller/internal/controller/fixtures/e2e.last.user.txt
index 295bec73a..74d49bddc 100644
--- a/controlplane/controller/internal/controller/fixtures/e2e.last.user.txt
+++ b/controlplane/controller/internal/controller/fixtures/e2e.last.user.txt
@@ -178,9 +178,11 @@ default interface Tunnel563
 router bgp 65342
    router-id 14.14.14.14
    address-family ipv4
+      no neighbor 172.16.0.1
       no neighbor 169.254.0.13
    !
    address-family vpn-ipv4
+      no neighbor 172.16.0.1
       no neighbor 169.254.0.13
    !
    vrf vrf1
@@ -188,6 +190,7 @@ router bgp 65342
       route-target import vpn-ipv4 65342:1
       route-target export vpn-ipv4 65342:1
       router-id 2.2.2.2
+      no neighbor 172.16.0.1
       no neighbor 169.254.0.13
 !
 ip community-list COMM-ALL_USERS permit 21682:1200
diff --git a/controlplane/controller/internal/controller/fixtures/e2e.peer.removal.txt b/controlplane/controller/internal/controller/fixtures/e2e.peer.removal.txt
index 77790ed7d..651fd6de7 100644
--- a/controlplane/controller/internal/controller/fixtures/e2e.peer.removal.txt
+++ b/controlplane/controller/internal/controller/fixtures/e2e.peer.removal.txt
@@ -212,11 +212,11 @@ router bgp 65342
    neighbor 169.254.0.3 maximum-accepted-routes 1
    address-family ipv4
       neighbor 169.254.0.3 activate
-      no neighbor 172.17.0.1
+      no neighbor 172.16.0.1
       no neighbor 169.254.0.7
    !
    address-family vpn-ipv4
-      no neighbor 172.17.0.1
+      no neighbor 172.16.0.1
       no neighbor 169.254.0.7
    !
    vrf vrf1
@@ -232,7 +232,7 @@ router bgp 65342
       neighbor 169.254.0.1 route-map RM-USER-500-OUT out
       neighbor 169.254.0.1 maximum-routes 1
       neighbor 169.254.0.1 maximum-accepted-routes 1
-      no neighbor 172.17.0.1
+      no neighbor 172.16.0.1
       no neighbor 169.254.0.7
 !
 ip community-list COMM-ALL_USERS permit 21682:1200
diff --git a/controlplane/controller/internal/controller/server_test.go b/controlplane/controller/internal/controller/server_test.go
index 3f7f2133d..605c7b11d 100644
--- a/controlplane/controller/internal/controller/server_test.go
+++ b/controlplane/controller/internal/controller/server_test.go
@@ -870,7 +870,7 @@ func TestEndToEnd(t *testing.T) {
 			Name: "remove_unknown_peers_successfully",
 			Config: serviceability.Config{
 				MulticastGroupBlock: [5]uint8{239, 0, 0, 0, 24},
-				TunnelTunnelBlock:   [5]uint8{172, 17, 0, 0, 16},
+				TunnelTunnelBlock:   [5]uint8{172, 16, 0, 0, 16},
 				UserTunnelBlock:     [5]uint8{169, 254, 0, 0, 16},
 			},
 			MulticastGroups: []serviceability.MulticastGroup{
@@ -941,8 +941,8 @@ func TestEndToEnd(t *testing.T) {
 				Pubkey: "4uQeVj5tqViQh7yWWGStvkEG1Zmhx6uasJtWCJziofM",
 				BgpPeers: []string{
 					"10.0.0.1",    // Not in any DZ block - should not be flagged for removal
-					"172.16.0.1",  // Not in any DZ block - should not be flagged for removal
-					"172.17.0.1",  // In TunnelTunnelBlock - should be flagged for removal
+					"172.17.0.1",  // Not in any DZ block - should not be flagged for removal
+					"172.16.0.1",  // In TunnelTunnelBlock - should be flagged for removal
 					"169.254.0.7", // In UserTunnelBlock - should be flagged for removal
 					"169.254.0.3", // In UserTunnelBlock, but associated with a user - should not be flagged for removal
 				},
@@ -953,7 +953,7 @@ func TestEndToEnd(t *testing.T) {
 			Name: "remove_last_user_from_device",
 			Config: serviceability.Config{
 				MulticastGroupBlock: [5]uint8{239, 0, 0, 0, 24},
-				TunnelTunnelBlock:   [5]uint8{172, 17, 0, 0, 16},
+				TunnelTunnelBlock:   [5]uint8{172, 16, 0, 0, 16},
 				UserTunnelBlock:     [5]uint8{169, 254, 0, 0, 16},
 			},
 			Users: []serviceability.User{},

From b06bd1c7df617281300459bba58e0135530b9589 Mon Sep 17 00:00:00 2001
From: Nik Weidenbacher <nik@malbeclabs.com>
Date: Wed, 6 Aug 2025 19:50:42 +0000
Subject: [PATCH 16/18] Add vpnv4/ipv4 tag to bgp neighbor descriptions

---
 .../controller/fixtures/base.config.txt       |  2 +-
 .../internal/controller/render_test.go        |  4 +--
 .../internal/controller/server_test.go        |  4 +--
 .../internal/controller/templates/tunnel.tmpl |  4 +--
 .../doublezero_agent_config_user_added.tmpl   | 28 +++++++++----------
 .../doublezero_agent_config_user_removed.tmpl | 28 +++++++++----------
 .../doublezero_agent_config_user_added.tmpl   | 28 +++++++++----------
 .../doublezero_agent_config_user_removed.tmpl | 28 +++++++++----------
 .../doublezero_agent_config_user_added.tmpl   | 28 +++++++++----------
 .../doublezero_agent_config_user_removed.tmpl | 28 +++++++++----------
 .../doublezero_agent_config_user_added.tmpl   | 28 +++++++++----------
 .../doublezero_agent_config_user_removed.tmpl | 28 +++++++++----------
 12 files changed, 119 insertions(+), 119 deletions(-)

diff --git a/controlplane/controller/internal/controller/fixtures/base.config.txt b/controlplane/controller/internal/controller/fixtures/base.config.txt
index 7b11d8630..2e1d7e2ef 100644
--- a/controlplane/controller/internal/controller/fixtures/base.config.txt
+++ b/controlplane/controller/internal/controller/fixtures/base.config.txt
@@ -99,4 +99,4 @@ router msdp
    peer 12.12.12.12
       mesh-group DZ-1
       local-interface Loopback256
-      description remote-dzd-ipv4
+      description remote-dzd
diff --git a/controlplane/controller/internal/controller/render_test.go b/controlplane/controller/internal/controller/render_test.go
index 49ceaf85a..574f81a16 100644
--- a/controlplane/controller/internal/controller/render_test.go
+++ b/controlplane/controller/internal/controller/render_test.go
@@ -382,13 +382,13 @@ func TestRenderConfig(t *testing.T) {
 				Vpnv4BgpPeers: []BgpPeer{
 					{
 						PeerIP:   net.IP{15, 15, 15, 15},
-						PeerName: "remote-dzd-vpnv4",
+						PeerName: "remote-dzd",
 					},
 				},
 				Ipv4BgpPeers: []BgpPeer{
 					{
 						PeerIP:   net.IP{12, 12, 12, 12},
-						PeerName: "remote-dzd-ipv4",
+						PeerName: "remote-dzd",
 					},
 				},
 			},
diff --git a/controlplane/controller/internal/controller/server_test.go b/controlplane/controller/internal/controller/server_test.go
index 605c7b11d..876dea26f 100644
--- a/controlplane/controller/internal/controller/server_test.go
+++ b/controlplane/controller/internal/controller/server_test.go
@@ -343,13 +343,13 @@ func TestGetConfig(t *testing.T) {
 				Vpnv4BgpPeers: []BgpPeer{
 					{
 						PeerIP:   net.IP{15, 15, 15, 15},
-						PeerName: "remote-dzd-vpnv4",
+						PeerName: "remote-dzd",
 					},
 				},
 				Ipv4BgpPeers: []BgpPeer{
 					{
 						PeerIP:   net.IP{12, 12, 12, 12},
-						PeerName: "remote-dzd-ipv4",
+						PeerName: "remote-dzd",
 					},
 				},
 				Devices: map[string]*Device{
diff --git a/controlplane/controller/internal/controller/templates/tunnel.tmpl b/controlplane/controller/internal/controller/templates/tunnel.tmpl
index 0ae79e4dc..81dde3786 100644
--- a/controlplane/controller/internal/controller/templates/tunnel.tmpl
+++ b/controlplane/controller/internal/controller/templates/tunnel.tmpl
@@ -91,7 +91,7 @@ router bgp 65342
    neighbor {{ .PeerIP }} remote-as 65342
    neighbor {{ .PeerIP }} next-hop-self
    neighbor {{ .PeerIP }} update-source {{ $.Device.Ip4vLoopbackIntfName }}
-   neighbor {{ .PeerIP }} description {{ .PeerName }}
+   neighbor {{ .PeerIP }} description {{ .PeerName }}-ipv4
    neighbor {{ .PeerIP }} send-community
    {{- end }}
    {{- end }}
@@ -101,7 +101,7 @@ router bgp 65342
    neighbor {{ .PeerIP }} remote-as 65342
    neighbor {{ .PeerIP }} next-hop-self
    neighbor {{ .PeerIP }} update-source {{ $.Device.Vpn4vLoopbackIntfName }}
-   neighbor {{ .PeerIP }} description {{ .PeerName }}
+   neighbor {{ .PeerIP }} description {{ .PeerName }}-vpnv4
    neighbor {{ .PeerIP }} send-community
    {{- end }}
    {{- end }}
diff --git a/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl
index f65a74213..7b620c847 100644
--- a/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/ibrl/doublezero_agent_config_user_added.tmpl
@@ -190,85 +190,85 @@ router bgp 65342
    neighbor 172.16.0.14 remote-as 65342
    neighbor 172.16.0.14 next-hop-self
    neighbor 172.16.0.14 update-source Loopback256
-   neighbor 172.16.0.14 description ty2-dz01
+   neighbor 172.16.0.14 description ty2-dz01-ipv4
    neighbor 172.16.0.14 send-community
    no neighbor 172.16.0.11
    neighbor 172.16.0.11 remote-as 65342
    neighbor 172.16.0.11 next-hop-self
    neighbor 172.16.0.11 update-source Loopback256
-   neighbor 172.16.0.11 description ld4-dz01
+   neighbor 172.16.0.11 description ld4-dz01-ipv4
    neighbor 172.16.0.11 send-community
    no neighbor 172.16.0.10
    neighbor 172.16.0.10 remote-as 65342
    neighbor 172.16.0.10 next-hop-self
    neighbor 172.16.0.10 update-source Loopback256
-   neighbor 172.16.0.10 description la2-dz01
+   neighbor 172.16.0.10 description la2-dz01-ipv4
    neighbor 172.16.0.10 send-community
    no neighbor 172.16.0.13
    neighbor 172.16.0.13 remote-as 65342
    neighbor 172.16.0.13 next-hop-self
    neighbor 172.16.0.13 update-source Loopback256
-   neighbor 172.16.0.13 description sg1-dz01
+   neighbor 172.16.0.13 description sg1-dz01-ipv4
    neighbor 172.16.0.13 send-community
    no neighbor 172.16.0.16
    neighbor 172.16.0.16 remote-as 65342
    neighbor 172.16.0.16 next-hop-self
    neighbor 172.16.0.16 update-source Loopback256
-   neighbor 172.16.0.16 description ams-dz001
+   neighbor 172.16.0.16 description ams-dz001-ipv4
    neighbor 172.16.0.16 send-community
    no neighbor 172.16.0.12
    neighbor 172.16.0.12 remote-as 65342
    neighbor 172.16.0.12 next-hop-self
    neighbor 172.16.0.12 update-source Loopback256
-   neighbor 172.16.0.12 description frk-dz01
+   neighbor 172.16.0.12 description frk-dz01-ipv4
    neighbor 172.16.0.12 send-community
    no neighbor 172.16.0.15
    neighbor 172.16.0.15 remote-as 65342
    neighbor 172.16.0.15 next-hop-self
    neighbor 172.16.0.15 update-source Loopback256
-   neighbor 172.16.0.15 description pit-dzd01
+   neighbor 172.16.0.15 description pit-dzd01-ipv4
    neighbor 172.16.0.15 send-community
    no neighbor 172.16.0.6
    neighbor 172.16.0.6 remote-as 65342
    neighbor 172.16.0.6 next-hop-self
    neighbor 172.16.0.6 update-source Loopback255
-   neighbor 172.16.0.6 description ty2-dz01
+   neighbor 172.16.0.6 description ty2-dz01-vpnv4
    neighbor 172.16.0.6 send-community
    no neighbor 172.16.0.3
    neighbor 172.16.0.3 remote-as 65342
    neighbor 172.16.0.3 next-hop-self
    neighbor 172.16.0.3 update-source Loopback255
-   neighbor 172.16.0.3 description ld4-dz01
+   neighbor 172.16.0.3 description ld4-dz01-vpnv4
    neighbor 172.16.0.3 send-community
    no neighbor 172.16.0.2
    neighbor 172.16.0.2 remote-as 65342
    neighbor 172.16.0.2 next-hop-self
    neighbor 172.16.0.2 update-source Loopback255
-   neighbor 172.16.0.2 description la2-dz01
+   neighbor 172.16.0.2 description la2-dz01-vpnv4
    neighbor 172.16.0.2 send-community
    no neighbor 172.16.0.5
    neighbor 172.16.0.5 remote-as 65342
    neighbor 172.16.0.5 next-hop-self
    neighbor 172.16.0.5 update-source Loopback255
-   neighbor 172.16.0.5 description sg1-dz01
+   neighbor 172.16.0.5 description sg1-dz01-vpnv4
    neighbor 172.16.0.5 send-community
    no neighbor 172.16.0.8
    neighbor 172.16.0.8 remote-as 65342
    neighbor 172.16.0.8 next-hop-self
    neighbor 172.16.0.8 update-source Loopback255
-   neighbor 172.16.0.8 description ams-dz001
+   neighbor 172.16.0.8 description ams-dz001-vpnv4
    neighbor 172.16.0.8 send-community
    no neighbor 172.16.0.4
    neighbor 172.16.0.4 remote-as 65342
    neighbor 172.16.0.4 next-hop-self
    neighbor 172.16.0.4 update-source Loopback255
-   neighbor 172.16.0.4 description frk-dz01
+   neighbor 172.16.0.4 description frk-dz01-vpnv4
    neighbor 172.16.0.4 send-community
    no neighbor 172.16.0.7
    neighbor 172.16.0.7 remote-as 65342
    neighbor 172.16.0.7 next-hop-self
    neighbor 172.16.0.7 update-source Loopback255
-   neighbor 172.16.0.7 description pit-dzd01
+   neighbor 172.16.0.7 description pit-dzd01-vpnv4
    neighbor 172.16.0.7 send-community
    address-family ipv4
       neighbor 172.16.0.14 activate
diff --git a/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl
index bff708de1..ae7598fca 100644
--- a/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/ibrl/doublezero_agent_config_user_removed.tmpl
@@ -179,85 +179,85 @@ router bgp 65342
    neighbor 172.16.0.14 remote-as 65342
    neighbor 172.16.0.14 next-hop-self
    neighbor 172.16.0.14 update-source Loopback256
-   neighbor 172.16.0.14 description ty2-dz01
+   neighbor 172.16.0.14 description ty2-dz01-ipv4
    neighbor 172.16.0.14 send-community
    no neighbor 172.16.0.11
    neighbor 172.16.0.11 remote-as 65342
    neighbor 172.16.0.11 next-hop-self
    neighbor 172.16.0.11 update-source Loopback256
-   neighbor 172.16.0.11 description ld4-dz01
+   neighbor 172.16.0.11 description ld4-dz01-ipv4
    neighbor 172.16.0.11 send-community
    no neighbor 172.16.0.10
    neighbor 172.16.0.10 remote-as 65342
    neighbor 172.16.0.10 next-hop-self
    neighbor 172.16.0.10 update-source Loopback256
-   neighbor 172.16.0.10 description la2-dz01
+   neighbor 172.16.0.10 description la2-dz01-ipv4
    neighbor 172.16.0.10 send-community
    no neighbor 172.16.0.13
    neighbor 172.16.0.13 remote-as 65342
    neighbor 172.16.0.13 next-hop-self
    neighbor 172.16.0.13 update-source Loopback256
-   neighbor 172.16.0.13 description sg1-dz01
+   neighbor 172.16.0.13 description sg1-dz01-ipv4
    neighbor 172.16.0.13 send-community
    no neighbor 172.16.0.16
    neighbor 172.16.0.16 remote-as 65342
    neighbor 172.16.0.16 next-hop-self
    neighbor 172.16.0.16 update-source Loopback256
-   neighbor 172.16.0.16 description ams-dz001
+   neighbor 172.16.0.16 description ams-dz001-ipv4
    neighbor 172.16.0.16 send-community
    no neighbor 172.16.0.12
    neighbor 172.16.0.12 remote-as 65342
    neighbor 172.16.0.12 next-hop-self
    neighbor 172.16.0.12 update-source Loopback256
-   neighbor 172.16.0.12 description frk-dz01
+   neighbor 172.16.0.12 description frk-dz01-ipv4
    neighbor 172.16.0.12 send-community
    no neighbor 172.16.0.15
    neighbor 172.16.0.15 remote-as 65342
    neighbor 172.16.0.15 next-hop-self
    neighbor 172.16.0.15 update-source Loopback256
-   neighbor 172.16.0.15 description pit-dzd01
+   neighbor 172.16.0.15 description pit-dzd01-ipv4
    neighbor 172.16.0.15 send-community
    no neighbor 172.16.0.6
    neighbor 172.16.0.6 remote-as 65342
    neighbor 172.16.0.6 next-hop-self
    neighbor 172.16.0.6 update-source Loopback255
-   neighbor 172.16.0.6 description ty2-dz01
+   neighbor 172.16.0.6 description ty2-dz01-vpnv4
    neighbor 172.16.0.6 send-community
    no neighbor 172.16.0.3
    neighbor 172.16.0.3 remote-as 65342
    neighbor 172.16.0.3 next-hop-self
    neighbor 172.16.0.3 update-source Loopback255
-   neighbor 172.16.0.3 description ld4-dz01
+   neighbor 172.16.0.3 description ld4-dz01-vpnv4
    neighbor 172.16.0.3 send-community
    no neighbor 172.16.0.2
    neighbor 172.16.0.2 remote-as 65342
    neighbor 172.16.0.2 next-hop-self
    neighbor 172.16.0.2 update-source Loopback255
-   neighbor 172.16.0.2 description la2-dz01
+   neighbor 172.16.0.2 description la2-dz01-vpnv4
    neighbor 172.16.0.2 send-community
    no neighbor 172.16.0.5
    neighbor 172.16.0.5 remote-as 65342
    neighbor 172.16.0.5 next-hop-self
    neighbor 172.16.0.5 update-source Loopback255
-   neighbor 172.16.0.5 description sg1-dz01
+   neighbor 172.16.0.5 description sg1-dz01-vpnv4
    neighbor 172.16.0.5 send-community
    no neighbor 172.16.0.8
    neighbor 172.16.0.8 remote-as 65342
    neighbor 172.16.0.8 next-hop-self
    neighbor 172.16.0.8 update-source Loopback255
-   neighbor 172.16.0.8 description ams-dz001
+   neighbor 172.16.0.8 description ams-dz001-vpnv4
    neighbor 172.16.0.8 send-community
    no neighbor 172.16.0.4
    neighbor 172.16.0.4 remote-as 65342
    neighbor 172.16.0.4 next-hop-self
    neighbor 172.16.0.4 update-source Loopback255
-   neighbor 172.16.0.4 description frk-dz01
+   neighbor 172.16.0.4 description frk-dz01-vpnv4
    neighbor 172.16.0.4 send-community
    no neighbor 172.16.0.7
    neighbor 172.16.0.7 remote-as 65342
    neighbor 172.16.0.7 next-hop-self
    neighbor 172.16.0.7 update-source Loopback255
-   neighbor 172.16.0.7 description pit-dzd01
+   neighbor 172.16.0.7 description pit-dzd01-vpnv4
    neighbor 172.16.0.7 send-community
    address-family ipv4
       neighbor 172.16.0.14 activate
diff --git a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl
index 4c52a5052..9f20fb054 100644
--- a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_added.tmpl
@@ -190,85 +190,85 @@ router bgp 65342
    neighbor 172.16.0.14 remote-as 65342
    neighbor 172.16.0.14 next-hop-self
    neighbor 172.16.0.14 update-source Loopback256
-   neighbor 172.16.0.14 description ty2-dz01
+   neighbor 172.16.0.14 description ty2-dz01-ipv4
    neighbor 172.16.0.14 send-community
    no neighbor 172.16.0.11
    neighbor 172.16.0.11 remote-as 65342
    neighbor 172.16.0.11 next-hop-self
    neighbor 172.16.0.11 update-source Loopback256
-   neighbor 172.16.0.11 description ld4-dz01
+   neighbor 172.16.0.11 description ld4-dz01-ipv4
    neighbor 172.16.0.11 send-community
    no neighbor 172.16.0.10
    neighbor 172.16.0.10 remote-as 65342
    neighbor 172.16.0.10 next-hop-self
    neighbor 172.16.0.10 update-source Loopback256
-   neighbor 172.16.0.10 description la2-dz01
+   neighbor 172.16.0.10 description la2-dz01-ipv4
    neighbor 172.16.0.10 send-community
    no neighbor 172.16.0.13
    neighbor 172.16.0.13 remote-as 65342
    neighbor 172.16.0.13 next-hop-self
    neighbor 172.16.0.13 update-source Loopback256
-   neighbor 172.16.0.13 description sg1-dz01
+   neighbor 172.16.0.13 description sg1-dz01-ipv4
    neighbor 172.16.0.13 send-community
    no neighbor 172.16.0.16
    neighbor 172.16.0.16 remote-as 65342
    neighbor 172.16.0.16 next-hop-self
    neighbor 172.16.0.16 update-source Loopback256
-   neighbor 172.16.0.16 description ams-dz001
+   neighbor 172.16.0.16 description ams-dz001-ipv4
    neighbor 172.16.0.16 send-community
    no neighbor 172.16.0.12
    neighbor 172.16.0.12 remote-as 65342
    neighbor 172.16.0.12 next-hop-self
    neighbor 172.16.0.12 update-source Loopback256
-   neighbor 172.16.0.12 description frk-dz01
+   neighbor 172.16.0.12 description frk-dz01-ipv4
    neighbor 172.16.0.12 send-community
    no neighbor 172.16.0.15
    neighbor 172.16.0.15 remote-as 65342
    neighbor 172.16.0.15 next-hop-self
    neighbor 172.16.0.15 update-source Loopback256
-   neighbor 172.16.0.15 description pit-dzd01
+   neighbor 172.16.0.15 description pit-dzd01-ipv4
    neighbor 172.16.0.15 send-community
    no neighbor 172.16.0.6
    neighbor 172.16.0.6 remote-as 65342
    neighbor 172.16.0.6 next-hop-self
    neighbor 172.16.0.6 update-source Loopback255
-   neighbor 172.16.0.6 description ty2-dz01
+   neighbor 172.16.0.6 description ty2-dz01-vpnv4
    neighbor 172.16.0.6 send-community
    no neighbor 172.16.0.3
    neighbor 172.16.0.3 remote-as 65342
    neighbor 172.16.0.3 next-hop-self
    neighbor 172.16.0.3 update-source Loopback255
-   neighbor 172.16.0.3 description ld4-dz01
+   neighbor 172.16.0.3 description ld4-dz01-vpnv4
    neighbor 172.16.0.3 send-community
    no neighbor 172.16.0.2
    neighbor 172.16.0.2 remote-as 65342
    neighbor 172.16.0.2 next-hop-self
    neighbor 172.16.0.2 update-source Loopback255
-   neighbor 172.16.0.2 description la2-dz01
+   neighbor 172.16.0.2 description la2-dz01-vpnv4
    neighbor 172.16.0.2 send-community
    no neighbor 172.16.0.5
    neighbor 172.16.0.5 remote-as 65342
    neighbor 172.16.0.5 next-hop-self
    neighbor 172.16.0.5 update-source Loopback255
-   neighbor 172.16.0.5 description sg1-dz01
+   neighbor 172.16.0.5 description sg1-dz01-vpnv4
    neighbor 172.16.0.5 send-community
    no neighbor 172.16.0.8
    neighbor 172.16.0.8 remote-as 65342
    neighbor 172.16.0.8 next-hop-self
    neighbor 172.16.0.8 update-source Loopback255
-   neighbor 172.16.0.8 description ams-dz001
+   neighbor 172.16.0.8 description ams-dz001-vpnv4
    neighbor 172.16.0.8 send-community
    no neighbor 172.16.0.4
    neighbor 172.16.0.4 remote-as 65342
    neighbor 172.16.0.4 next-hop-self
    neighbor 172.16.0.4 update-source Loopback255
-   neighbor 172.16.0.4 description frk-dz01
+   neighbor 172.16.0.4 description frk-dz01-vpnv4
    neighbor 172.16.0.4 send-community
    no neighbor 172.16.0.7
    neighbor 172.16.0.7 remote-as 65342
    neighbor 172.16.0.7 next-hop-self
    neighbor 172.16.0.7 update-source Loopback255
-   neighbor 172.16.0.7 description pit-dzd01
+   neighbor 172.16.0.7 description pit-dzd01-vpnv4
    neighbor 172.16.0.7 send-community
    address-family ipv4
       neighbor 172.16.0.14 activate
diff --git a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl
index bff708de1..ae7598fca 100644
--- a/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/ibrl_with_allocated_addr/doublezero_agent_config_user_removed.tmpl
@@ -179,85 +179,85 @@ router bgp 65342
    neighbor 172.16.0.14 remote-as 65342
    neighbor 172.16.0.14 next-hop-self
    neighbor 172.16.0.14 update-source Loopback256
-   neighbor 172.16.0.14 description ty2-dz01
+   neighbor 172.16.0.14 description ty2-dz01-ipv4
    neighbor 172.16.0.14 send-community
    no neighbor 172.16.0.11
    neighbor 172.16.0.11 remote-as 65342
    neighbor 172.16.0.11 next-hop-self
    neighbor 172.16.0.11 update-source Loopback256
-   neighbor 172.16.0.11 description ld4-dz01
+   neighbor 172.16.0.11 description ld4-dz01-ipv4
    neighbor 172.16.0.11 send-community
    no neighbor 172.16.0.10
    neighbor 172.16.0.10 remote-as 65342
    neighbor 172.16.0.10 next-hop-self
    neighbor 172.16.0.10 update-source Loopback256
-   neighbor 172.16.0.10 description la2-dz01
+   neighbor 172.16.0.10 description la2-dz01-ipv4
    neighbor 172.16.0.10 send-community
    no neighbor 172.16.0.13
    neighbor 172.16.0.13 remote-as 65342
    neighbor 172.16.0.13 next-hop-self
    neighbor 172.16.0.13 update-source Loopback256
-   neighbor 172.16.0.13 description sg1-dz01
+   neighbor 172.16.0.13 description sg1-dz01-ipv4
    neighbor 172.16.0.13 send-community
    no neighbor 172.16.0.16
    neighbor 172.16.0.16 remote-as 65342
    neighbor 172.16.0.16 next-hop-self
    neighbor 172.16.0.16 update-source Loopback256
-   neighbor 172.16.0.16 description ams-dz001
+   neighbor 172.16.0.16 description ams-dz001-ipv4
    neighbor 172.16.0.16 send-community
    no neighbor 172.16.0.12
    neighbor 172.16.0.12 remote-as 65342
    neighbor 172.16.0.12 next-hop-self
    neighbor 172.16.0.12 update-source Loopback256
-   neighbor 172.16.0.12 description frk-dz01
+   neighbor 172.16.0.12 description frk-dz01-ipv4
    neighbor 172.16.0.12 send-community
    no neighbor 172.16.0.15
    neighbor 172.16.0.15 remote-as 65342
    neighbor 172.16.0.15 next-hop-self
    neighbor 172.16.0.15 update-source Loopback256
-   neighbor 172.16.0.15 description pit-dzd01
+   neighbor 172.16.0.15 description pit-dzd01-ipv4
    neighbor 172.16.0.15 send-community
    no neighbor 172.16.0.6
    neighbor 172.16.0.6 remote-as 65342
    neighbor 172.16.0.6 next-hop-self
    neighbor 172.16.0.6 update-source Loopback255
-   neighbor 172.16.0.6 description ty2-dz01
+   neighbor 172.16.0.6 description ty2-dz01-vpnv4
    neighbor 172.16.0.6 send-community
    no neighbor 172.16.0.3
    neighbor 172.16.0.3 remote-as 65342
    neighbor 172.16.0.3 next-hop-self
    neighbor 172.16.0.3 update-source Loopback255
-   neighbor 172.16.0.3 description ld4-dz01
+   neighbor 172.16.0.3 description ld4-dz01-vpnv4
    neighbor 172.16.0.3 send-community
    no neighbor 172.16.0.2
    neighbor 172.16.0.2 remote-as 65342
    neighbor 172.16.0.2 next-hop-self
    neighbor 172.16.0.2 update-source Loopback255
-   neighbor 172.16.0.2 description la2-dz01
+   neighbor 172.16.0.2 description la2-dz01-vpnv4
    neighbor 172.16.0.2 send-community
    no neighbor 172.16.0.5
    neighbor 172.16.0.5 remote-as 65342
    neighbor 172.16.0.5 next-hop-self
    neighbor 172.16.0.5 update-source Loopback255
-   neighbor 172.16.0.5 description sg1-dz01
+   neighbor 172.16.0.5 description sg1-dz01-vpnv4
    neighbor 172.16.0.5 send-community
    no neighbor 172.16.0.8
    neighbor 172.16.0.8 remote-as 65342
    neighbor 172.16.0.8 next-hop-self
    neighbor 172.16.0.8 update-source Loopback255
-   neighbor 172.16.0.8 description ams-dz001
+   neighbor 172.16.0.8 description ams-dz001-vpnv4
    neighbor 172.16.0.8 send-community
    no neighbor 172.16.0.4
    neighbor 172.16.0.4 remote-as 65342
    neighbor 172.16.0.4 next-hop-self
    neighbor 172.16.0.4 update-source Loopback255
-   neighbor 172.16.0.4 description frk-dz01
+   neighbor 172.16.0.4 description frk-dz01-vpnv4
    neighbor 172.16.0.4 send-community
    no neighbor 172.16.0.7
    neighbor 172.16.0.7 remote-as 65342
    neighbor 172.16.0.7 next-hop-self
    neighbor 172.16.0.7 update-source Loopback255
-   neighbor 172.16.0.7 description pit-dzd01
+   neighbor 172.16.0.7 description pit-dzd01-vpnv4
    neighbor 172.16.0.7 send-community
    address-family ipv4
       neighbor 172.16.0.14 activate
diff --git a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl
index 9180eedf9..c19fe9825 100644
--- a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_added.tmpl
@@ -193,85 +193,85 @@ router bgp 65342
    neighbor 172.16.0.14 remote-as 65342
    neighbor 172.16.0.14 next-hop-self
    neighbor 172.16.0.14 update-source Loopback256
-   neighbor 172.16.0.14 description ty2-dz01
+   neighbor 172.16.0.14 description ty2-dz01-ipv4
    neighbor 172.16.0.14 send-community
    no neighbor 172.16.0.11
    neighbor 172.16.0.11 remote-as 65342
    neighbor 172.16.0.11 next-hop-self
    neighbor 172.16.0.11 update-source Loopback256
-   neighbor 172.16.0.11 description ld4-dz01
+   neighbor 172.16.0.11 description ld4-dz01-ipv4
    neighbor 172.16.0.11 send-community
    no neighbor 172.16.0.10
    neighbor 172.16.0.10 remote-as 65342
    neighbor 172.16.0.10 next-hop-self
    neighbor 172.16.0.10 update-source Loopback256
-   neighbor 172.16.0.10 description la2-dz01
+   neighbor 172.16.0.10 description la2-dz01-ipv4
    neighbor 172.16.0.10 send-community
    no neighbor 172.16.0.13
    neighbor 172.16.0.13 remote-as 65342
    neighbor 172.16.0.13 next-hop-self
    neighbor 172.16.0.13 update-source Loopback256
-   neighbor 172.16.0.13 description sg1-dz01
+   neighbor 172.16.0.13 description sg1-dz01-ipv4
    neighbor 172.16.0.13 send-community
    no neighbor 172.16.0.16
    neighbor 172.16.0.16 remote-as 65342
    neighbor 172.16.0.16 next-hop-self
    neighbor 172.16.0.16 update-source Loopback256
-   neighbor 172.16.0.16 description ams-dz001
+   neighbor 172.16.0.16 description ams-dz001-ipv4
    neighbor 172.16.0.16 send-community
    no neighbor 172.16.0.12
    neighbor 172.16.0.12 remote-as 65342
    neighbor 172.16.0.12 next-hop-self
    neighbor 172.16.0.12 update-source Loopback256
-   neighbor 172.16.0.12 description frk-dz01
+   neighbor 172.16.0.12 description frk-dz01-ipv4
    neighbor 172.16.0.12 send-community
    no neighbor 172.16.0.15
    neighbor 172.16.0.15 remote-as 65342
    neighbor 172.16.0.15 next-hop-self
    neighbor 172.16.0.15 update-source Loopback256
-   neighbor 172.16.0.15 description pit-dzd01
+   neighbor 172.16.0.15 description pit-dzd01-ipv4
    neighbor 172.16.0.15 send-community
    no neighbor 172.16.0.6
    neighbor 172.16.0.6 remote-as 65342
    neighbor 172.16.0.6 next-hop-self
    neighbor 172.16.0.6 update-source Loopback255
-   neighbor 172.16.0.6 description ty2-dz01
+   neighbor 172.16.0.6 description ty2-dz01-vpnv4
    neighbor 172.16.0.6 send-community
    no neighbor 172.16.0.3
    neighbor 172.16.0.3 remote-as 65342
    neighbor 172.16.0.3 next-hop-self
    neighbor 172.16.0.3 update-source Loopback255
-   neighbor 172.16.0.3 description ld4-dz01
+   neighbor 172.16.0.3 description ld4-dz01-vpnv4
    neighbor 172.16.0.3 send-community
    no neighbor 172.16.0.2
    neighbor 172.16.0.2 remote-as 65342
    neighbor 172.16.0.2 next-hop-self
    neighbor 172.16.0.2 update-source Loopback255
-   neighbor 172.16.0.2 description la2-dz01
+   neighbor 172.16.0.2 description la2-dz01-vpnv4
    neighbor 172.16.0.2 send-community
    no neighbor 172.16.0.5
    neighbor 172.16.0.5 remote-as 65342
    neighbor 172.16.0.5 next-hop-self
    neighbor 172.16.0.5 update-source Loopback255
-   neighbor 172.16.0.5 description sg1-dz01
+   neighbor 172.16.0.5 description sg1-dz01-vpnv4
    neighbor 172.16.0.5 send-community
    no neighbor 172.16.0.8
    neighbor 172.16.0.8 remote-as 65342
    neighbor 172.16.0.8 next-hop-self
    neighbor 172.16.0.8 update-source Loopback255
-   neighbor 172.16.0.8 description ams-dz001
+   neighbor 172.16.0.8 description ams-dz001-vpnv4
    neighbor 172.16.0.8 send-community
    no neighbor 172.16.0.4
    neighbor 172.16.0.4 remote-as 65342
    neighbor 172.16.0.4 next-hop-self
    neighbor 172.16.0.4 update-source Loopback255
-   neighbor 172.16.0.4 description frk-dz01
+   neighbor 172.16.0.4 description frk-dz01-vpnv4
    neighbor 172.16.0.4 send-community
    no neighbor 172.16.0.7
    neighbor 172.16.0.7 remote-as 65342
    neighbor 172.16.0.7 next-hop-self
    neighbor 172.16.0.7 update-source Loopback255
-   neighbor 172.16.0.7 description pit-dzd01
+   neighbor 172.16.0.7 description pit-dzd01-vpnv4
    neighbor 172.16.0.7 send-community
    no neighbor 169.254.0.1
    neighbor 169.254.0.1 remote-as 65000
diff --git a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl
index bff708de1..ae7598fca 100644
--- a/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/multicast_publisher/doublezero_agent_config_user_removed.tmpl
@@ -179,85 +179,85 @@ router bgp 65342
    neighbor 172.16.0.14 remote-as 65342
    neighbor 172.16.0.14 next-hop-self
    neighbor 172.16.0.14 update-source Loopback256
-   neighbor 172.16.0.14 description ty2-dz01
+   neighbor 172.16.0.14 description ty2-dz01-ipv4
    neighbor 172.16.0.14 send-community
    no neighbor 172.16.0.11
    neighbor 172.16.0.11 remote-as 65342
    neighbor 172.16.0.11 next-hop-self
    neighbor 172.16.0.11 update-source Loopback256
-   neighbor 172.16.0.11 description ld4-dz01
+   neighbor 172.16.0.11 description ld4-dz01-ipv4
    neighbor 172.16.0.11 send-community
    no neighbor 172.16.0.10
    neighbor 172.16.0.10 remote-as 65342
    neighbor 172.16.0.10 next-hop-self
    neighbor 172.16.0.10 update-source Loopback256
-   neighbor 172.16.0.10 description la2-dz01
+   neighbor 172.16.0.10 description la2-dz01-ipv4
    neighbor 172.16.0.10 send-community
    no neighbor 172.16.0.13
    neighbor 172.16.0.13 remote-as 65342
    neighbor 172.16.0.13 next-hop-self
    neighbor 172.16.0.13 update-source Loopback256
-   neighbor 172.16.0.13 description sg1-dz01
+   neighbor 172.16.0.13 description sg1-dz01-ipv4
    neighbor 172.16.0.13 send-community
    no neighbor 172.16.0.16
    neighbor 172.16.0.16 remote-as 65342
    neighbor 172.16.0.16 next-hop-self
    neighbor 172.16.0.16 update-source Loopback256
-   neighbor 172.16.0.16 description ams-dz001
+   neighbor 172.16.0.16 description ams-dz001-ipv4
    neighbor 172.16.0.16 send-community
    no neighbor 172.16.0.12
    neighbor 172.16.0.12 remote-as 65342
    neighbor 172.16.0.12 next-hop-self
    neighbor 172.16.0.12 update-source Loopback256
-   neighbor 172.16.0.12 description frk-dz01
+   neighbor 172.16.0.12 description frk-dz01-ipv4
    neighbor 172.16.0.12 send-community
    no neighbor 172.16.0.15
    neighbor 172.16.0.15 remote-as 65342
    neighbor 172.16.0.15 next-hop-self
    neighbor 172.16.0.15 update-source Loopback256
-   neighbor 172.16.0.15 description pit-dzd01
+   neighbor 172.16.0.15 description pit-dzd01-ipv4
    neighbor 172.16.0.15 send-community
    no neighbor 172.16.0.6
    neighbor 172.16.0.6 remote-as 65342
    neighbor 172.16.0.6 next-hop-self
    neighbor 172.16.0.6 update-source Loopback255
-   neighbor 172.16.0.6 description ty2-dz01
+   neighbor 172.16.0.6 description ty2-dz01-vpnv4
    neighbor 172.16.0.6 send-community
    no neighbor 172.16.0.3
    neighbor 172.16.0.3 remote-as 65342
    neighbor 172.16.0.3 next-hop-self
    neighbor 172.16.0.3 update-source Loopback255
-   neighbor 172.16.0.3 description ld4-dz01
+   neighbor 172.16.0.3 description ld4-dz01-vpnv4
    neighbor 172.16.0.3 send-community
    no neighbor 172.16.0.2
    neighbor 172.16.0.2 remote-as 65342
    neighbor 172.16.0.2 next-hop-self
    neighbor 172.16.0.2 update-source Loopback255
-   neighbor 172.16.0.2 description la2-dz01
+   neighbor 172.16.0.2 description la2-dz01-vpnv4
    neighbor 172.16.0.2 send-community
    no neighbor 172.16.0.5
    neighbor 172.16.0.5 remote-as 65342
    neighbor 172.16.0.5 next-hop-self
    neighbor 172.16.0.5 update-source Loopback255
-   neighbor 172.16.0.5 description sg1-dz01
+   neighbor 172.16.0.5 description sg1-dz01-vpnv4
    neighbor 172.16.0.5 send-community
    no neighbor 172.16.0.8
    neighbor 172.16.0.8 remote-as 65342
    neighbor 172.16.0.8 next-hop-self
    neighbor 172.16.0.8 update-source Loopback255
-   neighbor 172.16.0.8 description ams-dz001
+   neighbor 172.16.0.8 description ams-dz001-vpnv4
    neighbor 172.16.0.8 send-community
    no neighbor 172.16.0.4
    neighbor 172.16.0.4 remote-as 65342
    neighbor 172.16.0.4 next-hop-self
    neighbor 172.16.0.4 update-source Loopback255
-   neighbor 172.16.0.4 description frk-dz01
+   neighbor 172.16.0.4 description frk-dz01-vpnv4
    neighbor 172.16.0.4 send-community
    no neighbor 172.16.0.7
    neighbor 172.16.0.7 remote-as 65342
    neighbor 172.16.0.7 next-hop-self
    neighbor 172.16.0.7 update-source Loopback255
-   neighbor 172.16.0.7 description pit-dzd01
+   neighbor 172.16.0.7 description pit-dzd01-vpnv4
    neighbor 172.16.0.7 send-community
    address-family ipv4
       neighbor 172.16.0.14 activate
diff --git a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl
index 8023a9dcd..fb811aa1c 100644
--- a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl
+++ b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_added.tmpl
@@ -192,85 +192,85 @@ router bgp 65342
    neighbor 172.16.0.14 remote-as 65342
    neighbor 172.16.0.14 next-hop-self
    neighbor 172.16.0.14 update-source Loopback256
-   neighbor 172.16.0.14 description ty2-dz01
+   neighbor 172.16.0.14 description ty2-dz01-ipv4
    neighbor 172.16.0.14 send-community
    no neighbor 172.16.0.11
    neighbor 172.16.0.11 remote-as 65342
    neighbor 172.16.0.11 next-hop-self
    neighbor 172.16.0.11 update-source Loopback256
-   neighbor 172.16.0.11 description ld4-dz01
+   neighbor 172.16.0.11 description ld4-dz01-ipv4
    neighbor 172.16.0.11 send-community
    no neighbor 172.16.0.10
    neighbor 172.16.0.10 remote-as 65342
    neighbor 172.16.0.10 next-hop-self
    neighbor 172.16.0.10 update-source Loopback256
-   neighbor 172.16.0.10 description la2-dz01
+   neighbor 172.16.0.10 description la2-dz01-ipv4
    neighbor 172.16.0.10 send-community
    no neighbor 172.16.0.13
    neighbor 172.16.0.13 remote-as 65342
    neighbor 172.16.0.13 next-hop-self
    neighbor 172.16.0.13 update-source Loopback256
-   neighbor 172.16.0.13 description sg1-dz01
+   neighbor 172.16.0.13 description sg1-dz01-ipv4
    neighbor 172.16.0.13 send-community
    no neighbor 172.16.0.16
    neighbor 172.16.0.16 remote-as 65342
    neighbor 172.16.0.16 next-hop-self
    neighbor 172.16.0.16 update-source Loopback256
-   neighbor 172.16.0.16 description ams-dz001
+   neighbor 172.16.0.16 description ams-dz001-ipv4
    neighbor 172.16.0.16 send-community
    no neighbor 172.16.0.12
    neighbor 172.16.0.12 remote-as 65342
    neighbor 172.16.0.12 next-hop-self
    neighbor 172.16.0.12 update-source Loopback256
-   neighbor 172.16.0.12 description frk-dz01
+   neighbor 172.16.0.12 description frk-dz01-ipv4
    neighbor 172.16.0.12 send-community
    no neighbor 172.16.0.15
    neighbor 172.16.0.15 remote-as 65342
    neighbor 172.16.0.15 next-hop-self
    neighbor 172.16.0.15 update-source Loopback256
-   neighbor 172.16.0.15 description pit-dzd01
+   neighbor 172.16.0.15 description pit-dzd01-ipv4
    neighbor 172.16.0.15 send-community
    no neighbor 172.16.0.6
    neighbor 172.16.0.6 remote-as 65342
    neighbor 172.16.0.6 next-hop-self
    neighbor 172.16.0.6 update-source Loopback255
-   neighbor 172.16.0.6 description ty2-dz01
+   neighbor 172.16.0.6 description ty2-dz01-vpnv4
    neighbor 172.16.0.6 send-community
    no neighbor 172.16.0.3
    neighbor 172.16.0.3 remote-as 65342
    neighbor 172.16.0.3 next-hop-self
    neighbor 172.16.0.3 update-source Loopback255
-   neighbor 172.16.0.3 description ld4-dz01
+   neighbor 172.16.0.3 description ld4-dz01-vpnv4
    neighbor 172.16.0.3 send-community
    no neighbor 172.16.0.2
    neighbor 172.16.0.2 remote-as 65342
    neighbor 172.16.0.2 next-hop-self
    neighbor 172.16.0.2 update-source Loopback255
-   neighbor 172.16.0.2 description la2-dz01
+   neighbor 172.16.0.2 description la2-dz01-vpnv4
    neighbor 172.16.0.2 send-community
    no neighbor 172.16.0.5
    neighbor 172.16.0.5 remote-as 65342
    neighbor 172.16.0.5 next-hop-self
    neighbor 172.16.0.5 update-source Loopback255
-   neighbor 172.16.0.5 description sg1-dz01
+   neighbor 172.16.0.5 description sg1-dz01-vpnv4
    neighbor 172.16.0.5 send-community
    no neighbor 172.16.0.8
    neighbor 172.16.0.8 remote-as 65342
    neighbor 172.16.0.8 next-hop-self
    neighbor 172.16.0.8 update-source Loopback255
-   neighbor 172.16.0.8 description ams-dz001
+   neighbor 172.16.0.8 description ams-dz001-vpnv4
    neighbor 172.16.0.8 send-community
    no neighbor 172.16.0.4
    neighbor 172.16.0.4 remote-as 65342
    neighbor 172.16.0.4 next-hop-self
    neighbor 172.16.0.4 update-source Loopback255
-   neighbor 172.16.0.4 description frk-dz01
+   neighbor 172.16.0.4 description frk-dz01-vpnv4
    neighbor 172.16.0.4 send-community
    no neighbor 172.16.0.7
    neighbor 172.16.0.7 remote-as 65342
    neighbor 172.16.0.7 next-hop-self
    neighbor 172.16.0.7 update-source Loopback255
-   neighbor 172.16.0.7 description pit-dzd01
+   neighbor 172.16.0.7 description pit-dzd01-vpnv4
    neighbor 172.16.0.7 send-community
    no neighbor 169.254.0.1
    neighbor 169.254.0.1 remote-as 65000
diff --git a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl
index bff708de1..ae7598fca 100644
--- a/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl
+++ b/e2e/fixtures/multicast_subscriber/doublezero_agent_config_user_removed.tmpl
@@ -179,85 +179,85 @@ router bgp 65342
    neighbor 172.16.0.14 remote-as 65342
    neighbor 172.16.0.14 next-hop-self
    neighbor 172.16.0.14 update-source Loopback256
-   neighbor 172.16.0.14 description ty2-dz01
+   neighbor 172.16.0.14 description ty2-dz01-ipv4
    neighbor 172.16.0.14 send-community
    no neighbor 172.16.0.11
    neighbor 172.16.0.11 remote-as 65342
    neighbor 172.16.0.11 next-hop-self
    neighbor 172.16.0.11 update-source Loopback256
-   neighbor 172.16.0.11 description ld4-dz01
+   neighbor 172.16.0.11 description ld4-dz01-ipv4
    neighbor 172.16.0.11 send-community
    no neighbor 172.16.0.10
    neighbor 172.16.0.10 remote-as 65342
    neighbor 172.16.0.10 next-hop-self
    neighbor 172.16.0.10 update-source Loopback256
-   neighbor 172.16.0.10 description la2-dz01
+   neighbor 172.16.0.10 description la2-dz01-ipv4
    neighbor 172.16.0.10 send-community
    no neighbor 172.16.0.13
    neighbor 172.16.0.13 remote-as 65342
    neighbor 172.16.0.13 next-hop-self
    neighbor 172.16.0.13 update-source Loopback256
-   neighbor 172.16.0.13 description sg1-dz01
+   neighbor 172.16.0.13 description sg1-dz01-ipv4
    neighbor 172.16.0.13 send-community
    no neighbor 172.16.0.16
    neighbor 172.16.0.16 remote-as 65342
    neighbor 172.16.0.16 next-hop-self
    neighbor 172.16.0.16 update-source Loopback256
-   neighbor 172.16.0.16 description ams-dz001
+   neighbor 172.16.0.16 description ams-dz001-ipv4
    neighbor 172.16.0.16 send-community
    no neighbor 172.16.0.12
    neighbor 172.16.0.12 remote-as 65342
    neighbor 172.16.0.12 next-hop-self
    neighbor 172.16.0.12 update-source Loopback256
-   neighbor 172.16.0.12 description frk-dz01
+   neighbor 172.16.0.12 description frk-dz01-ipv4
    neighbor 172.16.0.12 send-community
    no neighbor 172.16.0.15
    neighbor 172.16.0.15 remote-as 65342
    neighbor 172.16.0.15 next-hop-self
    neighbor 172.16.0.15 update-source Loopback256
-   neighbor 172.16.0.15 description pit-dzd01
+   neighbor 172.16.0.15 description pit-dzd01-ipv4
    neighbor 172.16.0.15 send-community
    no neighbor 172.16.0.6
    neighbor 172.16.0.6 remote-as 65342
    neighbor 172.16.0.6 next-hop-self
    neighbor 172.16.0.6 update-source Loopback255
-   neighbor 172.16.0.6 description ty2-dz01
+   neighbor 172.16.0.6 description ty2-dz01-vpnv4
    neighbor 172.16.0.6 send-community
    no neighbor 172.16.0.3
    neighbor 172.16.0.3 remote-as 65342
    neighbor 172.16.0.3 next-hop-self
    neighbor 172.16.0.3 update-source Loopback255
-   neighbor 172.16.0.3 description ld4-dz01
+   neighbor 172.16.0.3 description ld4-dz01-vpnv4
    neighbor 172.16.0.3 send-community
    no neighbor 172.16.0.2
    neighbor 172.16.0.2 remote-as 65342
    neighbor 172.16.0.2 next-hop-self
    neighbor 172.16.0.2 update-source Loopback255
-   neighbor 172.16.0.2 description la2-dz01
+   neighbor 172.16.0.2 description la2-dz01-vpnv4
    neighbor 172.16.0.2 send-community
    no neighbor 172.16.0.5
    neighbor 172.16.0.5 remote-as 65342
    neighbor 172.16.0.5 next-hop-self
    neighbor 172.16.0.5 update-source Loopback255
-   neighbor 172.16.0.5 description sg1-dz01
+   neighbor 172.16.0.5 description sg1-dz01-vpnv4
    neighbor 172.16.0.5 send-community
    no neighbor 172.16.0.8
    neighbor 172.16.0.8 remote-as 65342
    neighbor 172.16.0.8 next-hop-self
    neighbor 172.16.0.8 update-source Loopback255
-   neighbor 172.16.0.8 description ams-dz001
+   neighbor 172.16.0.8 description ams-dz001-vpnv4
    neighbor 172.16.0.8 send-community
    no neighbor 172.16.0.4
    neighbor 172.16.0.4 remote-as 65342
    neighbor 172.16.0.4 next-hop-self
    neighbor 172.16.0.4 update-source Loopback255
-   neighbor 172.16.0.4 description frk-dz01
+   neighbor 172.16.0.4 description frk-dz01-vpnv4
    neighbor 172.16.0.4 send-community
    no neighbor 172.16.0.7
    neighbor 172.16.0.7 remote-as 65342
    neighbor 172.16.0.7 next-hop-self
    neighbor 172.16.0.7 update-source Loopback255
-   neighbor 172.16.0.7 description pit-dzd01
+   neighbor 172.16.0.7 description pit-dzd01-vpnv4
    neighbor 172.16.0.7 send-community
    address-family ipv4
       neighbor 172.16.0.14 activate

From c4d0d88d3896637f75a09a15e6f65d8146fa5803 Mon Sep 17 00:00:00 2001
From: Nik Weidenbacher <nik@malbeclabs.com>
Date: Wed, 6 Aug 2025 21:11:08 +0000
Subject: [PATCH 17/18] Remove extra lines from merge

---
 e2e/sdk_device_telemetry_test.go | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/e2e/sdk_device_telemetry_test.go b/e2e/sdk_device_telemetry_test.go
index 4de5db0b9..fbcc9d5db 100644
--- a/e2e/sdk_device_telemetry_test.go
+++ b/e2e/sdk_device_telemetry_test.go
@@ -78,11 +78,6 @@ func TestE2E_SDK_Telemetry_DeviceLatencySamples(t *testing.T) {
 		doublezero device interface create ld4-dz01 "Loopback256" loopback --loopback-type ipv4
 		doublezero device interface create frk-dz01 "Loopback256" loopback --loopback-type ipv4
 
-		doublezero device interface create la2-dz01 "Loopback255" loopback --loopback-type vpnv4
-		doublezero device interface create ny5-dz01 "Loopback255" loopback --loopback-type vpnv4
-		doublezero device interface create ld4-dz01 "Loopback255" loopback --loopback-type vpnv4
-		doublezero device interface create frk-dz01 "Loopback255" loopback --loopback-type vpnv4
-
 		doublezero link create wan --code "la2-dz01:ny5-dz01" --contributor co01 --side-a la2-dz01 --side-a-interface Switch1/1/1 --side-z ny5-dz01 --side-z-interface Switch1/1/1 --bandwidth "10 Gbps" --mtu 9000 --delay-ms 40 --jitter-ms 3
 		doublezero link create wan --code "ny5-dz01:ld4-dz01" --contributor co01 --side-a ny5-dz01 --side-a-interface Switch1/1/1 --side-z ld4-dz01 --side-z-interface Switch1/1/1 --bandwidth "10 Gbps" --mtu 9000 --delay-ms 30 --jitter-ms 3
 		doublezero link create wan --code "ld4-dz01:frk-dz01" --contributor co01 --side-a ld4-dz01 --side-a-interface Switch1/1/1 --side-z frk-dz01 --side-z-interface Switch1/1/1 --bandwidth "10 Gbps" --mtu 9000 --delay-ms 25 --jitter-ms 10

From ccd5e7fe7641deda9ac01cbfd29b3e6c96312ddb Mon Sep 17 00:00:00 2001
From: Nik Weidenbacher <nik@malbeclabs.com>
Date: Thu, 7 Aug 2025 13:33:01 +0000
Subject: [PATCH 18/18] Fix typos

---
 controlplane/controller/internal/controller/models.go         | 2 +-
 controlplane/controller/internal/controller/render_test.go    | 2 +-
 controlplane/controller/internal/controller/server.go         | 4 +---
 controlplane/controller/internal/controller/server_test.go    | 4 ++--
 .../controller/internal/controller/templates/tunnel.tmpl      | 4 ++--
 e2e/internal/devnet/devnet.go                                 | 2 +-
 e2e/main_test.go                                              | 1 -
 e2e/sdk_device_telemetry_test.go                              | 1 -
 8 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/controlplane/controller/internal/controller/models.go b/controlplane/controller/internal/controller/models.go
index 810b98dd5..b561b49a8 100644
--- a/controlplane/controller/internal/controller/models.go
+++ b/controlplane/controller/internal/controller/models.go
@@ -21,7 +21,7 @@ type Device struct {
 	TunnelSlots           int
 	Interfaces            []serviceability.Interface
 	Vpn4vLoopbackIntfName string
-	Ip4vLoopbackIntfName  string
+	Ipv4LoopbackIntfName  string
 }
 
 func NewDevice(ip net.IP, publicKey string) *Device {
diff --git a/controlplane/controller/internal/controller/render_test.go b/controlplane/controller/internal/controller/render_test.go
index 574f81a16..2e3ad2288 100644
--- a/controlplane/controller/internal/controller/render_test.go
+++ b/controlplane/controller/internal/controller/render_test.go
@@ -377,7 +377,7 @@ func TestRenderConfig(t *testing.T) {
 						},
 					},
 					Vpn4vLoopbackIntfName: "Loopback255",
-					Ip4vLoopbackIntfName:  "Loopback256",
+					Ipv4LoopbackIntfName:  "Loopback256",
 				},
 				Vpnv4BgpPeers: []BgpPeer{
 					{
diff --git a/controlplane/controller/internal/controller/server.go b/controlplane/controller/internal/controller/server.go
index 078c96770..9a0a8d1be 100644
--- a/controlplane/controller/internal/controller/server.go
+++ b/controlplane/controller/internal/controller/server.go
@@ -179,7 +179,7 @@ func (c *Controller) updateStateCache(ctx context.Context) error {
 				// Extract IP from IpNet
 				ip := net.IP(iface.IpNet[:4])
 				d.Ipv4LoopbackIP = ip // Used to set router-id
-				d.Ip4vLoopbackIntfName = iface.Name
+				d.Ipv4LoopbackIntfName = iface.Name
 				// TODO: raise an error if the IP is 0.0.0.0 (not set)
 				peer := BgpPeer{
 					PeerIP:   ip,
@@ -442,8 +442,6 @@ func (c *Controller) GetConfig(ctx context.Context, req *pb.ConfigRequest) (*pb.
 		TelemetryTWAMPListenPort: telemetryconfig.TWAMPListenPort,
 	}
 
-	// Write a check
-
 	config, err := renderConfig(data)
 	if err != nil {
 		getConfigRenderErrors.WithLabelValues(req.GetPubkey()).Inc()
diff --git a/controlplane/controller/internal/controller/server_test.go b/controlplane/controller/internal/controller/server_test.go
index 876dea26f..019c82372 100644
--- a/controlplane/controller/internal/controller/server_test.go
+++ b/controlplane/controller/internal/controller/server_test.go
@@ -358,7 +358,7 @@ func TestGetConfig(t *testing.T) {
 						Vpn4vLoopbackIP:       net.IP{14, 14, 14, 14},
 						Ipv4LoopbackIP:        net.IP{13, 13, 13, 13},
 						Vpn4vLoopbackIntfName: "Loopback255",
-						Ip4vLoopbackIntfName:  "Loopback256",
+						Ipv4LoopbackIntfName:  "Loopback256",
 						Tunnels:               []*Tunnel{},
 						TunnelSlots:           0,
 					},
@@ -647,7 +647,7 @@ func TestStateCache(t *testing.T) {
 							},
 						},
 						Vpn4vLoopbackIntfName: "Loopback255",
-						Ip4vLoopbackIntfName:  "Loopback256",
+						Ipv4LoopbackIntfName:  "Loopback256",
 					},
 				},
 			},
diff --git a/controlplane/controller/internal/controller/templates/tunnel.tmpl b/controlplane/controller/internal/controller/templates/tunnel.tmpl
index 81dde3786..1d737acf2 100644
--- a/controlplane/controller/internal/controller/templates/tunnel.tmpl
+++ b/controlplane/controller/internal/controller/templates/tunnel.tmpl
@@ -90,7 +90,7 @@ router bgp 65342
    no neighbor {{ .PeerIP }}
    neighbor {{ .PeerIP }} remote-as 65342
    neighbor {{ .PeerIP }} next-hop-self
-   neighbor {{ .PeerIP }} update-source {{ $.Device.Ip4vLoopbackIntfName }}
+   neighbor {{ .PeerIP }} update-source {{ $.Device.Ipv4LoopbackIntfName }}
    neighbor {{ .PeerIP }} description {{ .PeerName }}-ipv4
    neighbor {{ .PeerIP }} send-community
    {{- end }}
@@ -238,7 +238,7 @@ router msdp
    {{- if ne .PeerIP.String $.Device.Ipv4LoopbackIP.String }}
    peer {{ .PeerIP }}
       mesh-group DZ-1
-      local-interface {{ $.Device.Ip4vLoopbackIntfName }}
+      local-interface {{ $.Device.Ipv4LoopbackIntfName }}
       description {{ .PeerName }}
    {{- end }}
    {{- end }}
diff --git a/e2e/internal/devnet/devnet.go b/e2e/internal/devnet/devnet.go
index 6906c0e23..38d71e83c 100644
--- a/e2e/internal/devnet/devnet.go
+++ b/e2e/internal/devnet/devnet.go
@@ -802,7 +802,7 @@ func generateKeypairIfNotExists(keypairPath string) (bool, error) {
 }
 
 func (d *Devnet) CreateDeviceLoopbackInterface(ctx context.Context, deviceCode string, interfaceName string, loopbackType string) error {
-	d.log.Info("==> Creating VPNv4 loopback interface for device", "code", deviceCode)
+	d.log.Info("==> Creating loopback interface for device", "code", deviceCode)
 	d.onchainWriteMutex.Lock()
 	defer d.onchainWriteMutex.Unlock()
 
diff --git a/e2e/main_test.go b/e2e/main_test.go
index d5e543bdf..39d1805b6 100644
--- a/e2e/main_test.go
+++ b/e2e/main_test.go
@@ -173,7 +173,6 @@ func (dn *TestDevnet) Start(t *testing.T) (*devnet.Device, *devnet.Client) {
 		doublezero device list
 
 		echo "==> Populate device interface information onchain"
-		# TODO: When the controller supports dzd metadata, this will have to be updated to reflect actual interfaces
 		doublezero device interface create ny5-dz01 "Switch1/1/1" physical
 		doublezero device interface create la2-dz01 "Switch1/1/1" physical
 		doublezero device interface create ld4-dz01 "Switch1/1/1" physical
diff --git a/e2e/sdk_device_telemetry_test.go b/e2e/sdk_device_telemetry_test.go
index fbcc9d5db..0a89c1335 100644
--- a/e2e/sdk_device_telemetry_test.go
+++ b/e2e/sdk_device_telemetry_test.go
@@ -62,7 +62,6 @@ func TestE2E_SDK_Telemetry_DeviceLatencySamples(t *testing.T) {
 		doublezero device create --code ld4-dz01 --contributor co01 --location lhr --exchange xlhr --public-ip "195.219.120.72" --dz-prefixes "195.219.120.72/29" --mgmt-vrf mgmt
 		doublezero device create --code frk-dz01 --contributor co01 --location fra --exchange xfra --public-ip "195.219.220.88" --dz-prefixes "195.219.220.88/29" --mgmt-vrf mgmt
 
-		# TODO: When the controller supports dzd metadata, this will have to be updated to reflect actual interfaces
 		doublezero device interface create la2-dz01 "Switch1/1/1" physical
 		doublezero device interface create ny5-dz01 "Switch1/1/1" physical
 		doublezero device interface create ld4-dz01 "Switch1/1/1" physical