diff --git a/roles/firewall/files/shorewall/macro.BGP b/roles/firewall/files/shorewall/macro.BGP
new file mode 100644
index 0000000000000000000000000000000000000000..787a625f6a1017f2a2709f202825b4d50d586216
--- /dev/null
+++ b/roles/firewall/files/shorewall/macro.BGP
@@ -0,0 +1 @@
+PARAM	-	-	tcp	179
diff --git a/roles/firewall/files/shorewall/rules b/roles/firewall/files/shorewall/rules
index 05227daced1050ffe80b8593d9c014b36c9c3de0..70a1d02b3b842f0b936b82cd3736b619fcd274ff 100644
--- a/roles/firewall/files/shorewall/rules
+++ b/roles/firewall/files/shorewall/rules
@@ -47,6 +47,8 @@ SNMP/ACCEPT		intern:$MONITORING	all!wan
 ACCEPT			intern:$MONITORING	all!wan
 Icinga/ACCEPT		all!wan				intern:$MONITORING
 Icinga/ACCEPT		intern:$MONITORING	all!wan
+ACCEPT                 mgmt:$MONITORING        all!wan
+Icinga/ACCEPT          all!wan                         mgmt:$MONITORING
 Icinga/ACCEPT		all:$EXTERNAL_HOSTS  	  	intern:$MONITORING
 Icinga/ACCEPT		intern:$MONITORING	all:$EXTERNAL_HOSTS
 Qnetd/ACCEPT		all!wan				intern:$MONITORING
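Review bot: The added `ACCEPT mgmt:$MONITORING all!wan` has no protocol or port columns, so the monitoring address seen on the mgmt zone may open any connection to every zone except wan, presumably including the firewall itself. It mirrors the existing intern rule, but an unrestricted accept means a compromised monitoring host is not contained by the firewall at all. If only polling is needed, macro-scoped rules such as `SNMP/ACCEPT mgmt:$MONITORING all!wan` and `Icinga/ACCEPT mgmt:$MONITORING all!wan` would be tighter, and would also make the new inbound `Icinga/ACCEPT` line symmetric with the intern pair. The two new lines are space-aligned where their neighbours use tabs, and since they are unrelated to BGP a short comment such as `# monitoring host is also reachable via mgmt` would explain why they are here.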
@@ -160,6 +162,9 @@ ACCEPT                         all                     kube:$METALLB_RADIUS
 # API
 Web/ACCEPT			public:$GITLAB01	fw:$KUBE_API_PUBLIC
 
+# BGP
+BGP/ACCEPT			kube			fw
+
 ##### Kubernetes end
 
 # HAProxy
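Review bot: `BGP/ACCEPT kube fw` opens tcp/179 on the firewall to every address in the kube zone, while the BIRD template in this change only accepts peers from 10.98.1.0/24. Unless the kube zone is exactly that subnet (not visible here), the rule should carry the same restriction, e.g. `BGP/ACCEPT kube:10.98.1.0/24 fw`. Better still, use a params variable shared with the template so the two cannot drift apart. That keeps the BGP listener unreachable from pods or other hosts in the zone that are not expected to peer.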
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index 88bb3d10ba888da59abdc8556e3198e920620e0b..db5ced1ba186e8ce069a1cfcb6f1514b3b53db05 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -17,6 +17,7 @@
       - haproxy
       - shorewall
       - shorewall6
+      - bird2
     state: present
 - name: Copy static config files
   ansible.builtin.copy:
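Review bot: `bird2` is added to the package list, but no task in the visible part of this change renders `templates/bird.conf.j2` or reloads the daemon. On Debian-family systems the package starts the service with its stock configuration right after installation. If the template task and a reload handler are not added elsewhere, the router would run with a configuration other than the one reviewed here. The task list continues outside this hunk, so this may already be covered.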
diff --git a/roles/firewall/templates/bird.conf.j2 b/roles/firewall/templates/bird.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..88fd68ac915d9e8e70303c6acf95b6ed30adedb6
--- /dev/null
+++ b/roles/firewall/templates/bird.conf.j2
@@ -0,0 +1,28 @@
+log syslog all;
+
+protocol device {
+}
+
+protocol direct {
+	ipv4;			# Connect to default IPv4 table
+	ipv6;			# ... and to default IPv6 table
+}
+
+protocol kernel {
+	ipv4 {			# Connect protocol to IPv4 table by channel
+	      export all;	# Export to protocol. default is export none
+	};
+}
+
+protocol bgp k8s {
+    router id {{ bird_router_id }};
+
+    local as 64567;
+ 
+    ipv4 {
+        import all;
+        export none;
+    };
+ 
+    neighbor range 10.98.1.0/24 as 64512;
+};
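Review bot: In `protocol bgp k8s`, `neighbor range 10.98.1.0/24` combined with `import all` and the kernel protocol's `export all` means any host in that /24 can open a session and have whatever prefixes it announces installed in the firewall's kernel routing table. That includes a default route or more-specifics of internal and management networks. The session is also unauthenticated. I would replace `import all` with a filter that accepts only the service prefixes the cluster is expected to announce, and add a `password` if the peers support TCP-MD5. The two template variables in the sketch below are placeholders and are not defined anywhere in this change, as is the case for `bird_router_id` in the visible part. Separately, `protocol direct` attaches an `ipv6` channel that nothing else in the file uses.

```jinja
# placeholder variables: bird_k8s_service_prefix, bird_bgp_password
filter k8s_import {
    # accept only routes inside the announced service pool
    if net ~ [ {{ bird_k8s_service_prefix }}+ ] then accept;
    reject;
}

protocol bgp k8s {
    # … unchanged: router id, local as …
    password "{{ bird_bgp_password }}";

    ipv4 {
        import filter k8s_import;
        export none;
    };
    # … unchanged: neighbor range …
};
```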