Hi all. I am having a small issue and was wondering if you can help me. I have deployed and configured Netmaker on AWS. Server sits in the Public subnet and have launched a few EC2 instances spread across the available Public and Private subnets (same VPC, NAT Gateways in place). All EC2 client instances have Apache running, for testing purposes and appear as Nodes in Netmaker GUI. So far so good. Then i configured the Netmaker instance as an Ingress Gateway. Also, as Egress Gateway where i added the VPC CIDR. I then configured an External client, downloaded the config and setup the Wireguard client in my laptop. The range i have used for my Network in Netmaker is 10.101.0.0/16. And my VPC CIDR is 192.168.100.0/24 And here is the part is giving me a headache. In my laptop i am trying the following: Node-1 is in the Public subnet running Apache. I can access the default page either using http://10.101.0.8/ or using it;s private IP http://192.168.100.20/ Node-2 is in the Private Subnet and i can only load the webpage using http://10.101.0.10/ and not with the AWS assigned private IP Is there a way to be able to access the hosts in Private subnets, when using an external client, by their original IPs? Thanks

Let me see if I understaing. I believe the challenge you are facing here is because we ignore egress ranges on devices that have an overlapping CIDR in there local interfaces. So, if Node-1 is the ingress/egress, and you set Egress to the 192 range, this should be reachable from ext clients. However, if Node-1 is egress and Node-2 is Ingress, ext clients would not be able to reach it, because Node-2 will not route requests for 192 to Node-2. Hope that makes sense.

Thanks for the quick reply @jolly-london-20127 . I have configured Ingress/Egress on the Netmaker Node for testing. So consider that i have 3 Nodes registered in total (Netmaker, Node-1 and Node-2). Can reach Node 1 from my laptop using 192.xx as both Netmaker and Node-1 are in the same Public subnet. But can't reach Node-2 that sits in a Private subnet. Node-2 is only reacheable by it's 10.101.0.8 IP

your laptop uses ext client i take it?

yes. have downlaoded the config and configured wireguard

so node-2 is also reachable by ext client, but just using the netmaker IP (10.101.0.8) is that right?

correct

ok, so is node-2 on a separate 192.168.100.0/24 subnet, or is it the same subnet as node-1?

Node-1 is in the same Public subnet as the Netmaker server. Node-2 is in a different subnet (Private behind a NAT Gateway)

gotcha

but both are in the same VPC /CIDR

actually I'm still confused

ok. sorry for any confusion, let me clarify it better. All Nodes are in the same VPC with a 192.168.100.0/24 CIDR. Netmaker server and Node-1 are deployed in the Public Subnet that has an IP range of 192.168.100.0/28. Node-2 is deployed in the Private subnet with range 192.168.100.128/28

AH, I understand, that explains it

the Egress server has an eth0 and local traffic is controlled through AWS routing tables. i will try and create a separate Egress just for the private subnet range and see how it goes. thank you @jolly-london-20127

there may be issues for this scenario on the current version, since we sometimes ignore overlapping subnets. However, if you're unable to get it working in the current version, I believe this should be fixed in 0.18, where we no longer require setting an interface for egress.

thank you. Netmaker is amazing and i am using it a lot in projects. 2 years ago i had to use Terraform, Ansible and Vault to automate a mesh deployment😆 . This one Rocks👏