
melodic-hospital-87596

03/17/2023, 3:43 PM
Hi all. I am having a small issue and was wondering if you can help me. I have deployed and configured Netmaker on AWS. The server sits in the Public subnet, and I have launched a few EC2 instances spread across the available Public and Private subnets (same VPC, NAT Gateways in place). All EC2 client instances have Apache running for testing purposes and appear as Nodes in the Netmaker GUI. So far so good. Then I configured the Netmaker instance as an Ingress Gateway, and also as an Egress Gateway where I added the VPC CIDR. I then configured an External client, downloaded the config and set up the WireGuard client on my laptop. The range I have used for my Network in Netmaker is 10.101.0.0/16, and my VPC CIDR is 192.168.100.0/24. And here is the part that is giving me a headache. On my laptop I am trying the following: Node-1 is in the Public subnet running Apache. I can access the default page either using http://10.101.0.8/ or using its private IP http://192.168.100.20/. Node-2 is in the Private subnet and I can only load the webpage using http://10.101.0.10/ and not with the AWS-assigned private IP. Is there a way to be able to access the hosts in Private subnets, when using an external client, by their original IPs? Thanks

jolly-london-20127

03/17/2023, 3:49 PM
Let me see if I understand. I believe the challenge you are facing here is because we ignore egress ranges on devices that have an overlapping CIDR in their local interfaces. So, if Node-1 is the ingress/egress, and you set Egress to the 192 range, this should be reachable from ext clients. However, if Node-1 is egress and Node-2 is Ingress, ext clients would not be able to reach it, because Node-2 will not route requests for 192 to Node-2. Hope that makes sense.

melodic-hospital-87596

03/17/2023, 3:56 PM
Thanks for the quick reply @jolly-london-20127. I have configured Ingress/Egress on the Netmaker Node for testing. So consider that I have 3 Nodes registered in total (Netmaker, Node-1 and Node-2). I can reach Node-1 from my laptop using 192.xx as both Netmaker and Node-1 are in the same Public subnet. But I can't reach Node-2 that sits in a Private subnet. Node-2 is only reachable by its 10.101.0.8 IP.

jolly-london-20127

03/17/2023, 3:57 PM
Your laptop uses an ext client, I take it?

melodic-hospital-87596

03/17/2023, 3:58 PM
Yes. I have downloaded the config and configured WireGuard.

jolly-london-20127

03/17/2023, 3:58 PM
So Node-2 is also reachable by the ext client, but just using the Netmaker IP (10.101.0.8), is that right?

melodic-hospital-87596

03/17/2023, 3:58 PM
Correct.

jolly-london-20127

03/17/2023, 3:59 PM
OK, so is Node-2 on a separate 192.168.100.0/24 subnet, or is it the same subnet as Node-1?

melodic-hospital-87596

03/17/2023, 4:01 PM
Node-1 is in the same Public subnet as the Netmaker server. Node-2 is in a different subnet (Private, behind a NAT Gateway).

jolly-london-20127

03/17/2023, 4:01 PM
Gotcha.

melodic-hospital-87596

03/17/2023, 4:01 PM
But both are in the same VPC/CIDR.

jolly-london-20127

03/17/2023, 4:02 PM
Actually I'm still confused.
So are all nodes on the same 192.168.100.0/24 subnet?

melodic-hospital-87596

03/17/2023, 4:07 PM
OK, sorry for any confusion, let me clarify it better. All Nodes are in the same VPC with a 192.168.100.0/24 CIDR. The Netmaker server and Node-1 are deployed in the Public subnet, which has an IP range of 192.168.100.0/28. Node-2 is deployed in the Private subnet with range 192.168.100.128/28.

jolly-london-20127

03/17/2023, 4:09 PM
AH, I understand, that explains it.
Overlapping subnets are a problem for our egress at the moment.
So, on the egress machine, there must be two separate interfaces for the two 192 subnets, is that correct?

melodic-hospital-87596

03/17/2023, 4:19 PM
The Egress server has an eth0, and local traffic is controlled through AWS routing tables. I will try and create a separate Egress just for the private subnet range and see how it goes. Thank you @jolly-london-20127

jolly-london-20127

03/17/2023, 4:20 PM
There may be issues for this scenario on the current version, since we sometimes ignore overlapping subnets. However, if you're unable to get it working in the current version, I believe this should be fixed in 0.18, where we no longer require setting an interface for egress.

melodic-hospital-87596

03/17/2023, 4:26 PM
Thank you. Netmaker is amazing and I am using it a lot in projects. 2 years ago I had to use Terraform, Ansible and Vault to automate a mesh deployment 😆. This one rocks 👏