I think may not need to open an issue, because it was not caused by the netclient or netmaker. After testing, the problem that I can not do a full tunnel with the default postup and postdown is because of the CSF firewall, I must accidentally disable the CSF and then restart docker, that is why I feel the delay and thought it was working. If the host has CSF firewall installed, then should add two following rules, at least this works for me /usr/sbin/iptables -A FORWARD -i nm-interface-name -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT; /usr/sbin/iptables -A FORWARD -i eth0 -o nm-interfacename -m state --state RELATED,ESTABLISHED -j ACCEPT;