Title
b
big-wolf-4507
09/26/2022, 6:57 PMWith the 0.16.0-2 clients and the changes to the dynamic port settings from my thread above, everything seems to be working with the exception of egress via one of the nodes. When I look at the wireguard config on the other nodes I don't see the egress subnet listed under the allowed ips for the egress node. Any thoughts as to what to try here?
b
bored-island-21407
09/26/2022, 7:03 PMwhen you create the egress are there any errors in netmaker or netclient on the egress node
b
big-wolf-4507
09/26/2022, 7:17 PMYeah, I didn't realize until just now, but yeah, that node crashes when I add the egress route. No errors on the server side but the last bit of the netclient log is this:
Which seems weird given that checking nft rules I see that netmaker already has some content in that chain:
table ip nat {
...
chain postrouting {
oifname "<nm-interface-name>" counter packets 0 bytes 0 masquerade
}
...
}b
big-wolf-4507
09/26/2022, 7:30 PMSure, the peers look normal so I'll omit tha part and just post the interface section with the firewall commands:
[Interface]
PrivateKey = <private-key>
ListenPort = 50821
Address = 10.28.0.4
PostUp = nft add table ip filter
PostUp = nft add chain ip filter FORWARD
PostUp = nft add rule ip filter FORWARD iifname <nm-interface-name> counter accept
PostUp = nft add rule ip filter FORWARD oifname <nm-interface-name> counter accept
PostUp = nft add table nat
PostUp = nft add chain nat postrouting
PostUp = nft add rule ip nat postrouting oifname <nm-interface-name> counter masquerade
PostUp = nft add chain ip filter forward
PostUp = nft add rule filter forward ct state related,established accept
PostUp = nft add rule ip filter forward iifname <nm-interface-name> accept
PostUp = nft add rule ip filter forward oifname <nm-interface-name> accept
PostUp = `nft 'add chain ip nat prerouting { type nat hook prerouting priority 0 ;}'`
PostUp = `nft 'add chain ip nat postrouting { type nat hook postrouting priority 0 ;}'`
PostUp = nft add rule ip nat postrouting oifname enp3s0 counter masquerade
PostDown = nft flush table filter
PostDown = nft flush table natFor reference the egress is set to be 10.25.0.0/16
I mean if I just run
netclient pullb
bored-island-21407
09/26/2022, 9:29 PMby any chance is that node both an ingress and an egress
b
big-wolf-4507
09/26/2022, 9:29 PMIt is
b
bored-island-21407
09/26/2022, 9:29 PMwhich order did you create them
b
big-wolf-4507
09/26/2022, 9:29 PMIngress first
b
bored-island-21407
09/26/2022, 9:30 PMtry doing it in the other order -- we had a bug with iptables rules when the ingress was created first ; maybe the same thing with nftables
10.25.0.0/16 doesn't overlap with any networks on the other nodes does it
b
big-wolf-4507
09/26/2022, 9:36 PMNo dice taking down the ingress gw and just doing egress first before adding back ingress. Same error in the logs as before (needing
netclient pullb
big-wolf-4507
09/26/2022, 9:52 PMwg-quick upError: Could not process rule: File exists
add chain ip nat postrouting { type nat hook postrouting priority 0 ;}
^^^^^^^^^^^It seems like any updates sent to that node cause it to go offline until I kick it with
netclient pullb
bored-island-21407
09/26/2022, 9:53 PMit comes up ok if you do a netclient pull?
b
big-wolf-4507
09/26/2022, 9:54 PMYeah
b
bored-island-21407
09/26/2022, 9:55 PMthat does not make any sense to me (I believe you, just can't figure out what is going on)
your node and server are the same version?
b
big-wolf-4507
09/26/2022, 9:56 PM0.16.0 server and 0.16.0-2 for all the clients. I assumed the -2 patch was just for the clients.
b
bored-island-21407
09/26/2022, 9:57 PMyes ---- the binary is the same but some of the other files in the deb package changed.
b
big-wolf-4507
09/26/2022, 9:58 PMSo I should try to upgrade the server?
b
bored-island-21407
09/26/2022, 9:58 PMand after you do a pull, other nodes still don't have 10.15.0.0/16 as an allowedip?
b
big-wolf-4507
09/26/2022, 9:59 PMOh and looking at some of the other nodes it looks like there is a route for the 10.25.0.0/16 subnet now. I think adding the egress first worked for the other nodes that aren't being relayed by that same node
b
bored-island-21407
09/26/2022, 9:59 PMserver should be fine;;;;; but you could do a docker-compose pull; docker-compose up -d
can you provide a screenshot of your network graph (from netmaker ui)
ace and apogee are ext clients?
b
big-wolf-4507
09/26/2022, 10:04 PMWhen I dropped the ingress for the node all the ext clients went away and I haven't readded them. ace and apogee are relayed via orem-dc-gw
b
bored-island-21407
09/26/2022, 10:04 PMoh.. so you are using that one node as an ingress/egress and a relay
b
big-wolf-4507
09/26/2022, 10:04 PMRight.
b
bored-island-21407
09/26/2022, 10:06 PMhave you tried making one of the other nodes the relay for ace and apogee?
though what you are doing should work
b
big-wolf-4507
09/26/2022, 10:07 PMOrem-dc-gw has an external ip and static port. Most of the others are rely on udp hole punching
b
bored-island-21407
09/26/2022, 10:07 PMgotcha.... the other choice would be to use netmaker-1 as the relay
do all the other nodes have the egress range in their allowedips
b
big-wolf-4507
09/26/2022, 10:16 PMYes, since I re-added the egress before the ingress on that node the other nodes get their routes set correctly for 10.25.0.0/16
It's just the relayed nodes that can't.
If I make another node that's close there be the egress instead then the relayed nodes also get routes for the egress.
So I guess this is solved, thanks for your insight @bored-island-21407 !
b
bored-island-21407
09/26/2022, 11:28 PMGlad to help
b
big-wolf-4507
09/27/2022, 2:42 AMThough, this technically should work with a node being both a relay and an egress gateway right? Is there any other testing that would be useful to ascertain if this is a bug? E.g., should I open a GH issue or anything? And I guess the ingress/egress creation order bug is already tracked somewhere?
b
bored-island-21407
09/27/2022, 2:44 AMAn issue for the relay/egress combo would be good. PR already submitted for the ingress/egress issue