netclient egress issues with 10.0.0/8
# client
b
netclient egress issues with 10.0.0/8 subnets. i have a couple setups where the main server is the ingress on a network and a node on that network is an egress. 3 of this network type with egresses {192.168.15.0/24, 192.168.3.0/24, 192.168.15.0/24} are working without a problem. but if i set up something identical but where the egress is 10.0.2.0/24 it doesn't work
initially i thought it was just something with that node but then i tried on a different node on the same lan and it also didn't work
i then tried on a different network/environment entirely, this time with an egress of 10.35.6.0/24, and it also didn't work
but this same type of setup on the same netmaker server where the egress is 192.168.x.x works
i've been poking around for the last couple hours and i can't find what is causing this
when i run a traceroute on the 192.168.x.x egress network the traceroute shows the main server ip -> the node ip which the egress is on -> then the ip that was being pinged, i.e. 192.168.1.1
however for the traceroute to an address in the 10.0.2.0/24 range the first hop is to the main server, and then nothing else, it doesn't hop to the node which the egress is on
which is making me think that this is a netmaker server issue
okay, i've tried everything i can think of. i can ping all nodes, i can ping and traceroute the egress node successfully, but when i try to traceroute an ip on the egress the only hop it makes is to the netmaker server, and it doesn't make the hop to the node where the egress is
i am pretty sure that this is a netmaker server issue, and i don't know what is causing it
everything is on 0.18.5 all nodes are marked as healthy
b
do you have a netclient running on server machine?
b
yes
b
is it running as a docker container?
b
yep, since i have also tried completely redeploying on a reinstalled OS (Ubuntu 20.04)
b
the server is running in a container, but netclient is running on machine itself right?
b
correct
b
could you please paste the output of
ip a
of that machine?
b
which interface you wanted to reach through egress?
b
ahh sorry egress is on another node
ingress however is on that server
here's the node which i am trying to egress out of
```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 86:84:de:b0:9d:a0 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.251/24 brd 10.0.2.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::8484:deff:feb0:9da0/64 scope link 
       valid_lft forever preferred_lft forever
4: netmaker: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.100.2.2/24 brd 10.100.2.255 scope global netmaker
       valid_lft forever preferred_lft forever
```
b
do you have iptables or nftables setup on your egress machine?
b
no
b
which iptables
can you run this command on your egress machine and send the output
b
there is no output
for either nftables or iptables
b
you need to install either one of them on the egress machine, that's a requirement. i would suggest you install iptables on the egress machine
b
```
┌──(teleport-admin@REMOVED)-[~]
$ which iptables
┌──(teleport-admin@REMOVED)-[~]
$ sudo apt install iptables
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
iptables is already the newest version (1.8.7-1).
```
okay now i am unable to ping that node
```
$ sudo wg show
interface: netmaker
  public key: REMOVED
  private key: (hidden)
  listening port: 51821

peer: REMOVED
  endpoint: 172.245.133.173:51821
  allowed ips: 10.100.2.1/32, 10.100.2.253/32, 10.100.2.254/32
  latest handshake: 40 seconds ago
  transfer: 276 B received, 956 B sent
  persistent keepalive: every 20 seconds
```
```
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 86:84:de:b0:9d:a0 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.251/24 brd 10.0.2.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::8484:deff:feb0:9da0/64 scope link 
       valid_lft forever preferred_lft forever
6: netmaker: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.100.2.2/24 brd 10.100.2.255 scope global netmaker
       valid_lft forever preferred_lft forever
```
it shows up as healthy on the dashboard
i've tried uninstalling netclient, rebooting and reinstalling after iptables was installed
other nodes are able to ping it at 10.100.2.2 but not ext clients
ext clients can ping 10.100.2.1
where 10.100.2.1 is the netmaker server where netclient is installed
and 10.100.2.2 (egress node) can ping 10.2.100.1 (netmaker server) and vice versa, but ext clients can only ping 10.100.2.1
i added another node 10.100.2.3 and it also can't be pinged by ext client
all nodes can ping each other
b
so is the egress working now?
even on the ingress node you need to install iptables for routing, that's a requirement
b
no, egress is not working, and ext clients can no longer contact any node other than the node that is on the netmaker server
the ingress node has iptables
but all nodes can ping each other
b
can you send output of these two commands
iptables -L
iptables -t nat -L
b
will follow up via email at info@netmaker.io so i don't have to worry about leaking sensitive information in public
b
okay thank you
b
sent