Two network egress issue
# client
h
a few issues still with this v18 server/client for me.
1) 18.7 client seems to have lost all egress functionality. two different networks, different locations. I can ping the egress nodes on their wireguard interfaces, but the egress ranges are unresponsive, although an existing external client still has connectivity
2) the existing nodes from 18.5 and 18.6 don't show the new 18.7 client versions in the dashboard.
3) My linux and synology hosts are trying to check in to an old server that I was testing with a different domain: dashboard.netmaker-test.my.net. They were properly removed from the networks (leave, uninstall) but the routes still show with ip a. They pull the correct server, but then hang for 20 seconds or so, and then report the old server as unresponsive
4) windows client commands give no feedback in the shell, but pull seems to work at least - no help or other options available
5) 18.7 server ui no longer has an option to set the default external client dns server, which I gather is deprecated. The existing default DNS server for my main network is still visible in the network details in the ui, but cannot be removed or edited.
6) back to an issue apparent since v16: a host running netclient on the same network as an egress gateway loses connectivity to the netmaker server (dashboard, ssh) until the client is disconnected. this was possible in the old netclient ui, but disconnecting the network in the v18+ ui has no effect. disabling the interface in the windows network connections does restore access to the dashboard and ssh connectivity to the server.
7) I cannot create new external clients on the upgraded egress gateway, it just hangs with pending - I imagine that deleting the existing external clients and recreating the egress node might fix this if something big has changed, but this causes a few issues for my environment. I will try to test after hours and revert to a snapshot if it all goes wrong.
8) I'm sure it's going to be awesome again soon!
j
thank you for the feedback, this is very helpful. We're aware of several of these and are working on fixes. For #1, can you share information about the iptables and nftables available on the host? There are known issues with conflicts between iptables and nftables that we are hoping to resolve in the next release.
h
Hi @jolly-london-20127 iptables v1.8.7 (nf_tables) on Ubuntu 22.04
Anything else that would help? I'm not too familiar with iptables/nf_tables
j
Can you check if iptables-legacy or iptables-nft are available? @bored-island-21407 anything you can add?
h
Those commands are not available
b
I would like to see the routing table on the egress and the allowed ips on a node that cannot connect to the egress range
so only nft?
h
nftables v1.0.2 (Lester Gooch)
b
what is output of
nft list ruleset
on egress gateway?
h
I have to go back to 17.1 to get back to the network with that egress node. couple of mins
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
xxx.xxx.xxx.200    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
10.12.14.0      0.0.0.0         255.255.255.0   U     0      0        0 netmaker
10.20.30.254    0.0.0.0         255.255.255.255 UH    0      0        0 netmaker
xxx.xxx.xxx.196   192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
xxx.xxx.xxx.127  192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
xxx.xxx.xxx.127 192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
xxx.xxx.xxx.175  192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
xxx.xxx.xxx.49   192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
Not sure the formatting is too good here. I can send it another way if you can't copy it out
This is the egress gateway that also tries to reach 10.20.30.0 which was an early test of 18.4
b
what is your egress range cidr
are you trying to get a v0.18.x node to talk to a v0.17.1 egress?
h
No, but I have a 17.1 egress node on a different network and server behind the same NAT
the egress range is 192.168.1.0/24
b
the last line in your routing table does not make sense to me 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
can you actually connect to anything on the egress range from the egress node? I should think not with that routing rule
h
Well external clients can connect. i can reach the webui of servers behind that NAT. other clients not
b
nvm, that is just the way route presents info..... can you provide the output of
ip route
rather than
route -n
h
default via 192.168.1.1 dev eth0 proto static
xxx.xxx.xxx.200 via 192.168.1.1 dev eth0
10.12.14.0/24 dev netmaker proto kernel scope link src 10.12.14.2
10.20.30.254 dev netmaker
xxx.xxx.xxx.196 via 192.168.1.1 dev eth0
xxx.xxx.xxx.127 via 192.168.1.1 dev eth0
xxx.xxx.xxx.127 via 192.168.1.1 dev eth0
xxx.xxx.xxx.175 via 192.168.1.1 dev eth0
xxx.xxx.xxx.49 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.69
b
I am totally confused on what you are telling me... ext clients can connect ?? to what .. where is the ingress in this picture?
h
on the same node as the egress
b
so the node is both an ingress and an egress
h
yes
b
ok, got it
what is output of
nft list ruleset
h
Unfortunately I have to go and do some parenting. I'll try to check back soon, so let me know if there's anything else I can send through that would help
b
let me know when you are back; I have two workarounds for this issue (actually just submitted PR for this exact issue this morning) but I need to explain them to you and then you can choose.
would like to also go over your other points sometime
h
Ok, great. Glad you can match it to something you have identified and that you have a solution. I'd be happy to test, but some hungry children to attend to just now. Will drop you a line later on
hey @bored-island-21407 . I'm at my desk for the next few hours (UK time), if you're available. otherwise I'll be online in your afternoon
b
tied up with meeting most of morning