# netmaker
a
Anyone able to help me with a little bit of understanding? 1) Ingress host: should it be able to reach the networks without accessing the docker container? So the host's IP (ingress) is 10.x and the host I am trying to reach is on the 192.168.x network (egress). Should I be able to do it directly from the host?
j
Is your ingress running in Docker, and have you tried running directly on the host machine? Might be docker networking getting in the way.
a
My ingress is running in docker as it's a quick install method.
When I do a traceroute for an IP that exists on the egress gw it takes the default gw on the host with netmaker installed and the docker containers.
j
so ingress is on the netmaker server?
a
Yes
I'll send a diagram
right now just trying to see if that tunnel works.
it's showing healthy in the interface
I confirmed the egress gw addresses (192.168.5.x, etc.) are typed correctly as well.
The host that has netclient on it can reach the 192.168.5.x network and the 192.168.13.x network on the ports shown.
j
ok, usually I like to test from a few steps to make sure it's working correctly
so first would be to make sure the gateway range is reachable from the ingress machine. So I would exec into docker and make sure you can reach the 192.x egress from there
also need to make sure that the 192.x range is in the AllowedIPs of the Ext Client config that gets generated, so confirm that as well
a
raspy-zero is the egress.
nothing in allowed IPs, just egress gateway ranges
I tried to attach to one of the containers before using `docker container attach <id>` and never got a command prompt. What is the correct way to attach to these containers to test this connection?
j
docker exec -it netmaker /bin/bash
a
ok inside the docker node the route it took was correct, it used the egress gw IP.
so it knows where to go. I just can't ping the host I am trying to reach. Which I can ping from the egress gateway where netclient is installed.
so I think the route is at least correct, it must be something else.
"In the Netmaker UI, that node is set as an “egress gateway.” Range(s) are specified which this node has access to. Once created, all clients (and all new ext clients) in the network will be able to reach those ranges via the gateway."
I have those ranges in the egress gateway as this doc says.
I added the IP of the host on the egress side I'm trying to reach to the allowed IPs as well.
still no luck with that
j
so the ingress node can't ping the host you are trying to reach? if that doesn't work, it definitely won't work from ext clients
you're certain the interface is correct? perhaps there are firewall rules blocking on the egress machine
a
the egress machine itself can reach it.
is there a way to test from the egress machine the route the netclient would try and take to reach the hosts?
I did a packet capture on the interface that the egress host is on and I see this from the tunnel -
that generated this in wireguard
j
do " ip route get 192.x" where 192.x is the destination machine past the egress
and confirm that this is the interface you set when creating the egress
a
oh so I have to set it to the VLAN id of eth0
eth0.14
not just eth0 maybe
am I correct?
that's it, now I can ping it.
I didn't see a way to edit the egress to add that interface so I removed it.
and added it back and it works with eth0.14 set
so that was inside the netmaker docker container; when I leave it and try direct on the netmaker host it doesn't know where to go.
it tries to go to the gateway address of the netmaker host and doesn't follow the tunnel.
these are the routes on netmaker host
inside the docker container this is the route.
j
yes, the netmaker host will be unable to reach the address. On the netmaker server, we contain all the networking inside of the container, so that it does not screw with anything else running on the machine and it will "play nice" with other hosted applications
if the host needs to reach the egress, then a netclient needs to run on it
a
I'm confused how you use the ingress point to make it back to the egress point to access services allowed that are on the egress side.
j
ingress should still work even if it's not reachable from the host
a
trying to follow this model somewhat.
j
yes that should be correct, are ext clients still unable to reach egress?
a
I am trying to replicate what Cloudflare Zero Trust allows, which I also have tested on the netclient in the picture, and I can access Home Assistant, but it doesn't play well with TCP on the NVR because the NVR can't have a client installed on it.
correct.
j
ok, but netmaker can now reach the egress range?
a
so I needed a way to access TCP ports and thought netmaker would work.
yes
j
ok, one last thing, check to make sure the ext clients contain the egress range (in AllowedIPs in the config). You may need to delete / recreate them. Or the easiest thing might be to just delete/recreate the ingress gateway just to be sure
a
when you say ext clients where is that exactly?
j
those are the client configs you are generating from the UI, in the "ext clients" section
they are just wireguard config files which you run on your device without the netclient
that is the nodes pane; in the side bar you will see "ext clients"
yes, you need to generate clients to use with the ingress gateway
otherwise it does nothing
a
I generated a client with a key, that is what I put on the netclient side
at the egress gw is that the same thing?
j
I think I misinterpreted what you are trying to do
a
I don't want to put a client on the mobile phone
j
you want to reach a service over the public internet using Netmaker?
a
yes
j
even with the ingress gateway, you still require wireguard
for what you're trying to do, you need a reverse proxy
a
I want seamless integration with home services so I don't have to open ports.
j
Ok, sorry for not understanding, but the ingress gateway will not help here
a
wouldn't that be what HAProxy on the opnsense box in red at the top would do?
j
it sounds like this is what you are trying to do:

https://www.youtube.com/watch?v=CGw4Kc424VE

I would follow this tutorial; this is the best you'll be able to do with Netmaker for your scenario
a
I kind of followed that but I am using HAProxy on the opnsense box.
because it does tcp
j
gotcha, I think I understand the issue then
so HAProxy is on the same host as netmaker?
a
HAProxy is on the opnsense firewall.
but it's pointing to the host with netmaker because that is where I thought it would gain access back to the egress point.
j
so maybe what you want to do is put the ext client on your opnsense firewall then
and have HAProxy forward traffic over that interface
a
wonder how well that will play with opnsense.
one of the reasons I did it this way was I wanted to make it easier to control that only my IPs could hit the netmaker dashboard, because if someone finds a potential flaw in that code that is an access gw into things.
opnsense allows easy firewall rules to translate dynamic IP hosts for access to the netmaker dashboard.
j
a
Where would traefik go on the netmaker host itself?
j
traefik is already running if you installed netmaker using the installer script
a
I did
j
so you can just modify the labels inside of the docker compose
a
I am somewhat new to docker so forgive me.
j
no worries, it can be a lot to handle at once, but if you follow that guide, modify the labels inside docker-compose.yml, and then run "docker compose up -d", it should apply the changes
a
I see the IP whitelist option but does it know how to handle a hostname instead of an IP?
j
Oh! Sorry I had a brain fart, we use Caddy now instead of Traefik: https://stackoverflow.com/questions/66357765/caddy-v2-ip-whitelist. Should be even easier, just need to modify the Caddyfile.
a
btw, where is the docker-compose file at?
j
should be under /root/
a
so here is the Caddyfile as well
j
Yes. I think you want something like this for domains: https://caddy.community/t/implementing-cors-whitelist-in-caddy-v2/8590
a
ok when I whitelist who has access to the dashboard via Caddy then I should just remove opnsense and set up an HAProxy in its place?
that has the netclient on it
j
yeah
TBH you could probably go a step further and just use Caddy instead of HAProxy as well
a
ahh so just use Caddy on the netmaker box itself to tell it where to go for the apps I am trying to access.
so basically only need 1 VPS.
or are you saying use Caddy instead on the other VPS I would have been creating for HAProxy?
So high level this way?
or this way?
j
Yes the simple way
You should be able to do this. You should, I believe, even be able to forward the traffic from caddy to inside of Netmaker, so that it can reach the egress gateway
But if that doesn’t work you may need to run a netclient on the host
a
Ok thanks, I'll redo the design when I find some more motivation time; need to take a breather. Keep making progress little by little.
Learning some new stuff along the way.
Also would be good to have a netmaker plugin for opnsense for certain edge cases like this, and be able to create clients, hosts or whatever is needed. Sure there are scenarios where it needs to exist on the firewall. Would eliminate the need for hosts sitting behind the firewall.
j
Add to the chorus here 😝 been trying to push someone to build it: https://github.com/opnsense/plugins/issues/3094
a
I'm assuming that if I want to access things on port 443 in this simple setup that I will have to move the dashboard to a different port.
or wait, it will detect the URL used and forward correctly, never mind.
Is this correct placement in caddy?