# netmaker
d
Hello everyone. May I ask a question here that is not clear to me from the doc? My Netmaker works, Egress into the local LAN also works wonderfully. But how can a client WITHOUT an agent in the local LAN communicate with a device in the Netmaker network? I tried to set a static route to the egress gateway on the client, but that doesn't seem to be enough.
Local-LAN 10.0.0.0/24
Netmaker 10.0.10.0/24
Egress-Node 10.0.0.100/10.0.10.1
Netmaker Server 10.0.10.254
Not working: Client-Local-LAN -> route add 10.0.10.0 mask 255.255.255.0 10.0.0.100
Ping Client-Local-LAN -> 10.0.10.254 fails
b
Every machine needs a WireGuard public/private key pair to communicate with other WireGuard peers. You could make the egress gateway both an ingress and egress gateway and use extclients. Can also be done with additional firewall rules on the egress gateway.
d
Is the ingress not only for external WireGuard clients?
I want to allow/route the whole lan network back to my netmaker network ...
i.e. via a static route on the router/gateway for the client-local lan
b
Then you need firewall rules on the egress to NAT the traffic from the LAN to the WireGuard network.
d
ah okay ... that was the missing piece of the puzzle. Incoming rule for the traffic. But it's not something that's integrated in the Netmaker UI or configuration.
So I haven't missed anything.
b
What firewall is on your egress?
iptables or nftables?
d
nftables / debian bullseye
b
What are the postup commands on the egress? If you enabled masquerade, it should just work.
Also, how did you set your static route?
d
in the postup field: Uneditable by default to disable RCE. Commands to run after the interface is created. If an ingress or egress gateway are created, this field will populate automatically with appropriate iptables commands.
For testing I add a static route to a Windows client that points to the egress client in the LAN (route add 10.0.10.0 mask 255.255.255.0 10.0.0.100)
but the goal should be that the gw of the local LAN (10.0.0.1) has a static route and sends all the traffic for 10.0.10.0/24 back to the Debian egress gateway
then this would be the perfect two-way communication between the devices at home and the devices outside and road warriors
b
You need a gw in your route add command.
d
On Windows it should work.
b
route add 10.0.10.0/24 via gw lan address of gateway
d
> route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2 Ziel^ ^Maske ^Gateway Metrik^ ^ Schnittstelle^
sorry, that was from a German Windows client
this is from the examples of route add on Windows 10
b
You need to use the LAN address of your gateway, not the WireGuard address.
d
When I add the static route and ping 10.0.10.254 (Netmaker server), only reachable behind the local Debian Netmaker host, I see the ICMP packets are incoming ...
route add 10.0.10.0 mask 255.255.255.0 10.0.0.100 was my command
client (10.0.0.30 --> to Debian egress 10.0.0.100/10.0.10.100)
b
But you don't have an existing route to 10.0.0.100.
What is the LAN IP of the Debian machine?
d
10.0.0.100
b
That is its WireGuard address.
d
no ... you mix it up
Local-LAN 10.0.0.0/24
Netmaker 10.0.10.0/24
Egress-Node 10.0.0.100/10.0.10.1
Netmaker Server 10.0.10.254
The egress node is the Debian one.
b
What is the CIDR for your WireGuard network?
d
both /24
local and WireGuard
b
Your egress has at least two IPs: 10.0.0.x and 10.0.10.x
d
correct
the one in the local LAN, and one in the Netmaker network
b
Your route command should look like (on Linux): route add 10.0.10.0/24 via gateway 10.0.0.100
d
correct, or on Windows: route add 10.0.10.0 mask 255.255.255.0 10.0.0.100
b
Should work unless you disabled masquerade on the egress.
d
okay ... you think it should know what to do with the packets that are incoming from the LAN side when they are not originally sourced from the Netmaker LAN ...
I will try it again with a static route on my firewall/router
b
That is why you need the masquerade.
d
I just didn't want to search any longer in case I had forgotten to configure something on the Netmaker side 😄
ok, I'll try it again and report back
thanks for your help up to this point 😄
oh man ... I added a single gateway (the LAN IP of the Debian egress node) on the OPNsense firewall, set the static route to it for the /24 Netmaker network AND added a firewall rule LAN to 10.0.10.0/24 ... and now it works ...
So as a rule of thumb you can say that an egress node can not only send traffic INTO the corresponding network but also receive traffic back FROM the local network.
f
Does anyone have experience with Netmaker and CG-NAT? I see it should work with relay nodes but it does not for me. I am not sure what I might be doing wrong.
Answering myself - I bogged port forwarding on my VPS. It looks like I don't even need a relay!