gravitl / netmaker

Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.
https://netmaker.io

[Bug]: Local machines can't ping each other #1713

Open cg31 opened 2 years ago

cg31 commented 2 years ago

Contact Details

No response

What happened?

I installed v0.16.1 client on four Ubuntu 22.04 machines, two of them are remote, other two are local and behind the same router.

The local and remote machines can ping each other without problem. But the two local machines just can't ping each other.

As wg showconf shows:

Local 1 shows the peer for local 2:

[Peer]
PublicKey = XU+Jwrt****
AllowedIPs = 10.101.0.9/32
Endpoint = 192.168.50.138:23399
PersistentKeepalive = 20

Local 2 shows the peer for local 1:

[Peer]
PublicKey = MIHErlgst/94u***
AllowedIPs = 10.101.0.20/32
Endpoint = 192.168.50.201:24284
PersistentKeepalive = 20

Because the two local machines are behind the same router, they both have the same prefix and subnet for Endpoint. Is that the problem?

Version

v0.16.1

What OS are you using?

Linux

Relevant log output

No response

mattkasun commented 2 years ago

What is the output of ip route on the LAN machines?

cg31 commented 2 years ago

The log on one machine is:

root@ubuntu2:~# ip route
default via 192.168.50.1 dev wlp1s0 proto dhcp src 192.168.50.138 metric 600
10.20.0.0/24 dev nebula proto kernel scope link src 10.20.0.9 mtu 1300
10.101.0.0/16 dev netmaker1 scope link
10.101.0.5 dev netmaker1 scope link
10.101.0.7 dev netmaker1 scope link
10.101.0.8 dev netmaker1 scope link
10.101.0.20 dev netmaker1 scope link
10.101.255.254 dev netmaker1 scope link
10.144.0.0/16 dev zt3jnvzmgl proto kernel scope link src 10.144.181.61
137.184.15.170 via 192.168.50.1 dev wlp1s0
192.168.50.0/24 dev wlp1s0 proto kernel scope link src 192.168.50.138 metric 600
192.168.50.1 dev wlp1s0 proto dhcp scope link src 192.168.50.138 metric 600
203.126.0.111 via 192.168.50.1 dev wlp1s0
root@ubuntu2:~#

It is the same on the other local machine, except that 10.101.0.20 is replaced with 10.101.0.9; those are the IPs of the two local machines.

It is interesting that netmaker's IPs are all listed individually, while the other virtual networks only have 10.20.0.0/24 or 10.144.0.0/16.

mattkasun commented 2 years ago

The reason individual IPs are listed for netmaker nodes is to make ACLs easier.

On the machine with IP 192.168.50.138, what is the output of ip route get 192.168.50.201?

cg31 commented 2 years ago

It shows

root@ubuntu2:~# ip route get 192.168.50.201
192.168.50.201 dev wlp1s0 src 192.168.50.138 uid 0
    cache
root@ubuntu2:~#

mattkasun commented 2 years ago

Pings should happen then.

cg31 commented 2 years ago

ping just gets stuck after showing the first line: PING 10.101.0.20 (10.101.0.20) 56(84) bytes of data.

mattkasun commented 2 years ago

What does a traceroute show?

cg31 commented 2 years ago

traceroute can't find a route after 30 hops: 30 *

Konveksa commented 2 years ago

Experiencing the same problem. Two machines (both linux) are in the same local network (192.168.2.0/24) and one is set as an egress gateway. I believe the problem is due to netclient adding 192.168.2.0/24 dev nm-default scope link to the routing table.

miyu4u commented 2 years ago

localRange seems to be meant for this job, but it doesn't seem to work. I have a local client network range of 10.10.10.0/24 and a local server range of 10.10.30.0/24.

One of the external nodes has an egress configuration to access its local network as 10.10.0.0/16.

Due to this setting, AllowedIPs is specified as 10.10.0.0/16, and it is set to 10.10.0.0/16 via 10.10.30.254 dev eth0 in the ip route.

I temporarily solved this problem by manually modifying the ip route:

ip route del 10.10.0.0/16 dev nm-network
ip route add 10.10.0.0/16 via 10.10.30.254 dev eth0

Either my understanding of localRange and isLocal is lacking, or their functions are not working.

xulang commented 1 year ago

I have the same problem.

fly3rman commented 1 year ago

Hi, I've had a very similar problem and maybe this helps someone. Check your firewall rules and ports.

Scenario: vserver_1 and vserver_2 in the cloud with reachable IPv4, and homebox_1 and homebox_2 behind CGNAT at home. vserver_1 and vserver_2 could be pinged by homebox_1 and homebox_2 without problems. homebox_1 and homebox_2 could not reach each other. Turned out: I had firewall rules for UDP 51821-51830 but also the default setting "dynamic port" switched on in the netmaker web interface. WireGuard used some other ports than 51821-51830 on the local machines. After setting the port to static 51821 it worked without problems.
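The following script is an added example, not part of this thread and not netclient or Netmaker code. It mechanises the three checks the thread arrives at by hand: the ip route / wg showconf comparison mattkasun walked cg31 through (which interface a peer's Endpoint actually leaves by), Konveksa's observation that a route such as 192.168.2.0/24 dev nm-default captures traffic for LAN peers, miyu4u's manual replacement of an egress route on the tunnel interface, and fly3rman's mismatch between the firewall's allowed UDP range and WireGuard's dynamic listen port. The sample wg showconf and ip route text is constructed (the tunnel interface name nm-default, the addresses, ports and key strings are all made up); route selection is a simplified longest-prefix then lowest-metric model that ignores policy routing rules and fwmarks, so on a real host ip route get remains the authority. The point it demonstrates is that a LAN prefix on the tunnel interface with a lower (default) metric wins the tie against the kernel route on the physical NIC, so the encrypted UDP packet for a LAN peer is handed back to WireGuard rather than to the NIC, which is consistent with a ping that prints its first line and then hangs.

```python
"""Route and port checks for a WireGuard host (added example, not netclient code).
Flags peers whose Endpoint would be routed into a tunnel interface (the encrypted UDP
packet is handed back to WireGuard instead of the NIC) and a ListenPort outside the UDP
range the firewall allows. Routing is simplified: longest prefix, then lowest metric;
policy rules and fwmarks are ignored, so `ip route get` remains the authority."""
import ipaddress
import re

# "<dst|default> [via X] dev <dev> ... [metric N]", as printed by iproute2
ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?:\s+via\s+\S+)?\s+dev\s+(?P<dev>\S+)"
    r"(?:.*\bmetric\s+(?P<metric>\d+))?"
)

def parse_ip_route(text):
    """Return [(network, dev, metric)] for each parseable `ip route` line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        net = (ipaddress.ip_network("0.0.0.0/0") if dst == "default"
               else ipaddress.ip_network(dst, strict=False))
        routes.append((net, m.group("dev"), int(m.group("metric") or 0)))
    return routes

def parse_wg_showconf(text):
    """Return (listen_port, peers); each peer is a dict with pubkey and endpoint."""
    listen_port, peers, section, cur = None, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):                    # [Interface] or [Peer] header
            section, cur = line, {}
            if line == "[Peer]":
                peers.append(cur)
            continue
        if "=" not in line:
            continue
        key, val = (s.strip() for s in line.split("=", 1))  # base64 keys keep '=' padding
        if section == "[Interface]" and key == "ListenPort":
            listen_port = int(val)
        elif section == "[Peer]" and key == "PublicKey":
            cur["pubkey"] = val
        elif section == "[Peer]" and key == "Endpoint":
            host, _, port = val.rpartition(":")    # rpartition keeps "[v6]:port" intact
            cur["endpoint"] = (ipaddress.ip_address(host.strip("[]")), int(port))
    return listen_port, peers

def lookup(routes, ip):
    """Longest-prefix match, lowest metric on a tie; returns the egress dev or None."""
    best = None
    for net, dev, metric in routes:
        if ip in net and (best is None or (net.prefixlen, -metric) > best[0]):
            best = ((net.prefixlen, -metric), dev)
    return best[1] if best else None

def check_peers(wg_text, route_text, tunnel_ifaces):
    """Peers whose Endpoint egresses via a tunnel interface: [(pubkey, endpoint, dev)]."""
    routes = parse_ip_route(route_text)
    looped = []
    for peer in parse_wg_showconf(wg_text)[1]:
        if "endpoint" in peer:
            ip = peer["endpoint"][0]
            dev = lookup(routes, ip)
            if dev in tunnel_ifaces:
                looped.append((peer["pubkey"], str(ip), dev))
    return looped

def check_listen_port(wg_text, allowed_udp):
    """True if ListenPort lies inside the (lo, hi) UDP range the firewall opens."""
    port, _ = parse_wg_showconf(wg_text)
    return port is not None and allowed_udp[0] <= port <= allowed_udp[1]

# Constructed data modelled on the thread: tunnel interface (assumed name nm-default)
# also carries a route for the LAN 192.168.2.0/24; one LAN peer and one remote peer.
ROUTES = """\
default via 192.168.2.1 dev eth0 proto dhcp src 192.168.2.10 metric 100
10.101.0.0/16 dev nm-default scope link
192.168.2.0/24 dev nm-default scope link
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.10 metric 100
"""
ROUTES_FIXED = ROUTES.replace("192.168.2.0/24 dev nm-default scope link\n", "")
WG = """\
[Interface]
ListenPort = 51822
[Peer]
PublicKey = peerA-on-the-lan-constructed=
AllowedIPs = 10.101.0.9/32
Endpoint = 192.168.2.20:51821
[Peer]
PublicKey = peerB-remote-constructed=
AllowedIPs = 10.101.0.5/32
Endpoint = 203.0.113.7:51821
"""

if __name__ == "__main__":
    print("endpoints routed into the tunnel:", check_peers(WG, ROUTES, {"nm-default"}))
    print("after dropping the LAN route from nm-default:", check_peers(WG, ROUTES_FIXED, {"nm-default"}))
    print("ListenPort inside 51821-51830:", check_listen_port(WG, (51821, 51830)))
```

On a live host, feed the output of `wg showconf <iface>` and `ip route` into check_peers and check_listen_port instead of the constructed strings, and pass the set of tunnel interface names present on the box (netmaker1, nm-default, nm-network in this thread). Any peer the first check reports is one whose handshake packets never reach the physical NIC; the fix is the one miyu4u applied, moving the conflicting prefix off the tunnel interface (or narrowing the egress range so it no longer covers the LAN). The second check only makes sense together with a static listen port, because with dynamic ports the value changes across restarts.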