gravitl / netmaker

Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.
https://netmaker.io

Allowed IPs are not published from a node which is accessible via a relay node #498

Closed chefkoch-de42 closed 2 years ago

chefkoch-de42 commented 2 years ago
Node1: missing allowed IPs for the egress gateway range of Node2
netmaker server: relay for Node1

Node2: egress gw for 192.168.99.0/24

In this network I have 3 more nodes and one external

I could manage this manually by adding allowed ips = 192.168.99.0/23 to the netmaker server, so Node1 is getting the allowed IPs range, and then I need to add the ip route add 192.168.99.0/24 via

Is this kind of setup too special for netmaker, or do I need to work with multiple networks?

chefkoch-de42 commented 2 years ago

Any news?

afeiszli commented 2 years ago

Hi, nodes will ignore egress gateway IP ranges if they overlap with a local network range. Does 192.168.99.0/24 overlap with a local network range?

chefkoch-de42 commented 2 years ago

192.168.99.0/24 is the internal network of the node2

afeiszli commented 2 years ago

is it also an internal network of node 1?

chefkoch-de42 commented 2 years ago

no. node1: 192.168.55.10 on eth0; node2: 192.168.99.10 on eth0, and other hosts in that network

Node2 is configured as egress gw for 192.168.99.0/24 to be able to reach other hosts in that network from vpn members.

The needed allowed IPs setting is configured on any directly connected host. But node1 cannot reach node2 directly due to fw blocks, so I configured the netmaker server as relay for node1. The problem is that node1 does not get the allowed IPs "192.168.99.0/24" to be sent via the wg connection to the relay server.

I do not know if this is done in the background, but for my understanding, netmaker needs to collect all allowed IPs from nodes which are not relayed over that relay and needs to push them to the relayed hosts.
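The computation described in this comment (and the overlap rule the maintainer mentions earlier in the thread), as an added illustration that is not part of the issue and not Netmaker's own code: for a node that reaches the mesh only through a relay, the AllowedIPs on its single WireGuard peer (the relay) must cover every other node's mesh address plus every egress gateway range, minus any egress range that overlaps the relayed node's own LAN. The `Node` struct, the `RelayedBy` field and the 10.10.10.0/24 mesh addresses are constructed assumptions; the 192.168.55.0/24 and 192.168.99.0/24 ranges are the ones from the thread.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
	"strings"
)

// Node is a simplified, hypothetical view of a mesh node (not Netmaker's own type).
type Node struct {
	Name         string
	Address      netip.Prefix   // mesh (WireGuard) address, a /32
	EgressRanges []netip.Prefix // LAN ranges this node is egress gateway for
	LocalRanges  []netip.Prefix // this node's own LAN ranges
	RelayedBy    string         // name of the relay node, "" when directly reachable
}

func mustPrefix(s string) netip.Prefix { return netip.MustParsePrefix(s) }

// SampleNetwork reconstructs the topology from the issue with constructed mesh
// addresses: the server relays node1, node2 is egress gateway for 192.168.99.0/24.
// node4 is an extra, constructed node whose egress range collides with node1's LAN,
// to show the overlap rule.
func SampleNetwork() []Node {
	return []Node{
		{Name: "server", Address: mustPrefix("10.10.10.1/32")},
		{Name: "node1", Address: mustPrefix("10.10.10.2/32"),
			LocalRanges: []netip.Prefix{mustPrefix("192.168.55.0/24")}, RelayedBy: "server"},
		{Name: "node2", Address: mustPrefix("10.10.10.3/32"),
			EgressRanges: []netip.Prefix{mustPrefix("192.168.99.0/24")},
			LocalRanges:  []netip.Prefix{mustPrefix("192.168.99.0/24")}},
		{Name: "node3", Address: mustPrefix("10.10.10.4/32")},
		{Name: "node4", Address: mustPrefix("10.10.10.5/32"),
			EgressRanges: []netip.Prefix{mustPrefix("192.168.55.0/24")}},
	}
}

// RelayAllowedIPs returns the AllowedIPs a relayed node should put on its relay
// peer: every other node's mesh address and every egress range in the network,
// skipping egress ranges that overlap the relayed node's own LAN (a route for
// those would shadow the node's local network). Returns nil for a node that is
// not relayed, since such a node peers with every other node directly.
func RelayAllowedIPs(self Node, all []Node) []netip.Prefix {
	if self.RelayedBy == "" {
		return nil
	}
	var out []netip.Prefix
	seen := map[string]bool{}
	add := func(p netip.Prefix) {
		p = p.Masked() // normalise e.g. 192.168.99.10/24 -> 192.168.99.0/24
		if !seen[p.String()] {
			seen[p.String()] = true
			out = append(out, p)
		}
	}
	for _, n := range all {
		if n.Name == self.Name {
			continue
		}
		add(n.Address)
		for _, r := range n.EgressRanges {
			if overlapsAny(r, self.LocalRanges) {
				continue
			}
			add(r)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].String() < out[j].String() })
	return out
}

func overlapsAny(p netip.Prefix, ranges []netip.Prefix) bool {
	for _, r := range ranges {
		if p.Overlaps(r) {
			return true
		}
	}
	return false
}

// AllowedIPsLine renders the list as the wg(8) peer setting.
func AllowedIPsLine(ps []netip.Prefix) string {
	parts := make([]string, 0, len(ps))
	for _, p := range ps {
		parts = append(parts, p.String())
	}
	return "AllowedIPs = " + strings.Join(parts, ", ")
}

func main() {
	nodes := SampleNetwork()
	for _, n := range nodes {
		if n.RelayedBy == "" {
			continue
		}
		fmt.Printf("# %s, [Peer] %s\n%s\n", n.Name, n.RelayedBy, AllowedIPsLine(RelayAllowedIPs(n, nodes)))
	}
}
```

For node1 this yields the relay's address, node2, node3 and node4's mesh addresses and 192.168.99.0/24; node4's 192.168.55.0/24 egress range is dropped because it overlaps node1's own LAN. The relay itself must, in turn, carry the same ranges in its own peer entries and have forwarding enabled, or traffic reaches the relay and stops there.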

afeiszli commented 2 years ago

Ahhh ok, I think this is related to #517. We don't populate egress gateway ranges from behind relay right now. We will need to add that in the next release.

chefkoch-de42 commented 2 years ago

For the moment the workaround is: set allowed IPs on the relay server with (netmask -1) for the networks behind nodes, and set the routing via a postup/postdown script.

chefkoch-de42 commented 2 years ago

@afeiszli I checked the changelog of 0.9.2 for this but I was not able to find it. (Maybe too dumb to do so 😇) Am I correct?

afeiszli commented 2 years ago

This has not been added yet. 0.9.2 was for bug fixes so no new features were added.

afeiszli commented 2 years ago

This should be in place as of 0.9.4. Please let us know if you still experience the issue.