
Firewall blocks requests between networks #323

Open
jonasasx opened this issue Apr 3, 2023 · 4 comments

Comments


jonasasx commented Apr 3, 2023

Netmaker and Netclient are v0.18.5.

I have a netmaker network 10.1.0.0/24 and two nodes: 10.1.0.1/24 (test1) and 10.1.0.2/24 (test2).
Both of the nodes are egress gateways with networks:

  • 10.1.0.1/24 (test1) is egress gw for 10.1.5.0/24 network
  • 10.1.0.2/24 (test2) is egress gw for 10.1.6.0/24 network

Netclient sets iptables rules for 10.1.0.1/24 (test1):

-A FORWARD -d 10.1.5.0/24 -i netmaker -m comment --comment NETMAKER -j netmakerfilter
-A netmakerfilter -s 10.1.0.2/32 -d 10.1.5.0/24 -j ACCEPT
-A netmakerfilter -j DROP
-A netmakerfilter -j RETURN

These rules reject all packets from the 10.1.6.0/24 network. For example, a packet from 10.1.6.10 to 10.1.5.10 is forbidden.

  1. How can I allow such packets between networks?
  2. How can I disable netclient firewall?
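As an added illustration (not code from the issue or from netclient) of why the chain above drops traffic from 10.1.6.0/24, the following script walks the quoted netmakerfilter rules with iptables' first-match semantics against constructed packets, and also shows what the chain permits once the unconditional DROP is deleted versus when a narrower ACCEPT is inserted ahead of it. The rule strings are constructed from the issue, the evaluator only looks at -s/-d, and nothing touches the live kernel tables.

```shell
#!/bin/sh
# Added illustration (not netclient code): first-match walk over the
# netmakerfilter chain quoted in the issue, using constructed rule text.
NETMAKERFILTER='-A netmakerfilter -s 10.1.0.2/32 -d 10.1.5.0/24 -j ACCEPT
-A netmakerfilter -j DROP
-A netmakerfilter -j RETURN'

# ip2int A.B.C.D -> address as a 32-bit integer
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_match IP NET/BITS -> success when IP lies inside the prefix
cidr_match() {
  case $2 in */*) ;; *) set -- "$1" "$2/32" ;; esac
  mask=$(( (4294967295 << (32 - ${2#*/})) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}
# verdict RULES SRC DST -> target of the first rule the packet matches
# (only -s/-d are evaluated; -i/-m matches in the chain are ignored)
verdict() {
  src=$2; dst=$3
  printf '%s\n' "$1" | while read -r line; do
    s=0.0.0.0/0; d=0.0.0.0/0; target=
    set -- $line
    while [ $# -gt 0 ]; do
      case $1 in
        -s) s=$2; shift ;;
        -d) d=$2; shift ;;
        -j) target=$2; shift ;;
      esac
      shift
    done
    if cidr_match "$src" "$s" && cidr_match "$dst" "$d"; then
      echo "$target"; exit 0
    fi
  done
}

# The workaround from the comments (DROP deleted): everything falls through
# to RETURN, so the chain no longer filters forwarded traffic at all.
NO_DROP='-A netmakerfilter -s 10.1.0.2/32 -d 10.1.5.0/24 -j ACCEPT
-A netmakerfilter -j RETURN'
# Narrower alternative: accept just the peer egress range ahead of the DROP.
PEER_ACCEPT="-A netmakerfilter -s 10.1.6.0/24 -d 10.1.5.0/24 -j ACCEPT
$NETMAKERFILTER"
for r in "$NETMAKERFILTER" "$NO_DROP" "$PEER_ACCEPT"; do
  echo "10.1.6.10 -> 10.1.5.10: $(verdict "$r" 10.1.6.10 10.1.5.10)"
done
```

The RETURN verdict for the DROP-less chain means the decision is handed back to FORWARD's remaining rules and policy, which is why deleting the rule "fixes" reachability by removing the filter rather than by scoping it.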

pernetz commented Apr 14, 2023

Exact same issue here since upgrading to v0.18.5. I have 4 egress nodes, with none of them routing/NATing between endpoint networks. However, ping inside the netmaker network is working fine. Static routes on routers are set.

[OK] Ping from netmaker server to any netclient
[OK] Ping from netclient A to netclient B/C/D
[OK] Ping from netclient A to egress IP of netclient B/C/D
[OK] Ping from netclient A to local router on site B/C/D
[OK] Ping from netclient A to any LAN device on site B/C/D
[FAIL] Ping from any device on LAN A fails to reach netclient egress IP of remote site B/C/D or any device on LAN B/C/D
-- same effect vice versa --

Checked with traceroute and wireshark.
Problem description: Ping request reaches remote point but reply gets blocked.
Temporary solution: Flushing iptables rules/chains via sudo iptables -F makes endpoints reachable.

Netmaker + Netclient on v0.18.6


vxdzero commented Apr 25, 2023

Same issue here; removing only the DROP rule solved it for me:

iptables -D netmakerfilter -j DROP

Is there any way to edit the firewall rules for nodes on netmaker?

I posted a similar question in the netmaker git here.


pernetz commented Apr 28, 2023

I am wondering why this iptables DROP rule is added automatically while NAT for egress traffic is enabled. Actually it is blocking site-to-site communication.
Hopefully the Netmaker team will keep an eye on it soon.


jalbstmeijer commented May 10, 2023

Having similar issues with 0.19 and docker.

[docker host1] -> [docker netclient1] -> [docker netclient2] -> [docker host2] -> [lan]

The docker host2 has egress to the lan configured with NAT.

In my case I was able to ping the host lan ip of the docker host2 running the netclient2 docker container.
I also was able to connect to services on the host lan ip of the docker host2.
But I could NOT connect to docker services/ports exposed to the host lan ip of the docker host2.
After running this command on docker host2, I was able to connect to docker ports exposed to the host lan ip of the docker host2.

iptables -D netmakerfilter -j DROP

After that I was still not able to ping or connect to services on the egress LAN.

Docker sets

-P FORWARD DROP

After following the suggestion at https://docs.docker.com/network/iptables/#docker-on-a-router, running this command on docker host2 made that work too.

iptables -I DOCKER-USER -j ACCEPT

Not saying this is a solution. But for some reason the general Docker forward deny rule seems to bite the netclient forwarding needs.

PS: the netclient docker image is using legacy iptables. If your host uses the newer nf-based iptables, you will need to use the following to do the above:

iptables-legacy
