New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
In the example config.yml it mentions defining subnets in a node's certificate - how is this done? #142
Comments
With nebula-cert when you create the cert for that node, i.e.:
|
Comment,
|
What are your subnets that you are trying to add to unsafe_routes? |
yes I have the subnets added to unsafe_routes. but his question was
which differs from your example by leaving the last octet "0" instead of "1" |
@lightngn |
Follow-up question. Given this
Do the groups for the certificate on that node also get propogated to the protected subnet, e.g.: firewall:
inbound:
- port: 22
protocol: tcp
groups: backup_hosts # Effective 192.0.2.15 + 203.0.113.0/24 OR do we need to specify it by IP, like this: firewall:
inbound:
- port: 22
protocol: tcp
cidr: 203.0.113.0/24 |
The rules directly affect the 'unsafe_route' subnet(s) as well. Ie, if you allow port 22 inbound to 192.0.2.15, you are allowing port 22 to everything behind it at 203.0.113.0/24 as well. Because we don't want to be in the business of running as a general purpose firewall, I'd recommend folks use iptables or similar if they want to further restrict things over unsafe_routes. |
Do we need to treat the nebula host as a router, and add static routes towards the Nebula IP pool, or does it hide-NAT behind the IP of the nebula host? Also, if we must route to the nebula pool, does this mean that the unsafe hosts can directly address the nebula node? e.g.: Given a Nebula "Client" (192.0.2.10), a Nebula "Router" (192.0.2.15 / 198.51.100.15) and an Unsafe "Server" 203.0.113.10, does the Server see traffic from 192.0.2.10 or 198.51.100.15? Can the Server initiate traffic to the client? I would assume it's likely to be the case that we'll have to route to the Nebula addresses (which is fine), but just wanted to check... |
In the case of unsafe_routes, the server will see the traffic from its real origin, in this case 192.0.2.10. This also works in reverse as long as the unsafe_route configuration exists on all nodes participating. I.e. if you have a cert on the nebula router "192.168.0.15" with the subnet defined, but you don't set an unsafe_route in 192.168.0.10's configuration, the routes won't be set up and the traffic will fail. |
Two quick question as it is not quite clear from the example config. Do unsafe routes only need to exist on the "via" nodes cert and the client nodes you want to consume the route? Secondarily, should the route be injected into the client nodes routing table once the tunnel comes up? IE: Client Node1 "via" Node1 (172.34.10.1) "via" Node2 (172.34.10.4) I ask as with this config I see no modification to any routeing table and when adding route manually no route specific traffic passed. |
Do I need to do anything else on the "via" nebula node? Now after added the subnet to its cert, I can ping its IP in that subnet but unable to reach other hosts in that subnet. |
They only need to exist on the "via" node's cert. There is a guide on setting up unsafe_routes here: https://nebula.defined.net/docs/guides/unsafe_routes/#prerequisites Please feel free to re-open / ping if you have further questions. |
I read a line in the example config.yml file that says:
How is this done?
The text was updated successfully, but these errors were encountered: