
[Bug]: Egress external route range that matches host ip is not added to allowed ips

Open alcroito opened this issue 2 years ago • 11 comments

Contact Details

No response

What happened?

Running 0.20.6 server and a few clients on linux hosts.

Host A is running as an egress node, with the range 10.9.78.0/24 added. Its local IP: 10.9.78.3/24. Its netmaker IP: 10.10.12.4/24.

If I try to ping 10.10.12.4 from host B, it works. If I try to ping 10.9.78.3 from host B, I get:

PING 10.9.78.3 (10.9.78.3) 56(84) bytes of data.
From 10.10.12.6 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available

Running sudo wg show on host B shows that 10.9.78.0/24 is not in the 'allowed ips' section. Other egress IP ranges are there. It seems that 10.9.78.0/24 is not added because it's the local subnet of host A.

This used to work with version 0.18-0.19-ish.

Version

v0.20.6

What OS are you using?

Linux

Relevant log output

No response

Contributing guidelines

  • [X] Yes, I did.

alcroito avatar Aug 23 '23 09:08 alcroito

What are the local addresses on host B?

mattkasun avatar Aug 23 '23 11:08 mattkasun

host B has netmaker IP 10.10.12.6 and has a public ipv4 (VPS server) in 159.69.0.0/16 range. No private IP. No NAT involved. I get the same symptoms from other hosts as well, both behind and outside NAT.

alcroito avatar Aug 23 '23 14:08 alcroito

Can you post the output of wg show from both nodes?

mattkasun avatar Aug 23 '23 14:08 mattkasun

host A

interface: netmaker
  public key: fIGLiXHHfLm8mH483rW6f0Ob2wt3H8BFvd8mbUEgqEM=
  private key: (hidden)
  listening port: 51831

peer: RQ6Wm3G2yO6WTTJ+QDgJ2Jg5tHkoNYzVNnjxyTQgnis=
  endpoint: 82.196.x.y:51869
  allowed ips: 10.10.12.1/32, 10.10.12.254/32, 10.10.12.251/32, 10.10.12.252/32, 10.10.12.250/32, 10.10.12.253/32
  latest handshake: 4 seconds ago
  transfer: 250.11 KiB received, 1.98 MiB sent
  persistent keepalive: every 20 seconds

peer: xmkI4GO5NZU08mv7y/7b447WbdQy7Gn37kZCvKEOGCY= # <------ host B
  endpoint: 127.0.0.1:40430
  allowed ips: 10.10.12.6/32
  latest handshake: 1 minute, 32 seconds ago
  transfer: 153.54 KiB received, 88.84 KiB sent
  persistent keepalive: every 20 seconds

host B

interface: netmaker
  public key: xmkI4GO5NZU08mv7y/7b447WbdQy7Gn37kZCvKEOGCY=
  private key: (hidden)
  listening port: 51822

peer: fIGLiXHHfLm8mH483rW6f0Ob2wt3H8BFvd8mbUEgqEM= # <---- host A
  endpoint: 127.0.0.1:18956
  allowed ips: 10.10.12.4/32, 10.225.0.0/16, 10.9.79.0/24, 10.9.77.0/24
  latest handshake: 38 seconds ago
  transfer: 90.20 KiB received, 156.40 KiB sent
  persistent keepalive: every 20 seconds

peer: RQ6Wm3G2yO6WTTJ+QDgJ2Jg5tHkoNYzVNnjxyTQgnis=
  endpoint: 82.196.x.y:51869
  allowed ips: 10.10.12.1/32, 10.10.12.253/32, 10.10.12.254/32, 10.10.12.251/32, 10.10.12.252/32, 10.10.12.250/32
  latest handshake: 1 minute, 21 seconds ago
  transfer: 63.33 KiB received, 181.85 KiB sent
  persistent keepalive: every 20 seconds

alcroito avatar Aug 23 '23 14:08 alcroito
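Added example (not code from the thread or from the netmaker project): a small Go checker that parses the host B wg show output posted above, compares host A's allowed ips against the egress ranges that are supposed to be present, and flags any missing range that contains the egress node's own local address, which is exactly the case the reporter describes. The list of expected ranges (the three ranges visible in the output plus 10.9.78.0/24) and host A's local IP 10.9.78.3 are assumptions taken from the thread, not read from the server.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// hostBWgShow is host B's wg show output as posted in this thread
// (interface header and the two peer blocks, handshake lines trimmed).
const hostBWgShow = `interface: netmaker
  public key: xmkI4GO5NZU08mv7y/7b447WbdQy7Gn37kZCvKEOGCY=
  private key: (hidden)
  listening port: 51822

peer: fIGLiXHHfLm8mH483rW6f0Ob2wt3H8BFvd8mbUEgqEM= # <---- host A
  endpoint: 127.0.0.1:18956
  allowed ips: 10.10.12.4/32, 10.225.0.0/16, 10.9.79.0/24, 10.9.77.0/24
  latest handshake: 38 seconds ago

peer: RQ6Wm3G2yO6WTTJ+QDgJ2Jg5tHkoNYzVNnjxyTQgnis=
  endpoint: 82.196.x.y:51869
  allowed ips: 10.10.12.1/32, 10.10.12.253/32, 10.10.12.254/32, 10.10.12.251/32, 10.10.12.252/32, 10.10.12.250/32
  latest handshake: 1 minute, 21 seconds ago
`

// hostAKey is host A's public key from the thread. expectedEgress is an assumed
// list: the three ranges visible above plus the 10.9.78.0/24 range the reporter
// configured but cannot find in the allowed ips.
const hostAKey = "fIGLiXHHfLm8mH483rW6f0Ob2wt3H8BFvd8mbUEgqEM="

var expectedEgress = []string{"10.225.0.0/16", "10.9.79.0/24", "10.9.77.0/24", "10.9.78.0/24"}

// parseAllowedIPs maps each peer public key to the prefixes on its "allowed ips" line.
// Trailing annotations on the peer line (like "# <---- host A") are ignored, and the
// "(none)" placeholder wg prints for an empty list yields an empty slice.
func parseAllowedIPs(wgShow string) (map[string][]netip.Prefix, error) {
	peers := make(map[string][]netip.Prefix)
	current := ""
	for _, raw := range strings.Split(wgShow, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "peer: "):
			current = strings.Fields(strings.TrimPrefix(line, "peer: "))[0]
			peers[current] = []netip.Prefix{}
		case strings.HasPrefix(line, "allowed ips: ") && current != "":
			for _, p := range strings.Split(strings.TrimPrefix(line, "allowed ips: "), ",") {
				p = strings.TrimSpace(p)
				if p == "" || p == "(none)" {
					continue
				}
				pfx, err := netip.ParsePrefix(p)
				if err != nil {
					return nil, fmt.Errorf("peer %s: %w", current, err)
				}
				peers[current] = append(peers[current], pfx)
			}
		}
	}
	return peers, nil
}

// Finding is one expected egress range that the peer's allowed ips do not cover.
type Finding struct {
	Range         string
	ContainsLocal bool // the range covers the egress node's own local address
}

// diagnose reports expected ranges not covered by the peer's allowed ips. A range is
// covered when some allowed prefix is at least as wide as it and contains its network
// address; a missing range is also checked against the egress node's local IP.
func diagnose(wgShow, peerKey string, expected []string, egressLocalIP string) ([]Finding, error) {
	peers, err := parseAllowedIPs(wgShow)
	if err != nil {
		return nil, err
	}
	allowed, ok := peers[peerKey]
	if !ok {
		return nil, fmt.Errorf("peer %s not present in wg show output", peerKey)
	}
	local, err := netip.ParseAddr(egressLocalIP)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, want := range expected {
		rng, err := netip.ParsePrefix(want)
		if err != nil {
			return nil, err
		}
		rng = rng.Masked()
		covered := false
		for _, have := range allowed {
			if have.Bits() <= rng.Bits() && have.Contains(rng.Addr()) {
				covered = true
				break
			}
		}
		if !covered {
			findings = append(findings, Finding{Range: rng.String(), ContainsLocal: rng.Contains(local)})
		}
	}
	return findings, nil
}

func main() {
	findings, err := diagnose(hostBWgShow, hostAKey, expectedEgress, "10.9.78.3")
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		note := ""
		if f.ContainsLocal {
			note = " (contains the egress node's own local IP)"
		}
		fmt.Printf("missing from allowed ips: %s%s\n", f.Range, note)
	}
}
```

Run it against a live node by replacing the constant with the output of sudo wg show; a range that is reported missing cannot be routed through the tunnel regardless of what the server UI shows, which is the quickest way to tell a server-side egress bug from a local routing problem.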

On host B: what is the output of ip route get 10.9.78.3?

mattkasun avatar Aug 23 '23 14:08 mattkasun

$ ip route get 10.9.78.3
10.9.78.3 dev netmaker src 10.10.12.6 uid 1000
    cache

alcroito avatar Aug 23 '23 14:08 alcroito

Facing a similar situation in a clean v0.20.6 server. We use Netmaker to establish an internal network in order to reach an SSH jumper (a simple cloud VM) that bridges connections to other internal machines in the subnet. Up to v0.16.x, after setting the proper allowed IP/range in the egress node (as we just expect the required connections to flow through the VPN, not all traffic), this worked fine. From v0.20.6, the equivalent setup makes the SSH jumper unreachable through the private IP, even though it works using the peer IP from the Netmaker virtual network. Netclient does report the private ("physical") IP as allowed, but it's unreachable, and tracing the routing towards it suggests that it's not going through the Netmaker interface.

ricardofago avatar Sep 11 '23 17:09 ricardofago

@ricardofago @alcroito can you guys upgrade to v0.21.0? It's the latest release, and a fix around egress NAT rules has been pushed into the release.

abhishek9686 avatar Sep 12 '23 05:09 abhishek9686

I have already updated everything to 0.21. The issue persists, with the exact same details I've described in my original comment. I even tried deleting and re-adding the egress range. It still does not appear in the 'allowed ips' section of wg show.

PING 10.9.78.3 (10.9.78.3) 56(84) bytes of data.
From 10.10.12.6 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available

alcroito avatar Sep 12 '23 06:09 alcroito

Did you try running a pull?

abhishek9686 avatar Sep 12 '23 06:09 abhishek9686

Yes, I did. It did not help. The range is still not in the allowed ip list.

alcroito avatar Sep 12 '23 06:09 alcroito