Net 1073 - [Docs] Required Firewall rules for netclient [and netmaker server] #314

Closed
wants to merge 17 commits into from
45 changes: 45 additions & 0 deletions advanced-client-install.rst
Expand Up @@ -188,6 +188,51 @@
For first time installations, you can run the Install Command. For additional networks, simply run ``netclient join -t <enrollment key>``.


Firewall Settings
======================

On Windows machines, it is possible to allow programs or applications through the firewall. Thus you might want to allow Netclient and, depending on your setup, WireGuard.

On Linux, these necessary ports are needed to be opened:

Check warning on line 196 in advanced-client-install.rst (GitHub Actions / docs): Explicit markup ends without a blank line; unexpected unindent.

- UDP and TCP ports 51821-51830
- TCP ports 80 and 443

Check warning on line 199 in advanced-client-install.rst (GitHub Actions / docs): Unexpected indentation.
- UDP and TCP port 53 for DNS

Check warning on line 201 in advanced-client-install.rst (GitHub Actions / docs): Error in "code-block" directive:
In some cases, depending on the nature of your network setup, these ports may need to be opened as well:

- UDP ports 19302 & 3478 for STUN
- TCP port 3479 for TURN
- TCP ports 1883 & 8883 for MQTT
- TCP ports 8083 & 8084 for EMQX Websocket
- TCP port 8081 for the NM API

If the public port is not in the range of 51821-51830, set a static one and allow that port

For advanced use cases, you might need to view your device's firewall logs, or in case of Netclients behind a NAT, your Firewall-Appliance/Router's firewall logs. Look for blocked traffic coming in and out having origin/destination IPs of your devices.

For example, in UFW you may do:

.. code-block::

#set firewall to log only the blocked traffic
ufw logging low

.. code-block::

#clear out the current logs
cat /dev/null | sudo tee /var/log/ufw.log
.. code-block::
​ #reload ufw
ufw reload

.. code-block::
#filter the logs
cat /var/log/ufw.log | grep -e <netmaker server IP> -e <other nodes' IPs>



Managing Netclient
=====================

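Review bot: the four ``.. code-block::`` directives at the end of this hunk are malformed RST, which is what the docs workflow annotations on this file are reporting: the third and fourth directives have no blank line between the directive line and its body (``.. code-block::`` is immediately followed by ``#reload ufw`` and by ``#filter the logs``), and the ``#reload ufw`` body line begins with a zero-width space instead of ordinary indentation. All four commands belong in one directive with a language tag, i.e. ``.. code-block:: bash``, a blank line, then the indented commands. Two smaller points in the same snippet: ``ufw logging low`` and ``ufw reload`` are run without ``sudo`` while the ``tee`` line uses it, so the snippet needs either a root shell throughout or ``sudo`` on every line; and ``cat /var/log/ufw.log | grep -e ...`` can simply be ``grep -e <netmaker server IP> -e <other nodes' IPs> /var/log/ufw.log``. Finally, this whole "Firewall Settings" section is a verbatim copy of the "Machines Running Netclient" subsection this PR adds to manual-install.rst; keeping a single copy and pointing at it with ``:doc:`` (already used in manual-install.rst) prevents the two from drifting apart.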
4 changes: 2 additions & 2 deletions install.rst
Expand Up @@ -15,14 +15,14 @@ Choose the install method that makes sense for you.
**IMPORTANT:** Notes on Installation
- Due to the high volume of installations, the auto-generated domain has been rate-limited by the certificate provider. For this reason, we **strongly recommend** using your own domain. Using the auto-generated domain may lead to a failed installation due to rate limiting.

**IMPORTANT:** From v0.22.0 the install script will install PRO version of netmaker with a 30-day free trial, for you to try out full capabilities of netmaker.
**IMPORTANT:** From v0.22.0 the install script will install PRO version of netmaker with a 14-day free trial, for you to try out full capabilities of netmaker.

After trial period ends:
=========================

a. if you wish to continue using PRO :-

i. check these steps to obtain pro license `<https://docs.netmaker.io/quick-start.html#extra-steps-for-pro>`_
i. check these steps to obtain pro license `<https://docs.netmaker.io/pro/pro-setup.html>`_
ii. Run `/root/nm-quick.sh -u`

b. if you wish to downgrade to community version
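Review bot: the trial length in the second IMPORTANT note changes from 30-day to 14-day with nothing in the hunk saying what the new figure is based on; since this page is the user-facing statement of what the install script provisions, confirm it against the script before merging. Style point on step ii: ``/root/nm-quick.sh -u`` is wrapped in single backticks, which RST treats as interpreted text (rendered as emphasis, not as a literal); use double backticks, as the ``netclient join -t <enrollment key>`` line in advanced-client-install.rst does. The updated pro-license link now points at pro/pro-setup.html, which matches the ``:doc:`` target used in the manual-install.rst hunk below.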
57 changes: 55 additions & 2 deletions manual-install.rst
Expand Up @@ -87,7 +87,10 @@ At this point you should have all the system dependencies you need.
3. Open Firewall
===============================

Make sure firewall settings are set for Netmaker both on the VM and with your cloud security groups (AWS, GCP, etc).
Netmaker Server
-----------------

Make sure firewall settings are set for Netmaker on the VM and with your cloud security groups (AWS, GCP, etc) or with your router (or firewall appliance).

Make sure the following ports are open both on the VM and in the cloud security groups:

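Review bot: the reworded sentence under the new "Netmaker Server" heading now covers a router or firewall appliance as well as cloud security groups, but the unchanged sentence right after it ("Make sure the following ports are open both on the VM and in the cloud security groups") still names only the VM and the cloud security groups, so a reader with a router in front of the VM gets no instruction for it; extend that sentence the same way, or state that the port list applies to whichever device sits in front of the VM. The ``-----`` underline introduces a second heading level under "3. Open Firewall", consistent with the "Machines Running Netclient" subsection added further down in this file.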
Expand All @@ -104,6 +107,9 @@ Make sure the following ports are open both on the VM and in the cloud security
sudo ufw allow proto tcp from any to any port 3479
sudo ufw allow proto tcp from any to any port 8089
sudo ufw allow 51821:51830/udp
sudo ufw allow proto tcp from any to any port 53
sudo ufw allow proto udp from any to any port 53



It is also important to make sure the server does not block forwarding traffic (it will do this by default on some providers). To ensure traffic will be forwarded:
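Review bot: the two new rules open 53/tcp and 53/udp from any source, which exposes the server's DNS listener to the whole internet rather than to Netmaker nodes only; the other rules in this block are equally broad, but an unrestricted DNS listener is the one that gets picked up and used for reflection and amplification traffic. If the server's DNS only needs to answer nodes, which reach it over the WireGuard tunnel, restrict the rule to that path, for example ``sudo ufw allow from <netmaker network CIDR> to any port 53`` (placeholder CIDR), and mirror the same restriction in the cloud-security-group list in the next hunk. Minor: ``sudo ufw allow 53`` covers both protocols in one line, in the same shorthand as ``51821:51830/udp`` above.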
Expand All @@ -119,6 +125,53 @@ It is also important to make sure the server does not block forwarding traffic (
- allow 3479/tcp from all
- allow 8089/tcp from all
- allow 51821-51830/udp from all
- allow 53/tcp from all
- allow 53/UDP form all


Machines Running Netclient
------------------------------

As we already know, Netclient manages WireGuard on client devices (nodes). As its name suggests, Netclient is a client in a mesh topology, thus it needs to communicate with the server and with the other clients as well. Netclient will detect local changes and send them to the server when necessary. A change in IP address or port will lead to a network update to keep everything in sync.
It goes without saying that in almost all cases it is imperative that firewall must be up and running on any device that is connected to a network, especially the internet. Firewalls are inherently restrictive for good reasons. And by default, it doesn't allow any traffic that Netclient would use to function properly.

On Windows machines, it is possible to allow programs or applications through the firewall. Thus you might want to allow Netclient and, depending on your setup, WireGuard.

On Linux, these necessary ports are needed to be opened:

- UDP and TCP ports 51821-51830
- TCP ports 80 and 443
- UDP and TCP port 53 for DNS

In some cases, depending on the nature of your network setup, these ports may need to be opened as well:

- UDP ports 19302 & 3478 for STUN
- TCP port 3479 for TURN
- TCP ports 1883 & 8883 for MQTT
- TCP ports 8083 & 8084 for EMQX Websocket
- TCP port 8081 for the NM API

If the public port is not in the range of 51821-51830, set a static one and allow that port

For advanced use cases, you might need to view your device's firewall logs, or in case of Netclients behind a NAT, your Firewall-Appliance/Router's firewall logs. Look for blocked traffic coming in and out having origin/destination IPs of your devices.

For example, in UFW you may do:

.. code-block::

#set firewall to log only the blocked traffic
ufw logging low

#clear out the current logs
cat /dev/null | sudo tee /var/log/ufw.log

#reload ufw
ufw reload

#filter the logs
cat /var/log/ufw.log | grep -e <netmaker server IP> -e <other nodes' IPs>



4. Prepare MQ
========================
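Review bot: the last new line of the cloud-security-group list reads ``allow 53/UDP form all``; ``form`` should be ``from``, and ``UDP`` should be lowercase to match ``53/tcp`` and ``51821-51830/udp`` on the neighbouring lines. In the new "Machines Running Netclient" text: "these necessary ports are needed to be opened" reads awkwardly (e.g. "the following ports need to be open"), the sentence "If the public port is not in the range of 51821-51830, set a static one and allow that port" is missing its full stop, and the paragraph beginning "It goes without saying" needs a blank line before it or RST renders it as part of the preceding paragraph. The UFW logging snippet is correctly a single ``.. code-block::`` here (unlike the four broken ones in advanced-client-install.rst), but it still lacks a language tag (``.. code-block:: bash``) and mixes ``ufw logging low`` / ``ufw reload`` without ``sudo`` with ``sudo tee`` on the truncate line. One documentation gap: the port list does not say whether each entry is an inbound or an outbound rule; the text above says Netclient initiates communication with the server, so stating the direction per port would let readers avoid opening inbound rules they do not need.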
Expand Down Expand Up @@ -247,7 +300,7 @@ Extra Steps for Pro
-----------------------------------------------------------------------------------------------------

1. Visit `<https://app.netmaker.io>`_ to create your account on the Netmaker SaaS platform.
2. Create a tenant of type ``self-hosted`` to obtain a license key. more details in :doc:`Netmaker Professional setup <./pro/pro-setup>`
2. Create a tenant of type ``On-Prem`` to obtain a license key. more details in :doc:`Netmaker Professional setup <./pro/pro-setup>`
3. Retrieve Tenant ID and license key from the tenant's settings tab.
4. Place the licence key and tenant ID in the netmaker.env file.
5. In the netmaker.env file, change the METRICS_EXPORTER and PROMETHEUS from off to on.
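Review bot: the rewritten step 2 keeps the lowercase fragment "more details in :doc:`Netmaker Professional setup <./pro/pro-setup>`" after the full stop; since the line is being changed anyway, make it a sentence ("See :doc:`...` for details."). The tenant type renamed to ``On-Prem`` should use exactly the wording shown on the pro-setup page being linked, which is also where the install.rst hunk in this PR now sends users. The unchanged context lines in this hunk spell the key both as "license key" and "licence key"; not part of this change, but worth unifying while the section is being edited.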