[Bug]: Egress gateway issues within the same IP range

[MatthewReed303]

Contact Details

No response

What happened?

I have separate netmaker networks on complete different IP ranges 10.10.1.0/24 and 10.10.2.0/24. On both of these networks are egress clients who share the same remote IP range, 192.168.10.0/24. The netmaker servers are named differently to prevent conflicts. But looks like I'm still getting conflicts. If I have both setup it works for a bit, but one of the WG interfaces goes down and won't restart. If I remove the other egress it will start fine and both run. Is there something I am setting up wrong or is this expected?

Version

v0.17.1

What OS are you using?

No response

Relevant log output

No response

Contributing guidelines

• Yes, I did.

[mattkasun]

are both of these networks on the same netmaker server? If so, you will have issues trying to create egress gateways that have the same or overlapping egress gateways ranges. There is no way to support this configurations as you cannot create two different routes to the same network range.

[MatthewReed303]

Hi @mattkasun, I have had this working using plain Wireguard. I had a new WG interface per network. For example 10.10.1.0/24 was wg-1 and 10.10.2.0/24 was wg-2 etc and on the egress node I used 1:1 NAT to map wg-1 172.16.1.0/24 --> 192.168.10.1/24 and wg-2 172.16.2.0/24 --> 192.168.10.1/24. Can something like this be setup up with Netmaker?

Basically what I have Is a bunch of remote sites which have PLCs/HMI on the network I need to access. All these sites have the same local IP range. These remote sites IPs can't be changed so got to make it work. When a client needs to connect to the site they just enable there Netclient for that site and have access.

How does Tailscale achieve this? I had a go with there setup a while back and was able to setup 3 remote networks all on the same IP and access them via Tailscale based on which one I was connected to at the time. Thanks!

[mattkasun]

yes, you can do it as long as you are only connected to one of the networks (with the same egress range) at the same time.

the only issue (pre v0.18.x versions of netmaker/netclient) is the node on the netmaker server as it is always connected to all networks. The multiple routes to the same ip range will affect this node but as long as you do not use this node as a gateway it should not affect other nodes.

[MatthewReed303]

@mattkasun the nodes with egress gateways need to stay connected all the time as the clients have no way to turn these nodes on and off. They can only switch on there connection I give them access to on there local PC via the netclient.

I see I would have thought being on different netmaker networks they would be completely isolated to only that network. In v0.18 has this all been changed? When will the official release of v0.18 be available? Thinking I may be best to wait for this version and then try to get this all working.

Another thought is it possible to run multiple docker containers of just the netmaker server for each network? Thanks

[mattkasun]

the nodes with the egress can stay connected all the time. The node that you use to connect to the egress range can only be on one network at at time.

egress1 on network1, egress2 on network2....
laptop that you use to access machines on the egress lan ... This node can only be on either network1 or network2 but not both at the same time ... easy to do with netclient connect/disconnect.

on laptop
netclient join network1
netclient disconnect network1
netclient join network2

laptop has access to egress range on network2 ... to switch to egress range on network1
netclient disconnect network2
netclient connect network1

the reason laptop cannot be connected to both networks at the same time is there is no way for it figure out if traffic to the egress range should go via network1 or network2.

a formal release of v0.18.X is expected this week

[MatthewReed303]

@mattkasun will give it another go. I understand same pc can't be connected to both. But the conflict happened in the server it self when no clients were connected. Only the egress gateways on the 2x networks. I would assume this is because of

node on the netmaker server as it is always connected to all networks

My guess is the routing on the Netmaker server was trying to route the server to both 192.168.10.0/24 networks?

For example my home lab network is on 192.168.10.0/24 and the other remote network on 192.168.10.0/24 and if I go into Netmaker server shell and ping live devices on these networks I can access devices on both networks from the netmaker shell... Now the issue is if any of these devices shared the same IP there would be an IP conflict.

So I take it in the v0.18 this is now different and the networks will be isolated? How is this being managed? Thanks

[mattkasun]

in version v0.18 there is no node on the server by default but you can install netclient or docker-netclient on the server... in either case, this node is just a normal node and has to join networks explicitly, it does not join networks automatically.

v0.18 also has the concept of default nodes.... once a node is set as a default node (and there can be multiple default nodes) the default node(s) will automatically be added to any new networks created.

to achieve the same behaviour as previous version of netmaker, one would designate the server node as a default node and it would then automatically join all new networks as they are created.

[mattkasun]

to clarify the problem with two network ranges that overlap..... forget about wireguard and netmaker... just look at it from with normal networking:

lets say you have two routers: one at 10.10.10.1 and one at 10.20.20.1 and both provide access to a lan 192.168.1.0/24

if I am on a machine that has access to both routers (ie. I have ip addresses 10.10.10.2 and 10.20.20.2 - doesn't matter if these are on the same nic or different nics)
I create a route the the first lan
ip route add 192.168.1.0/24 via 10.10.10.1 dev eth0
now I want to create a route to via the second router
ip route add 192.168.1.0/24 vi 10.20.20.1 dev eth0 ---- this will fail as the route (to 192.168.1.0/24) already exists.

with wireguard it is no diffferent except the interface is a wireguard interface instead of a nic

[MatthewReed303]

Thanks @mattkasun that makes sense when I look at it the way you have described. I was under the impression being different interfaces for example eth0 and eth1 it would work. If I was in network 10.10.10.1 I would be accessing devices via the eth0 interface and if I was then in network 10.20.20.1 I would access devices via the eth1 interface. Looks like I need to refresh up and get better at understanding networks and routing.

Now on v0.18 would I just create all my existing networks and each network has it's own default node? or no node at all? since I just want to connect to egress devices from a netclient?

I currently use the netmaker server as relay node also since my remote devices are on cellular networks and won't work without using relay. How will this work in v0.18 if there is no node on the server? Thanks