From f8933fc0a1654a14f487b6ae62d9ab198a8a3935 Mon Sep 17 00:00:00 2001 From: NEETweeb <dentadlp@gmail.com> Date: Thu, 18 Jul 2024 01:22:10 +0800 Subject: [PATCH] moved-netclient-firewall-settings-guide-to-netclient-page --- advanced-client-install.rst | 41 --------------------------------- netclient.rst | 46 +++++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 41 deletions(-) diff --git a/advanced-client-install.rst b/advanced-client-install.rst index c4e4edf9..f35311e6 100644 --- a/advanced-client-install.rst +++ b/advanced-client-install.rst 
@@ -188,47 +188,6 @@ An admin creates an enrollment key in the "Enrollment Keys" section of the UI. U For first time installations, you can run the Install Command. For additional networks, simply run ``netclient join -t <enrollment key>``. -Firewall Settings -====================== - -On Windows machines, it is possible to allow programs or applications through the firewall. Thus you might want to allow Netclient and, depending on your setup, WireGuard. - -On Linux, these necessary ports are needed to be opened: - -- UDP and TCP ports 51821-51830 -- TCP ports 80 and 443 -- UDP and TCP port 53 for DNS - -In some cases, depending on the nature of your network setup, these ports may need to be opened as well: - -- UDP ports 19302 & 3478 for STUN -- TCP port 3479 for TURN -- TCP ports 1883 & 8883 for MQTT -- TCP ports 8083 & 8084 for EMQX Websocket -- TCP port 8081 for the NM API - -If the public port is not in the range of 51821-51830, set a static one and allow that port - -For advanced use cases, you might need to view your device's firewall logs, or in case of Netclients behind a NAT, your Firewall-Appliance/Router's firewall logs. Look for blocked traffic coming in and out having origin/destination IPs of your devices. - -For example, in UFW you may do: - -.. code-block:: - - #set firewall to log only the blocked traffic - ufw logging low - - #clear out the current logs - cat /dev/null | sudo tee /var/log/ufw.log - - #reload ufw - ufw reload - - #filter the logs - cat /var/log/ufw.log | grep -e <netmaker server IP> -e <other nodes' IPs> - - - Managing Netclient ===================== diff --git a/netclient.rst b/netclient.rst index e390c7b8..ebde4ad4 100644 --- a/netclient.rst +++ b/netclient.rst 
@@ -204,6 +204,52 @@ By using this method, you can run many netclients on the same host and just incr +****************** +Firewall Settings +****************** + +Netclient manages WireGuard on client devices (nodes). As its name suggests, Netclient is a client in a mesh topology, thus it needs to communicate with the server and with the other clients as well. Netclient will detect local changes and send them to the server when necessary. A change in IP address or port will lead to a network update to keep everything in sync. +It goes without saying that in almost all cases it is imperative that firewall must be up and running on any device that is connected to a network, especially the internet. Firewalls are inherently restrictive for good reasons. And by default, it doesn't allow any traffic that Netclient would use to function properly. + +On Windows machines, it is possible to allow programs or applications through the firewall. Thus you might want to allow Netclient and, depending on your setup, WireGuard. + +On Linux, these necessary ports are needed to be opened: + +- UDP and TCP ports 51821-51830 +- TCP ports 80 and 443 +- UDP and TCP port 53 for DNS + +In some cases, depending on the nature of your network setup, these ports may need to be opened as well: + +- UDP ports 19302 & 3478 for STUN +- TCP port 3479 for TURN +- TCP ports 1883 & 8883 for MQTT +- TCP ports 8083 & 8084 for EMQX Websocket +- TCP port 8081 for the NM API + +If the public port is not in the range of 51821-51830, set a static one and allow that port + +For advanced use cases, you might need to view your device's firewall logs, or in case of Netclients behind a NAT, your Firewall-Appliance/Router's firewall logs. Look for blocked traffic coming in and out having origin/destination IPs of your devices. + +For example, in UFW you may do: + +.. 
code-block:: + + #set firewall to log only the blocked traffic + ufw logging low + + #clear out the current logs + cat /dev/null | sudo tee /var/log/ufw.log + + #reload ufw + ufw reload + + #filter the logs + cat /var/log/ufw.log | grep -e <netmaker server IP> -e <other nodes' IPs> + + + + ****************** Joining a Network ******************
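Review bot: the deletion hunk in advanced-client-install.rst takes the whole ``Firewall Settings`` section out from directly under the enrollment-key instructions (``netclient join -t <enrollment key>``) and leaves nothing in that file telling the reader that ports must be opened before a join will work. Suggest replacing the removed section with a one-line cross-reference to the new location, e.g. ``See the Firewall Settings section in :doc:`netclient` for the ports Netclient needs open.`` (adjust the target to the label the netclient page actually uses), so the advanced install path still surfaces the requirement.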
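Review bot: the port list added to netclient.rst says only that the ports are "needed to be opened" and never states a direction, but direction is exactly what a firewall rule needs: the section itself says Netclient "needs to communicate with the server and with the other clients", yet it does not say which of ``UDP and TCP ports 51821-51830``, ``TCP ports 80 and 443``, the MQTT/EMQX ports and ``TCP port 8081 for the NM API`` are listeners on the node and which are outbound connections the node makes, so a reader applying the list literally will open all of them inbound on every client. Suggest marking each bullet inbound or outbound and, for the outbound ones, noting that they can be scoped to the server address where the host firewall supports it. Smaller points in the same hunk: ``.. code-block::`` should name a language (``.. code-block:: bash``) so Sphinx highlights it consistently; ``ufw logging low`` and ``ufw reload`` need ``sudo`` as the ``tee`` line already has; "it is imperative that firewall must be up" and "Firewalls are inherently restrictive ... it doesn't allow" should read "a firewall must be up" and "they don't allow"; "set a static one and allow that port" is missing its full stop; and the three extra blank lines before ``Joining a Network`` can be dropped.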