From f8933fc0a1654a14f487b6ae62d9ab198a8a3935 Mon Sep 17 00:00:00 2001
From: NEETweeb <dentadlp@gmail.com>
Date: Thu, 18 Jul 2024 01:22:10 +0800
Subject: [PATCH] moved-netclient-firewall-settings-guide-to-netclient-page

---
 advanced-client-install.rst | 41 ---------------------------------
 netclient.rst               | 46 +++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+), 41 deletions(-)

diff --git a/advanced-client-install.rst b/advanced-client-install.rst
index c4e4edf9..f35311e6 100644
--- a/advanced-client-install.rst
+++ b/advanced-client-install.rst
@@ -188,47 +188,6 @@ An admin creates an enrollment key in the "Enrollment Keys" section of the UI. U
 For first time installations, you can run the Install Command. For additional networks, simply run ``netclient join -t <enrollment key>``.
 
 
-Firewall Settings
-======================
-
-On Windows machines, it is possible to allow programs or applications through the firewall. Thus you might want to allow Netclient and, depending on your setup, WireGuard.
-
-On Linux, these necessary ports are needed to be opened:
-
-- UDP and TCP ports 51821-51830
-- TCP ports 80 and 443
-- UDP and TCP port 53 for DNS
-
-In some cases, depending on the nature of your network setup, these ports may need to be opened as well:
-
-- UDP ports 19302 & 3478 for STUN
-- TCP port 3479 for TURN
-- TCP ports 1883 & 8883 for MQTT
-- TCP ports 8083 & 8084 for EMQX Websocket
-- TCP port 8081 for the NM API
-
-If the public port is not in the range of 51821-51830, set a static one and allow that port 
-
-For advanced use cases, you might need to view your device's firewall logs, or in case of Netclients behind a NAT, your Firewall-Appliance/Router's firewall logs. Look for blocked traffic coming in and out having origin/destination IPs of your devices.
-
-For example, in UFW you may do:
-
-.. code-block::
-
-  #set firewall to log only the blocked traffic
-  ufw logging low
-
-  #clear out the current logs
-  cat /dev/null | sudo tee /var/log/ufw.log
-
-  #reload ufw
-  ufw reload
-
-  #filter the logs
-  cat /var/log/ufw.log | grep -e <netmaker server IP> -e <other nodes' IPs> 
-
-
-
 Managing Netclient
 =====================
 
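Review bot: deleting the section from advanced-client-install.rst leaves no pointer to where it went; consider replacing the removed block with a one-line cross-reference (a ``:ref:`` or ``:doc:`` link to the Firewall Settings section in netclient.rst) so readers of the advanced guide and any existing links to this heading still land on the content, and check the rest of the docs for references to this heading, since RST section anchors are derived from the title that this hunk removes. The three blank lines left in front of ``Managing Netclient`` are harmless but could be collapsed to two.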
diff --git a/netclient.rst b/netclient.rst
index e390c7b8..ebde4ad4 100644
--- a/netclient.rst
+++ b/netclient.rst
@@ -204,6 +204,52 @@ By using this method, you can run many netclients on the same host and just incr
 
 
 
+******************
+Firewall Settings
+******************
+
+Netclient manages WireGuard on client devices (nodes). As its name suggests, Netclient is a client in a mesh topology, thus it needs to communicate with the server and with the other clients as well. Netclient will detect local changes and send them to the server when necessary. A change in IP address or port will lead to a network update to keep everything in sync.
+It goes without saying that in almost all cases it is imperative that firewall must be up and running on any device that is connected to a network, especially the internet. Firewalls are inherently restrictive for good reasons. And by default, it doesn't allow any traffic that Netclient would use to function properly.
+
+On Windows machines, it is possible to allow programs or applications through the firewall. Thus you might want to allow Netclient and, depending on your setup, WireGuard.
+
+On Linux, these necessary ports are needed to be opened:
+
+- UDP and TCP ports 51821-51830
+- TCP ports 80 and 443
+- UDP and TCP port 53 for DNS
+
+In some cases, depending on the nature of your network setup, these ports may need to be opened as well:
+
+- UDP ports 19302 & 3478 for STUN
+- TCP port 3479 for TURN
+- TCP ports 1883 & 8883 for MQTT
+- TCP ports 8083 & 8084 for EMQX Websocket
+- TCP port 8081 for the NM API
+
+If the public port is not in the range of 51821-51830, set a static one and allow that port 
+
+For advanced use cases, you might need to view your device's firewall logs, or in case of Netclients behind a NAT, your Firewall-Appliance/Router's firewall logs. Look for blocked traffic coming in and out having origin/destination IPs of your devices.
+
+For example, in UFW you may do:
+
+.. code-block::
+
+  #set firewall to log only the blocked traffic
+  ufw logging low
+
+  #clear out the current logs
+  cat /dev/null | sudo tee /var/log/ufw.log
+
+  #reload ufw
+  ufw reload
+
+  #filter the logs
+  cat /var/log/ufw.log | grep -e <netmaker server IP> -e <other nodes' IPs> 
+
+
+
+
 ******************
 Joining a Network
 ******************
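Review bot: the port list gives no direction for each entry, so readers are likely to open inbound holes for traffic that is only ever outbound from the client (HTTPS, MQTT/EMQX, STUN/TURN, the NM API); please annotate each port as inbound or outbound and say explicitly that the only port the client itself needs to accept connections on is its WireGuard public port (51821-51830, or the static port mentioned in the sentence below, which is also missing its full stop). In the UFW block, ``ufw logging low`` and ``ufw reload`` run without ``sudo`` while the ``tee`` line uses it, ``cat /dev/null | sudo tee /var/log/ufw.log`` can be ``sudo truncate -s 0 /var/log/ufw.log``, and ``cat /var/log/ufw.log | grep ...`` can be ``grep -e <netmaker server IP> -e <other nodes' IPs> /var/log/ufw.log``; giving the directive a language (``.. code-block:: bash``) would also get it highlighted. In the new intro paragraph, "it is imperative that firewall must be up" reads better as "a firewall must be up", and "it doesn't allow" should be "they don't allow" to agree with the plural "Firewalls". The four blank lines before the next title can be trimmed to two.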