I have a remote two-node VE cluster, with a ZeroTier network with ZT nodes at the main router (ZT client) and also on hosts within the network, either in the VE cluster or just regular hosts on the LAN. The ZT network is set up to forward the LAN subnet (10.0.0.x) via the main router so that I can seamlessly interact with remote hosts using their private IPs from my admin laptop wherever I am.
I've recently had reason to limit one of my VMs (let's call it 105) to only have WAN access, no LAN access. To do this, I turned on firewall at the Datacenter level, and added a security group that limits that VM as described.
I also created a security group that permits me access to each of the cluster's two nodes' web UIs (port 8006) using their private IPs (the nodes don't have ZT clients installed). This all works fine.
What I am struggling to do now is permit access to another VM (let's call it 101) via its private 10.0.0.x address. Before the firewall this all worked fine, that is:
My laptop requests 10.0.0.238:8123 -> ZT routing -> Remote router (ZT client installed) -> 10.0.0.238:8123
I can access the two nodes' web UI via their local IPs (i.e. the ZT routing is working!), but not the VM inside one of those nodes.
I'm aware you need the firewall enabled for DC, Node and VM (as well as the VM network device having firewall enabled).
It's not clear though if the security group needs to be in all places, e.g.:
DC firewall: enabled, security group "A" and rules defined
Node firewall: enabled, security group "A" enabled
VM firewall: enabled, security group "A" enabled, firewall enabled in network device
I've tried this and many permutations and it doesn't allow access.
my cluster.fw:
```
[group admin]
IN ACCEPT -dest 10.0.0.250 -p tcp -dport 8006 -log nolog
IN ACCEPT -dest 10.0.0.253 -p tcp -dport 8006 -log nolog
IN ACCEPT -dest 10.0.0.238 -p tcp -dport 8123 -log debug
OUT ACCEPT -log nolog
```
101.fw:
```
# [RULES] header added: pve-firewall expects rule lines inside a section
[RULES]
GROUP admin -i net0
```
Does the node need a network interface defined? If so which is it? vmbr0? eno1?
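An added example, not from the post and not pve-firewall's own code: a small Python parser for the cluster.fw / <vmid>.fw syntax shown above, plus a first-match checker that reports why a given inbound flow to the VM is accepted, dropped, or not filtered at all. It assumes `[OPTIONS]` blocks with `enable: 1` at both the datacenter and VM level (the post shows only the `[group admin]` block and the `GROUP admin -i net0` line; the surrounding headers are constructed here), assumes the pve default inbound policy of DROP when no rule matches, and does not model host.fw, IPSETs or aliases.

```python
"""Parser and first-match checker for Proxmox VE firewall files (cluster.fw, <vmid>.fw).
Models only [OPTIONS] enable/policy_in, [group NAME] and [RULES] (assumption: no host.fw/IPSET)."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^\[(\w+)(?:\s+([\w.-]+))?\]$")
Rule = namedtuple("Rule", "kind target opts")   # IN/OUT/GROUP, action or group name, {opt: value}

@dataclass
class FwFile:
    options: dict = field(default_factory=dict)   # [OPTIONS] key -> value
    rules: list = field(default_factory=list)     # [RULES] in file order
    groups: dict = field(default_factory=dict)    # [group NAME] -> [Rule]

def parse_rule(line: str) -> Rule:
    """Parse e.g. 'IN ACCEPT -dest 10.0.0.238 -p tcp -dport 8123 -log debug'."""
    kind, target, *rest = line.split()             # ValueError on a malformed line
    opts, i = {}, 0
    while i < len(rest):
        key = rest[i].lstrip("-")
        if i + 1 < len(rest) and not rest[i + 1].startswith("-"):
            opts[key], i = rest[i + 1], i + 2
        else:
            opts[key], i = True, i + 1             # bare flag without a value
    return Rule(kind.upper(), target, opts)

def parse_fw(text: str) -> FwFile:
    """Split a .fw file into options, rules and named groups; '#' starts a comment."""
    cfg, section, group = FwFile(), None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, group = m.group(1).upper(), m.group(2)
            if section == "GROUP":
                cfg.groups.setdefault(group, [])
            continue
        if section is None:                        # e.g. 'GROUP admin -i net0' with no [RULES] above it
            raise ValueError(f"rule line outside any [section]: {line!r}")
        if section == "OPTIONS":
            key, _, value = line.partition(":")
            cfg.options[key.strip()] = value.strip()
        elif section == "RULES":
            cfg.rules.append(parse_rule(line))
        elif section == "GROUP":
            cfg.groups[group].append(parse_rule(line))
    return cfg

def rule_matches(rule: Rule, dest: str, dport, proto: str, iface: str) -> bool:
    """An IN rule matches when every option it sets agrees with the flow."""
    o = rule.opts
    return (rule.kind == "IN" and o.get("dest", dest) == dest
            and str(o.get("dport", dport)) == str(dport)
            and o.get("p", proto) == proto and o.get("i", iface) == iface)

def verdict(cluster: FwFile, vm: FwFile, dest: str, dport, proto="tcp", iface="net0"):
    """Walk the VM's [RULES] in order (first match wins) and return (decision, reasons)."""
    off = [n for n, c in (("cluster.fw", cluster), ("VM .fw", vm)) if c.options.get("enable") != "1"]
    if off:
        return "UNFILTERED", [f"{n}: [OPTIONS] enable is not 1, firewall off at that level" for n in off]
    reasons = []
    for r in vm.rules:
        if r.kind == "GROUP":
            if r.target not in cluster.groups:
                reasons.append(f"group '{r.target}' referenced but not defined in cluster.fw")
                continue
            if r.opts.get("i", iface) != iface:    # -i on a GROUP line scopes the whole group
                continue
            for g in cluster.groups[r.target]:
                if rule_matches(g, dest, dport, proto, iface):
                    reasons.append(f"matched group '{r.target}': {g.kind} {g.target} {g.opts}")
                    return g.target, reasons
        elif rule_matches(r, dest, dport, proto, iface):
            reasons.append(f"matched rule: {r.kind} {r.target} {r.opts}")
            return r.target, reasons
    policy = vm.options.get("policy_in", "DROP")   # pve default inbound policy (assumed)
    reasons.append(f"no rule matched; falling through to policy_in={policy}")
    return policy, reasons

# Constructed inputs: the [group admin] block and the 'GROUP admin -i net0' line are the
# post's own; the [OPTIONS] enable: 1 and [RULES] headers around them are assumed.
CLUSTER_FW = """\
[OPTIONS]
enable: 1

[group admin]
IN ACCEPT -dest 10.0.0.250 -p tcp -dport 8006 -log nolog
IN ACCEPT -dest 10.0.0.253 -p tcp -dport 8006 -log nolog
IN ACCEPT -dest 10.0.0.238 -p tcp -dport 8123 -log debug
OUT ACCEPT -log nolog
"""
VM101_FW = "[OPTIONS]\nenable: 1\n\n[RULES]\nGROUP admin -i net0\n"

if __name__ == "__main__":
    cluster, vm = parse_fw(CLUSTER_FW), parse_fw(VM101_FW)
    for port in (8123, 22):
        decision, why = verdict(cluster, vm, "10.0.0.238", port)
        print(f"10.0.0.238:{port}/tcp -> {decision}: " + "; ".join(why))
```

Running it over these inputs reports 10.0.0.238:8123/tcp as ACCEPT via the `admin` group and 10.0.0.238:22/tcp as DROP by the default inbound policy; feeding it a VM file with `enable: 0`, or a `GROUP` line whose `-i` does not match the VM's NIC, shows the two other ways a rule that looks right on paper never applies. The parser also refuses a file whose `GROUP admin -i net0` line sits outside a `[RULES]` section, which is worth checking against the real 101.fw before chasing the node-level question.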