Unable to determine what FW to open

I encountered an unexpected error while attempting private/customer router registration. The error prevented the registration command from completing firewall setup.

ziggy@netfoundry-vm:~$ sudo router-registration --edge 192.168.1.249 SPQCMQUJEH
Starting Registration
Tunning Network parameters via sysctl
Checking communication with controller
Starting Ziti Router Setup
Downloading bundle
100% [........................................................................] 91665397 / 91665397

Configuring for Tunnel Mode
Setup DNS
Adding firewall rule to allow inbound 53 from local network
-Running command: ufw allow from 192.168.1.0/24 to any port 53 proto udp
Adding firewall rule to allow inbound 53 from local network
-Running command: ufw allow from 192.168.1.0/24 to any port 53 proto tcp
Adding firewall rule to allow inbound 8081 from local network
-Running command: ufw allow from 192.168.1.0/24 to any port 8081 proto tcp
 !! You have more then one interface, unable to determine what FW to open
 !! Please run the following command for which ever subnets you would
 !! like to allow inbound access.
 - command: sudo ufw allow from {{ network_address }} to any port 443 proto tcp
Installing Systemd Service
Ziti Router Setup Complete
Starting Salt Minion Setup
Applying Salt Minion State, this might take a minute...
Salt state was successful
Registration complete

Before registration, I followed these instructions to configure a static IPv4 with netplan: https://support.netfoundry.io/hc/en-us/articles/360016129312-Run-the-Edge-Router-VM-on-Your-Own-Equipment

This is a virtual machine with one interface, and for some reason it happens to also have a second interface address on enp1s0, presumably from DHCP. How to remove the second address and where it came from is another matter, but the registration command did not complete the firewall setup because it was present.

ziggy@netfoundry-vm:/opt/netfoundry/ziti/ziti-router$ ip addr sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:c3:06:c7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.249/24 brd 192.168.1.255 scope global enp1s0
       valid_lft forever preferred_lft forever
    inet 192.168.1.177/24 brd 192.168.1.255 scope global secondary dynamic enp1s0
       valid_lft 6597sec preferred_lft 6597sec
    inet6 2600:1700:5eb2:e60:5054:ff:fec3:6c7/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 3489sec preferred_lft 3489sec
    inet6 fe80::5054:ff:fec3:6c7/64 scope link 
       valid_lft forever preferred_lft forever

v: 3
identity:
  cert: certs/client.cert.pem
  server_cert: certs/server.cert.pem
  key: certs/client.key.pem
  ca: certs/intermediate-chain.pem
ctrl:
  endpoint: tls:17ba74fe-afff-4d4d-aa69-c915c4d3aecf.production.netfoundry.io:80
link:
  dialers:
  - binding: transport
healthChecks:
  ctrlPingCheck:
    interval: 30s
    timeout: 15s
    initialDelay: 15s
edge:
  csr:
    country: US
    province: NC
    locality: Charlotte
    organization: NetFoundry
    organizationalUnit: Ziti
    sans:
      ip:
      - 127.0.0.1
      - 192.168.1.249
listeners:
- binding: edge
  address: tls:0.0.0.0:443
  options:
    advertise: 192.168.1.249:443
- binding: proxy
  address: tcp:127.0.0.1:4505
  service: salt4505
- binding: proxy
  address: tcp:127.0.0.1:4506
  service: salt4506
- binding: tunnel
  options:
    resolver: udp://192.168.1.249:53
    lanIf: enp1s0
web:
- name: health-check
  bindPoints:
  - interface: 0.0.0.0:8081
    address: 0.0.0.0:8081
  apis:
  - binding: health-checks

I completed the firewall setup by running

sudo ufw allow from 192.168.1.0/24 to any port 443 proto tcp

Hi @qrkourier - We are checking this with our cloud engineers who have built the ER images. Please expect a response soon.

Here is my interface config.

network:
  version: 2
  renderer: networkd
  ethernets:
    enp1s0:
      dhcp4: false
      addresses:
        - 192.168.1.249/24
      gateway4: 192.168.1.254
      nameservers:
        addresses:
          - 1.1.1.1
          - 8.8.8.8

I deviated from the posted Support instructions only by adding dhcp4: false, which was an attempt to eliminate the secondary interface address from DHCP.

When the registration script detects more than a single IP, it doesn’t automatically add FW rules for the inbound Edge Router (port 443) & warns you as such. It’s intended that way, since more than likely you’ll want to open the Edge Listening port for multiple subnets & there’s no way to predict the local network architecture.

As for why you have two IPs on the VM you built: I think the instructions you followed are flawed & need to be updated. It comes down to the fact that you still have two netplan files, the original & the new one, and both are merged when netplan is applied. You’ll need to remove the previous netplan file in order to stop the double IPs from being assigned.

I’ll coordinate to get those instructions updated & I believe there’s also a helper script to assist with assigning IP Addresses that will automatically do all of those steps, so look forward to the updates.

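To make the two explanations above concrete (the registration script refusing to guess the port 443 rule once it sees more than one address, and two merged netplan files leaving a DHCP address next to the static one), here is an added example in Python. It is not NetFoundry's router-registration script and not netplan: the ip output is a constructed one-line (`ip -o -4 addr show`) rendering of the addresses shown in the first post, the netplan merge is a simplified model (files applied in lexical name order, later keys overriding earlier ones), and the file name 01-static.yaml for the operator's file is an assumption chosen so that the stock 50-cloud-init.yaml sorts after it.

```python
"""Added example (not NetFoundry's router-registration script, not netplan).

Models the two points made in this thread:
  1. the registration script's rule "more than one address -> do not
     guess the firewall subnet for 443, print the command instead", and
  2. why a leftover /etc/netplan/50-cloud-init.yaml keeps a DHCP address
     next to the static one.
Runs offline on constructed input.
"""
import copy
import ipaddress

# Constructed sample in `ip -o -4 addr show` form, mirroring the addresses
# from the post (not captured from the VM).
IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: enp1s0    inet 192.168.1.249/24 brd 192.168.1.255 scope global enp1s0\\       valid_lft forever preferred_lft forever
2: enp1s0    inet 192.168.1.177/24 brd 192.168.1.255 scope global secondary dynamic enp1s0\\       valid_lft 6597sec preferred_lft 6597sec
"""


def parse_ip_addr(text):
    """Return (ifname, IPv4Interface, is_dynamic) for each global-scope IPv4 address."""
    found = []
    for line in text.splitlines():
        tokens = line.replace("\\", " ").split()
        if "inet" not in tokens or "scope" not in tokens:
            continue
        ifname = tokens[1]
        iface = ipaddress.ip_interface(tokens[tokens.index("inet") + 1])
        if tokens[tokens.index("scope") + 1] != "global":
            continue  # loopback and link-local never need a ufw rule
        found.append((ifname, iface, "dynamic" in tokens))  # 'dynamic' == DHCP lease
    return found


def firewall_plan(addrs, port=443):
    """Mirror the registration script: with exactly one address it can apply the
    rule itself; with more it only prints the commands for the operator."""
    nets = sorted({str(iface.network) for _, iface, _ in addrs})
    cmds = [f"sudo ufw allow from {net} to any port {port} proto tcp" for net in nets]
    return len(addrs) == 1, cmds


def dhcp_addresses(addrs):
    """Addresses that came from a DHCP lease rather than static config."""
    return [(ifname, str(iface)) for ifname, iface, dynamic in addrs if dynamic]


# Constructed netplan files as netplan would parse them (dicts, so no YAML
# library is needed). 50-cloud-init.yaml is the stock image file; the name
# 01-static.yaml for the operator's file is an assumption chosen so that it
# sorts BEFORE 50-cloud-init.yaml.
NETPLAN_FILES = {
    "50-cloud-init.yaml": {
        "network": {"version": 2, "ethernets": {"enp1s0": {"dhcp4": True}}}
    },
    "01-static.yaml": {
        "network": {
            "version": 2,
            "renderer": "networkd",
            "ethernets": {
                "enp1s0": {
                    "dhcp4": False,
                    "addresses": ["192.168.1.249/24"],
                    "gateway4": "192.168.1.254",
                }
            },
        }
    },
}


def _deep_update(dst, src):
    for key, value in src.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            _deep_update(dst[key], value)
        else:
            dst[key] = copy.deepcopy(value)


def merge_netplan(files):
    """Simplified model of netplan's merge: files applied in lexical name order,
    later files overriding earlier ones key by key (assumption; the real rules
    have more detail, but this is enough to show the dhcp4 collision)."""
    merged = {}
    for _name, cfg in sorted(files.items()):
        _deep_update(merged, cfg)
    return merged


def enp1s0_config(files):
    return merge_netplan(files)["network"]["ethernets"]["enp1s0"]


if __name__ == "__main__":
    addrs = parse_ip_addr(IP_ADDR_OUTPUT)
    apply_now, cmds = firewall_plan(addrs)
    print("addresses on enp1s0:", [(n, str(i)) for n, i, _ in addrs])
    print("script would apply the 443 rule itself:", apply_now)
    for cmd in cmds:
        print(" - command:", cmd)
    print("DHCP-leased:", dhcp_addresses(addrs))
    print("merged with 50-cloud-init.yaml present:", enp1s0_config(NETPLAN_FILES))
    without = {k: v for k, v in NETPLAN_FILES.items() if k != "50-cloud-init.yaml"}
    print("after deleting 50-cloud-init.yaml:", enp1s0_config(without))
```

Two things the run makes visible. The script's check counts addresses, not networks: both addresses here sit in 192.168.1.0/24, so the deferred command list collapses to the single rule the original poster ended up running by hand, and the `dynamic` flag singles out 192.168.1.177 as the DHCP lease. In the modelled merge, the static file sorting before 50-cloud-init.yaml means dhcp4: true from the cloud-init file wins while the static address is kept, which is exactly the two-address state; dropping 50-cloud-init.yaml from the merge flips dhcp4 to false, matching the fix reported later in the thread.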

@edwardm I confirmed the second address is removed by deleting /etc/netplan/50-cloud-init.yaml and sudo netplan apply.

@qrkourier I’m glad that worked!

I’ve updated those instructions & added the step to remove the previous file, for the short term. We’ll get those instructions updated with the helper script soon.
