Answers about NAT #2931
TOoSmOotH announced in Announcements
I have done what you suggested as far as running the so-firewall commands to allow the public IP of the sensor through (several times, all with fresh installs); however, you can still see the sensor trying to connect to the manager on its private IP through port 443. With the sensor outside of our firewall, that obviously won't work. I have also attempted to edit the sensoroni.json file, as it has the URL of the private IP address, but whenever I restart the program it gets written back to the private IP. I am assuming salt somewhere is checking that file and ensuring it stays the same; I just haven't found where to edit that yet.
I have seen several threads regarding NAT and I wanted to clarify how connectivity works in 2.X. When a sensor sends data to the manager, it uses strict SSL authentication. We do this to maintain integrity for both sides of the connection. A client has to have its own signed cert from the manager, and the manager must pass muster on its certificate for the client to trust that it is sending its precious data to the appropriate location. When you put your manager behind a NAT, the IP address does not match that of the certificate and fails. This breaks a lot of the communication from the sensor to the manager. The sensors can technically reside behind a NAT today, but you have to do some manual intervention. The manager CANNOT be behind a NAT.
When the setup is adding a new sensor to the grid it uses SSH to execute a command to open up the firewall for the new grid member. The only IP the sensor knows is its local address. It has no idea it is behind a NAT and therefore cannot send that IP. This requires you to add the NAT IP to the manager firewall BEFORE you run setup on the sensor. To do so you would do the following:
Those steps should allow you to add a sensor behind a NAT to the manager as it stands today. Starting in 2.3.30, setup will no longer prevent you from using a VPN connection to connect to a VPN endpoint to access your manager. #2930 will support OpenVPN and WireGuard as methods to connect to the manager. You will still need to select the actual management interface during the setup process, as the tunnel interface will not be visible. The VPN must be set up BEFORE you run setup. The user is responsible for setting up the VPN, as setup does not get involved in this process.
Hopefully this clears up some of the confusion around connectivity.
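The certificate mismatch described in the announcement, as an added example that is not Security Onion's code: a Go program that issues a self-signed stand-in for the manager certificate whose only Subject Alternative Name is a constructed private IP (10.10.10.5), then asks crypto/x509 whether a client dialing that IP, or a constructed NAT address (203.0.113.10), would accept it under the strict hostname verification a TLS client performs by default. The IPs, the certificate fields and the function names are assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// managerCert builds a self-signed certificate whose only Subject Alternative
// Name is the manager's private IP. It stands in for the manager certificate a
// sensor must validate; the IP is constructed for this example, not taken from
// any real grid.
func managerCert(privateIP string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "manager"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP(privateIP)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// reachableAs reports whether a client that dials addr would accept cert under
// strict hostname verification: the address dialed must appear in the
// certificate's SANs. This is the check that fails when the manager sits
// behind a NAT and the sensor dials the public address instead.
func reachableAs(cert *x509.Certificate, addr string) bool {
	return cert.VerifyHostname(addr) == nil
}

func main() {
	const privateIP = "10.10.10.5"  // manager's real interface (constructed)
	const natIP = "203.0.113.10"    // address the NAT presents (constructed)

	cert, err := managerCert(privateIP)
	if err != nil {
		panic(err)
	}
	fmt.Println("direct to private IP accepted:", reachableAs(cert, privateIP))
	fmt.Println("via NAT public IP accepted:   ", reachableAs(cert, natIP))
}
```

The point of the check is that rewriting a destination address at the NAT does not rewrite the SANs baked into the certificate, so the only ways to make the NAT path verify are to reissue the manager certificate with the public address included or to avoid the translation altogether, which is what the VPN option mentioned for 2.3.30 does.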