# How to Add Egress

{% embed url="<https://youtu.be/CJVqDC_tXxU>" %}

### Purpose

This guide explains how to configure egress routes in a Netmaker network.

### Introduction to Egress Networking

Egress networking is a powerful feature in Netmaker that enables secure remote access to entire local networks (LANs) through a single gateway device. This eliminates the need to install Netclient endpoints on every individual device at a remote location, such as printers, IP cameras, or legacy servers. Instead, one or more Netmaker nodes act as a router, forwarding traffic from the overlay network into the local site's infrastructure.

#### Core Concepts and Use Cases

By designating a node as an egress gateway, you can facilitate connectivity for various environments, including:

* **Office Networks:** Providing remote employees access to local file shares and internal resources.
* **Edge and Retail Sites:** Managing IoT devices or point-of-sale systems at distributed locations.
* **Factories:** Accessing industrial equipment on specialized subnets.

#### Prerequisites for Egress Setup

To begin setting up egress, you must first identify the nodes that will serve as the traffic gateways. These nodes must be physically located at the site and have reachability to the local network you wish to expose.

1. Navigate to the Netmaker dashboard and select the appropriate network from the **Networks** menu.
2. Click on the **Nodes** section in the left sidebar to manage your network endpoints.

3. Ensure the **Devices** tab is selected at the top of the dashboard to view the connected hardware.
4. Identify the target nodes (e.g., **site-linux-1** and **site-linux-2**) and verify their **STATUS** is **Online**. Having multiple nodes allows for redundant routing if one gateway fails.

### Configuring Egress Routes for Netclient Nodes

Egress gateways allow your Netmaker network to reach remote local networks—such as office LANs, retail sites, or factory floors—using a single installed device as a router. This eliminates the need to install Netmaker endpoints on every individual device at the remote site.

#### Initiating the Egress Route

To begin, identify the nodes that will act as the gateway. Ensure they are online and connected to your network. Navigate to the Netmaker dashboard and select the **Egress** section from the left-hand sidebar menu.

1. Click the blue **+ Add route** button located in the top-right corner of the dashboard.
2. In the **Name** field, enter a descriptive label for the route, such as `Remote Site Network`.
3. Provide additional context in the **Description** field, for example, `Edge Location`.

#### Network and Routing Configuration

After naming the route, you must define the technical parameters for traffic forwarding and target addresses.

* **Enable NAT:** Ensure the **Enable NAT for egress traffic** toggle is switched to the **ON** position. This is the standard setting for most environments unless you have established custom NAT rules manually.
* **Define Subnet:** In the **Egress** field, enter the CIDR range of the local network you wish to reach (e.g., `192.168.57.0/24`).

#### Assigning Nodes and Redundancy

Click **Next** to proceed to node assignment. Netmaker allows you to assign multiple nodes to a single egress route to ensure high availability.

1. From the **Select node** dropdown, choose your primary node (e.g., `site-linux-1`).
2. To implement redundancy, click the **+ Add node** button.
3. Select a secondary node (e.g., `site-linux-2`) from the additional dropdown. If the primary node fails, the secondary node will automatically take over the routing tasks for that traffic.

### Access Policies and Granular IoT Routes

After defining the target network and assigning gateway nodes, Netmaker allows you to refine who can actually use these routes through access control policies. This ensures that only authorized users or groups can reach the remote infrastructure.

#### Configuring Egress Access Policies

By default, access can be restricted to specific user groups. Within the **Create new egress route** wizard, navigate to the **Egress access policies** step. Toggle the **Users Policy** switch to the **Enabled** position. From the **Source** dropdown, you can select specific groups, such as the **All Networks User Group**, to grant broad access to all network members.

Once the policy is defined, clicking **Finish** will finalize the route. A notification confirming 'Egress Route Created' will appear, and the route will be active immediately.

#### Adding Granular Routes for IoT Devices

Egress routes are not limited to entire subnets; they can be configured for individual IP addresses to provide granular access to specific hardware, such as an IoT camera or a single server.

1. Click the **+ Add route** button on the Egress dashboard.
2. Provide a descriptive name and description, such as **'IoT Device On Site'** and **'Camera running on site'**.
3. In the **Egress** field, instead of a CIDR range, enter the specific IP address of the device (e.g., `192.168.57.45`).
4. Assign a gateway node (e.g., **site-linux-1**) to handle the traffic for this specific device.
5. Set a more restrictive access policy if necessary. For instance, you may choose to grant access only to an **'admin'** user rather than a whole group.

After clicking **Finish**, the new granular route will appear in the **Egress** tab alongside your broader network routes, allowing for precise management of remote device access.

### Configuring Egress via WireGuard Static Configs

For devices where the Netclient cannot be installed—such as hardware routers or specialized IoT appliances—Netmaker allows you to configure egress routing using static WireGuard configuration files. This method involves manually defining additional network addresses and routing scripts within the dashboard before deploying the configuration to the target device.

#### Accessing Configuration Files

To begin, navigate to the **Nodes** section from the left-hand sidebar. Unlike standard nodes, static configurations are managed under a separate view.

1. Select the **Config files** tab at the top of the Nodes dashboard.
2. Identify the configuration file for your target device (e.g., **'edge-server'**).
3. Click the three-dot menu icon on the right and select **Edit** to open the **Update Config File** modal.

#### Defining Egress Networks

Once inside the configuration editor, you must define which remote networks the device should provide access to. This is handled through the **Advanced Settings** menu.

In the **Additional Addresses (Optional)** field, enter the CIDR range of the local network you wish to expose (e.g., `10.45.0.0/16`). These addresses will be automatically added to the `AllowedIPs` section of the generated WireGuard configuration.

#### Implementing Routing and Forwarding Scripts

Because static WireGuard nodes do not benefit from Netclient's automated routing management, you must manually define traffic forwarding rules using **Post Up** and **Post Down** scripts. These are typically implemented via `iptables` to enable NAT masquerading.

* **Post Up:** Enter the command that adds the NAT masquerading rule when the interface starts. For example:\
  `iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE`
* **Post Down:** Enter the matching command that removes the rule when the interface stops, so no stale NAT rule is left on the host:\
  `iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE`

*Note: Replace `eth1` with the actual WAN or local interface of your device.*
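
The `MASQUERADE` rule above matches every packet leaving `eth1`, whatever its source. As an added example (not part of the Netmaker documentation), the helper below emits a Post Up / Post Down pair that only NATs and forwards traffic coming from the overlay range; the function name `egress_nat_rules` and the overlay CIDR `10.101.0.0/24` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: build a symmetric PostUp/PostDown pair scoped to the overlay
# network. The function name and the sample values are hypothetical.
# The gateway also needs IPv4 forwarding enabled (net.ipv4.ip_forward = 1).

egress_nat_rules() {
    iface=$1      # LAN-facing interface on the gateway, e.g. eth1
    overlay=$2    # overlay (WireGuard) range, e.g. 10.101.0.0/24 (constructed)

    # wg-quick runs hook lines through a root shell, so refuse anything that
    # is not a plain interface name or an IPv4 CIDR (shape check only).
    case $iface in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid interface name" >&2; return 1 ;;
    esac
    case $overlay in
        ''|*[!0-9./]*) echo "invalid IPv4 CIDR" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$overlay" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
        echo "invalid IPv4 CIDR" >&2; return 1
    fi

    # The same three rules are emitted with -A for PostUp and -D for PostDown,
    # so teardown removes exactly what setup added. %i is expanded by wg-quick
    # to the WireGuard interface name.
    for pair in PostUp:A PostDown:D; do
        key=${pair%%:*}; act=${pair##*:}
        printf '%s = ' "$key"
        printf 'iptables -t nat -%s POSTROUTING -s %s -o %s -j MASQUERADE; ' \
            "$act" "$overlay" "$iface"
        printf 'iptables -%s FORWARD -i %%i -o %s -s %s -j ACCEPT; ' \
            "$act" "$iface" "$overlay"
        printf 'iptables -%s FORWARD -i %s -o %%i ' "$act" "$iface"
        printf -- '-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
    done
}
```

The `FORWARD` rules only matter on hosts whose `FORWARD` policy is not `ACCEPT`; the commands are joined with `;` because wg-quick evaluates each hook line with bash.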

#### Saving and Verification

After finalizing the settings, click the **Update Config File** button. The dashboard will refresh to show the updated status.

Verify that the new CIDR ranges appear in the **EGRESS** column for that node. Because this is a static configuration, you must now click **View/Download config** to retrieve the updated `.conf` file and manually apply it to your device to finalize the routing path.

### Deploying Updated Configs on Local Devices

When using static WireGuard configuration files instead of the Netclient, updates made within the Netmaker dashboard do not synchronize automatically. You must manually retrieve the updated configuration and apply it to your local edge server or router to activate new egress routes or routing rules.

#### Retrieving the Updated Configuration

To begin, navigate to the **Config files** tab in the Nodes section and click on the specific node name. In the **Client Information** window that appears, select **View/Download config** at the bottom of the screen.

Copy the generated WireGuard configuration text. It is critical to verify that the `AllowedIPs`, `PostUp`, and `PostDown` lines are included, as these contain the necessary CIDR ranges and NAT masquerading rules for your egress traffic.

#### Applying Changes via the Terminal

Once you have the new configuration, access the command-line interface of your gateway node. You must replace the existing configuration file and restart the interface for the changes to take effect.

1. **Shut down the interface:** Disable the current WireGuard connection by running `wg-quick down [config_name]`.
2. **Clean the network device:** If necessary, ensure the device is fully removed by executing `ip link delete dev [config_name]`.
3. **Replace the configuration file:** Remove the outdated file using `rm /etc/wireguard/[config_name].conf`.
4. **Update the file:** Create a new configuration file at the same path using a text editor like **vim** and paste the updated content into it.
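
The steps above as one script, as an added example that is not part of the Netmaker documentation: it keeps a backup instead of deleting the old file, writes the new file with owner-only permissions because it contains the `PrivateKey`, and restores the backup if the interface fails to come up. The function name `deploy_wg_conf` and the `WG_DIR` / `WG_QUICK` overrides are assumptions; the optional `ip link delete` step is left out.

```shell
#!/bin/sh
# Added example: replace a static WireGuard config with backup and rollback.
# WG_DIR and WG_QUICK are hypothetical overrides so the function can be tried
# against a scratch directory without touching a live interface.
WG_DIR=${WG_DIR:-/etc/wireguard}
WG_QUICK=${WG_QUICK:-wg-quick}

# deploy_wg_conf NAME NEW_FILE
#   NAME      config name without ".conf" (the [config_name] in the steps)
#   NEW_FILE  file holding the text copied from View/Download config
deploy_wg_conf() {
    name=$1; new=$2
    target=$WG_DIR/$name.conf
    backup=$target.bak

    case $name in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid config name" >&2; return 2 ;;
    esac
    [ -s "$new" ] || { echo "new config is empty or missing" >&2; return 2; }

    # Stage the new content next to the target. mktemp creates the file with
    # mode 0600, so the private key is never readable by group or others.
    staged=$(mktemp "$WG_DIR/.$name.XXXXXX") || return 2
    cat "$new" > "$staged"
    chmod 600 "$staged"

    # Bring the interface down while the OLD file is still in place, so the
    # old PostDown removes the rules the old PostUp added.
    $WG_QUICK down "$name" 2>/dev/null || true

    [ -f "$target" ] && cp -p "$target" "$backup"
    mv "$staged" "$target"

    if $WG_QUICK up "$name"; then
        return 0
    fi

    echo "bring-up failed, restoring previous config" >&2
    if [ -f "$backup" ]; then
        cp -p "$backup" "$target"
        $WG_QUICK up "$name" || true
    fi
    return 1
}
```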

#### Verifying Egress Parameters

Before finalizing, inspect the file within your text editor. Confirm that the `AllowedIPs` field under the `[Peer]` section includes the remote network CIDR ranges you defined in the dashboard. Additionally, ensure the `PostUp` and `PostDown` scripts correctly reference your local network interface (e.g., `eth1`) for iptables forwarding.
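
The same inspection can be scripted. The following added example (not from the Netmaker documentation) checks the `AllowedIPs`, `PostUp` and `PostDown` lines described here and in the retrieval step, and also flags a config file that is readable by other users; the function names and every value in the sample config are constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks on a static WireGuard config before it is
# brought up. Function names and all sample values below are constructed.

sample_conf() {   # constructed config; the keys are placeholders
    cat <<'EOF'
[Interface]
Address = 10.101.0.5/32
PrivateKey = PLACEHOLDER_PRIVATE_KEY
PostUp = iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 10.101.0.0/24, 10.45.0.0/16
Endpoint = 203.0.113.10:51821
EOF
}

# check_egress_conf FILE CIDR IFACE
# Prints one finding per line and returns 1 if there is any finding.
check_egress_conf() {
    conf=$1; want_cidr=$2; iface=$3; rc=0

    # Collect AllowedIPs entries from [Peer] sections only, one per line.
    allowed=$(awk -F= '
        /^[ \t]*\[/ { sect = tolower($0); gsub(/[^a-z]/, "", sect) }
        sect == "peer" && tolower($1) ~ /^[ \t]*allowedips[ \t]*$/ {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", a[i]); print a[i] }
        }' "$conf")
    printf '%s\n' "$allowed" | grep -Fxq "$want_cidr" ||
        { echo "MISSING_ALLOWEDIP $want_cidr"; rc=1; }

    up=$(sed -n 's/^[[:space:]]*PostUp[[:space:]]*=[[:space:]]*//p' "$conf")
    down=$(sed -n 's/^[[:space:]]*PostDown[[:space:]]*=[[:space:]]*//p' "$conf")
    [ -n "$up" ] || { echo "MISSING_POSTUP"; rc=1; }
    [ -n "$down" ] || { echo "MISSING_POSTDOWN"; rc=1; }

    # Both hooks must name the expected outbound interface.
    for pair in "PostUp=$up" "PostDown=$down"; do
        case " ${pair#*=} " in
            "  ") ;;                      # absent hook, already reported
            *" -o $iface "*) ;;
            *) echo "WRONG_IFACE ${pair%%=*}"; rc=1 ;;
        esac
    done

    # PostDown must delete exactly what PostUp appended; otherwise NAT rules
    # linger or accumulate across interface restarts.
    [ "$down" = "$(printf '%s\n' "$up" | sed 's/ -A / -D /g')" ] ||
        { echo "ASYMMETRIC_HOOKS"; rc=1; }

    # The file holds the PrivateKey: group and others must have no access.
    [ "$(ls -ld "$conf" | cut -c5-10)" = "------" ] ||
        { echo "LOOSE_PERMS"; rc=1; }

    return $rc
}
```

Run it as `check_egress_conf /etc/wireguard/[config_name].conf 10.45.0.0/16 eth1`, substituting the CIDR and interface you configured; no output and exit status 0 mean every check passed.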

#### Creating New Static Configs

If you are deploying a new node rather than updating an existing one, you can use the **+ Add config file** button in the Nodes view. During the setup wizard, navigate to the **Egress (Optional)** section to define external routes and traffic forwarding rules before the file is generated for download.


