How to Add Egress
Purpose
How to Configure Egress Routes in a Netmaker Network
Introduction to Egress Networking
Egress networking is a powerful feature in Netmaker that enables secure remote access to entire local networks (LANs) through a single gateway device. This eliminates the need to install Netclient endpoints on every individual device at a remote location, such as printers, IP cameras, or legacy servers. Instead, one or more Netmaker nodes act as a router, forwarding traffic from the overlay network into the local site's infrastructure.

Core Concepts and Use Cases
By designating a node as an egress gateway, you can facilitate connectivity for various environments, including:
Office Networks: Providing remote employees access to local file shares and internal resources.
Edge and Retail Sites: Managing IoT devices or point-of-sale systems at distributed locations.
Factories: Accessing industrial equipment on specialized subnets.
Prerequisites for Egress Setup
To begin setting up egress, you must first identify the nodes that will serve as the traffic gateways. These nodes must be physically located at the site and have reachability to the local network you wish to expose.
Navigate to the Netmaker dashboard and select the appropriate network from the Networks menu.
Click on the Nodes section in the left sidebar to manage your network endpoints.

Ensure the Devices tab is selected at the top of the dashboard to view the connected hardware.
Identify the target nodes (e.g., site-linux-1 and site-linux-2) and verify their STATUS is Online. Having multiple nodes allows for redundant routing if one gateway fails.

Configuring Egress Routes for Netclient Nodes
Egress gateways allow your Netmaker network to reach remote local networks—such as office LANs, retail sites, or factory floors—using a single installed device as a router. This eliminates the need to install Netmaker endpoints on every individual device at the remote site.
Initiating the Egress Route
To begin, identify the nodes that will act as the gateway. Ensure they are online and connected to your network. Navigate to the Netmaker dashboard and select the Egress section from the left-hand sidebar menu.

Click the blue + Add route button located in the top-right corner of the dashboard.
In the Name field, enter a descriptive label for the route, such as Remote Site Network. Provide additional context in the Description field, for example, Edge Location.

Network and Routing Configuration
After naming the route, you must define the technical parameters for traffic forwarding and target addresses.
Enable NAT: Ensure the Enable NAT for egress traffic toggle is switched to the ON position. This is the standard setting for most environments unless you have established custom NAT rules manually.
Define Subnet: In the Egress field, enter the CIDR range of the local network you wish to reach (e.g., 192.168.57.0/24).

Assigning Nodes and Redundancy
Click Next to proceed to node assignment. Netmaker allows you to assign multiple nodes to a single egress route to ensure high availability.
From the Select node dropdown, choose your primary node (e.g., site-linux-1). To implement redundancy, click the + Add node button.
Select a secondary node (e.g., site-linux-2) from the additional dropdown. If the primary node fails, the secondary node will automatically take over the routing tasks for that traffic.

Access Policies and Granular IoT Routes
After defining the target network and assigning gateway nodes, Netmaker allows you to refine who can actually use these routes through access control policies. This ensures that only authorized users or groups can reach the remote infrastructure.
Configuring Egress Access Policies
By default, access can be restricted to specific user groups. Within the Create new egress route wizard, navigate to the Egress access policies step. Toggle the Users Policy switch to the Enabled position. From the Source dropdown, you can select specific groups, such as the All Networks User Group, to grant broad access to all network members.

Once the policy is defined, clicking Finish will finalize the route. A notification confirming 'Egress Route Created' will appear, and the route will be active immediately.
Adding Granular Routes for IoT Devices
Egress routes are not limited to entire subnets; they can be configured for individual IP addresses to provide granular access to specific hardware, such as an IoT camera or a single server.
Click the + Add route button on the Egress dashboard.
Provide a descriptive name and description, such as 'IoT Device On Site' and 'Camera running on site'.
In the Egress field, instead of a CIDR range, enter the specific IP address of the device (e.g., 192.168.57.45).
Assign a gateway node (e.g., site-linux-1) to handle the traffic for this specific device.
Set a more restrictive access policy if necessary. For instance, you may choose to grant access only to an 'admin' user rather than a whole group.
After clicking Finish, the new granular route will appear in the Egress tab alongside your broader network routes, allowing for precise management of remote device access.

Configuring Egress via WireGuard Static Configs
For devices where the Netclient cannot be installed—such as hardware routers or specialized IoT appliances—Netmaker allows you to configure egress routing using static WireGuard configuration files. This method involves manually defining additional network addresses and routing scripts within the dashboard before deploying the configuration to the target device.
Accessing Configuration Files
To begin, navigate to the Nodes section from the left-hand sidebar. Unlike standard nodes, static configurations are managed under a separate view.

Select the Config files tab at the top of the Nodes dashboard.
Identify the configuration file for your target device (e.g., 'edge-server').
Click the three-dot menu icon on the right and select Edit to open the Update Config File modal.
Defining Egress Networks
Once inside the configuration editor, you must define which remote networks the device should provide access to. This is handled through the Advanced Settings menu.

In the Additional Addresses (Optional) field, enter the CIDR range of the local network you wish to expose (e.g., 10.45.0.0/16). These addresses will be automatically added to the AllowedIPs section of the generated WireGuard configuration.
Implementing Routing and Forwarding Scripts
Because static WireGuard nodes do not benefit from NetClient's automated routing management, you must manually define traffic forwarding rules using Post Up and Post Down scripts. These are typically implemented via iptables to enable NAT masquerading.

Post Up: Enter the command to enable NAT for forwarded traffic when the interface starts. For example:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Post Down: Enter the command to remove the rule when the interface stops, so no stale NAT rule is left behind on the host:
iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE
Note: Replace eth1 with the actual WAN or local interface of your device.
Saving and Verification
After finalizing the settings, click the Update Config File button. The dashboard will refresh to show the updated status.

Verify that the new CIDR ranges appear in the EGRESS column for that node. Because this is a static configuration, you must now click View/Download config to retrieve the updated .conf file and manually apply it to your device to finalize the routing path.
Deploying Updated Configs on Local Devices
When using static WireGuard configuration files instead of the NetClient, updates made within the Netmaker dashboard do not synchronize automatically. You must manually retrieve the updated configuration and apply it to your local edge server or router to activate new egress routes or routing rules.
Retrieving the Updated Configuration
To begin, navigate to the Config files tab in the Nodes section and click on the specific node name. In the Client Information window that appears, select View/Download config at the bottom of the screen.

Copy the generated WireGuard configuration text. It is critical to verify that the AllowedIPs, PostUp, and PostDown lines are included, as these contain the necessary CIDR ranges and NAT masquerading rules for your egress traffic.

Applying Changes via the Terminal
Once you have the new configuration, access the command-line interface of your gateway node. You must replace the existing configuration file and restart the interface for the changes to take effect.
Shut down the interface: Disable the current WireGuard connection by running wg-quick down [config_name].
Clean the network device: If necessary, ensure the device is fully removed by executing ip link delete dev [config_name].
Replace the configuration file: Remove the outdated file using rm /etc/wireguard/[config_name].conf.
Update the file: Create a new configuration file at the same path using a text editor like vim and paste the updated content into it.

Verifying Egress Parameters
Before finalizing, inspect the file within your text editor. Confirm that the AllowedIPs field under the [Peer] section includes the remote network CIDR ranges you defined in the dashboard. Additionally, ensure the PostUp and PostDown scripts correctly reference your local network interface (e.g., eth1) for iptables forwarding.
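The inspection described here (AllowedIPs, PostUp and PostDown) and the terminal steps from the previous section, as an added shell example that is not Netmaker's own code; the interface name wg-edge, the NIC eth1, the CIDR 10.45.0.0/16 and the sample config text are assumptions:

```shell
# Added example, not Netmaker's own code. Assumed names: interface wg-edge,
# LAN-facing NIC eth1, egress CIDR 10.45.0.0/16; the sample config is constructed.
# verify_egress_config FILE CIDR IFACE -> 0 only if a [Peer] AllowedIPs list
# contains CIDR as a whole element, PostUp masquerades on IFACE and PostDown
# deletes that same rule.
verify_egress_config() {
    file=$1; cidr=$2; iface=$3
    awk -v want="$cidr" '
        /^\[/ { sect = $0 }
        sect == "[Peer]" && /^AllowedIPs/ {
            sub(/^AllowedIPs[ \t]*=[ \t]*/, "")
            n = split($0, ips, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (ips[i] == want) found = 1
        }
        END { exit found ? 0 : 1 }' "$file" \
        || { echo "no [Peer] AllowedIPs entry for $cidr" >&2; return 1; }
    grep -Eq "^PostUp *= *iptables -t nat -A POSTROUTING -o $iface -j MASQUERADE" "$file" \
        || { echo "PostUp does not masquerade on $iface" >&2; return 1; }
    grep -Eq "^PostDown *= *iptables -t nat -D POSTROUTING -o $iface -j MASQUERADE" "$file" \
        || { echo "PostDown does not remove the $iface MASQUERADE rule" >&2; return 1; }
}

# Constructed stand-in for the text shown by View/Download config.
sample_config() {
    cat <<'EOF'
[Interface]
PrivateKey = <redacted>
Address = 10.10.10.5/32
PostUp = iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE

[Peer]
PublicKey = <redacted>
AllowedIPs = 10.10.10.0/24, 10.45.0.0/16
EOF
}

# The guide's install sequence; run as root on the gateway only after the
# checks pass. NAT alone does not forward packets: ip_forward must also be on.
apply_config() {
    name=$1; newfile=$2
    wg-quick down "$name" 2>/dev/null || true
    ip link delete dev "$name" 2>/dev/null || true
    rm -f "/etc/wireguard/$name.conf"
    install -m 600 "$newfile" "/etc/wireguard/$name.conf"
    wg-quick up "$name"
}
tmp=$(mktemp); sample_config > "$tmp"
verify_egress_config "$tmp" 10.45.0.0/16 eth1 && echo "config OK: apply_config wg-edge $tmp"
```

Run the verification against the file you pasted from the dashboard before calling apply_config, so a config missing the CIDR or pointing PostUp at the wrong NIC is never installed.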

Creating New Static Configs
If you are deploying a new node rather than updating an existing one, you can use the + Add config file button in the Nodes view. During the setup wizard, navigate to the Egress (Optional) section to define external routes and traffic forwarding rules before the file is generated for download.
