Getting ziti-edge-tunnel working on RHEL 8

My NACL and Security Groups do allow 443, so I don't think that's a problem here.

Does ziti-router manage ufw rules on the router host? e.g. my SG rules allow 443, 80 from the world, and there is no mention of 8081 in my SG rules, although I do see 8081 in my ufw rules, which is the port I see being used by the edge router for health checks.

Hi Everyone & @av-dev

I believe I understand your issue. The NetFoundry auto registration script will only auto open 443 inbound from the local subnet. If you wish to allow other subnets you would need to add additional firewall rules. Assuming you’d like to add the subnet 192.168.1.0/24, you can use a command like this:

sudo ufw allow from 192.168.1.0/24 to any port 443 proto tcp

aaha! thanks a ton @emoscardini

I was blocked for a day for being “overly enthusiastic!” :)

@emoscardini by any chance, is the logic to auto-open 443 to the local subnet only driven by the “listener” flag in the console? When my colleague set up a second router with “listener” on, 443 on that router was open to the world.

Hi @av-dev

The “listener” function is for those who intend to make the ER they launch publicly accessible.

When Disabled

  • Default - Will use the local IP assigned to the interface and will only listen on port 443 for EDGE connections from the local subnet.

When Enabled

  • Will use the external IP and will listen on 443 for EDGE connections from anywhere.
  • Will use the external IP and will listen on port 80 / 6262 for FABRIC connections from anywhere.

You can read more about it here: https://support.netfoundry.io/hc/en-us/articles/360034337892-How-to-Register-the-Edge-Router-VM

Hope that helps!

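The two answers above come down to one question a practitioner wants to settle quickly on the router host: which sources does ufw currently allow to reach 443 (and the other ports), and what rule do I add for an extra subnet? The following is an added example, not code from this thread or from NetFoundry's registration script. It parses the output of `sudo ufw status` (the sample below is constructed to look like the default registration described by emoscardini, with 443/tcp open only from an assumed local subnet 10.0.1.0/24, and 8081 open from anywhere; it is not captured from a real host), answers "is port X reachable from source Y" according to that ruleset, and emits the `ufw allow` command from the reply above for any additional subnet you want to permit.

```shell
#!/bin/sh
# Added example: audit ufw allow rules the way the thread discusses, offline.
# SAMPLE_UFW_STATUS is CONSTRUCTED to resemble `sudo ufw status` after the
# default (listener disabled) registration: 443/tcp from the local subnet only.
# The subnet 10.0.1.0/24 is an assumption, not a value from the thread.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       10.0.1.0/24
8081                       ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# Print every source that ufw ALLOWs to reach port $1 (e.g. 443), one per line.
# Reads `ufw status` text on stdin. Matches "443" and "443/tcp" rows, accepts
# both the "ALLOW" and the "ALLOW IN" (status verbose) spellings, and ignores
# IPv6 rows, whose first field is followed by "(v6)" rather than an action.
ufw_sources_for_port() {
    awk -v port="$1" '
        $2 == "ALLOW" && ($1 == port || $1 == port "/tcp") {
            src = ($3 == "IN") ? $4 : $3
            print src
        }'
}

# Exit 0 if port $1 is reachable from source $2 under the rules on stdin,
# i.e. the source is listed explicitly or the port is open to "Anywhere".
# Fixed-string matching so the dots in a CIDR are not regex wildcards.
ufw_port_open_from() {
    ufw_sources_for_port "$1" | grep -qxF -e "Anywhere" -e "$2"
}

# Produce the rule from the reply above for one extra subnet. Only a
# dotted-quad/prefix shape is accepted; anything else is rejected so a typo
# does not turn into an over-broad rule.
ufw_rule_for_subnet() {
    case "$1" in
        ""|*[!0-9./]*) echo "invalid subnet: '$1'" >&2; return 1 ;;
    esac
    echo "ufw allow from $1 to any port 443 proto tcp"
}

# Demonstration on the constructed sample.
echo "Sources allowed to 443:"
echo "$SAMPLE_UFW_STATUS" | ufw_sources_for_port 443
if echo "$SAMPLE_UFW_STATUS" | ufw_port_open_from 443 192.168.1.0/24; then
    echo "443 already open from 192.168.1.0/24"
else
    echo "443 NOT open from 192.168.1.0/24; run: sudo $(ufw_rule_for_subnet 192.168.1.0/24)"
fi
```

On a live router, replace the constructed text with `sudo ufw status | ufw_port_open_from 443 <client-subnet>`. With the listener flag enabled the router also listens on 80 and 6262, so the same check against those ports tells you whether the host firewall, rather than the cloud security group, is what is blocking fabric connections.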