New install help - ziti edge router is not available

Hello!

I went through the basic Linux deployment guide and installed the controller and console on one Linux server, and the router on another.
The external firewall has 1280 forwarded to the controller and 3022 forwarded to the router.

Router shows up as connected in the admin console.
Added 2 Desktop Edge Clients and set up a couple of services (RDP and HTTPS).
(One is remote, one is on the same subnet as the router and controller.)

Both are showing errors in the log saying they can't connect to the router
(but they do show as connected, and show that 2 services are available).

Guessing I missed a step somewhere, any tips on where to start looking?


Hi @justin-lo, welcome to the community and to OpenZiti! (and zrok and BrowZer),

I am 90% certain the "advertised" address from the router is likely incorrect. All OpenZiti components need to be able to address at least one controller and one edge-enabled router. Easily the most common mistake is for the router's advertised address to be wrong in this situation.

Open your router's config file, find the "edge" binding, and look at its "advertise" address. Here's an example from one of my routers:

listeners:
# bindings of edge and tunnel requires an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:8442
    options:
      advertise: ec2-3-18-113-172.us-east-2.compute.amazonaws.com:8442

The 'advertise' address there must be addressable by your clients. I suspect it's incorrect.

Cheers

Thanks, mine seems to be right.
DNS resolves the advertise hostname, and the port is open from both machines.

"No edge routers are assigned and online to handle the requested connection"
Do I need to assign the router to this service?
I don't see either machine actually trying to connect to the advertise fqdn of the router at all.

Ah. Ok. The "production" install doesn't currently generate the policies needed to authorize identities and routers. That's no problem, it's really easy... I'd recommend you run the following:

Add service policies

# Allow all identities to use any edge router with the "public" attribute
ziti edge create edge-router-policy all-endpoints-public-routers --edge-router-roles "#public" --identity-roles "#all"

# Allow all edge-routers to access all services
ziti edge create service-edge-router-policy all-routers-all-services --edge-router-roles "#all" --service-roles "#all"
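The bootstrap described in the reply above, written out as an added example (not code from this thread or from the OpenZiti project). It runs the two policy commands from the reply, adds the router-tagging step that the `#public` role needs in order to match anything, and finishes with a policy-advisor check so you can see whether an identity now has an online router for its services. The router name `edge-router-1` and identity name `laptop` are placeholders; `ziti edge update edge-router` and `ziti edge policy-advisor` are standard ziti CLI subcommands that the thread itself does not mention. Set `ZITI=echo` for a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenZiti project: the policy
# bootstrap from the reply above as a re-runnable script, plus the router
# tagging the original poster had to add and a policy-advisor check.
#
# Assumptions (placeholders, not names from the thread): the router is
# "edge-router-1" and the identity to verify is "laptop". ZITI can point at
# another binary, e.g. ZITI=echo for a dry run that only prints the commands.
set -eu

ZITI="${ZITI:-ziti}"

# 1. Give the router the "public" attribute so that "#public" in the
#    edge-router-policy below actually matches it. Without this the policy
#    exists but selects no routers, and clients keep reporting
#    "No edge routers are assigned and online".
tag_router_public() {
    "$ZITI" edge update edge-router "$1" --role-attributes public
}

# 2. Identity -> router authorization: which routers an identity may use.
#    (Same command as in the reply above.)
create_edge_router_policy() {
    "$ZITI" edge create edge-router-policy all-endpoints-public-routers \
        --edge-router-roles '#public' --identity-roles '#all'
}

# 3. Service -> router authorization: which routers may carry which services.
#    (Same command as in the reply above.)
create_service_edge_router_policy() {
    "$ZITI" edge create service-edge-router-policy all-routers-all-services \
        --edge-router-roles '#all' --service-roles '#all'
}

# 4. Check: the policy advisor lists, for an identity, each service it is
#    allowed to dial and whether identity and service share an online edge
#    router. If it reports no common online router, one of the three steps
#    above is missing or the router is not actually connected.
check_identity() {
    "$ZITI" edge policy-advisor identities "$1"
}

apply_all() {
    tag_router_public "$1"
    create_edge_router_policy
    create_service_edge_router_policy
    check_identity "$2"
}

# Only act when asked, so the file can also be sourced for its functions:
#   ZITI_APPLY=1 sh router-policies.sh edge-router-1 laptop
if [ "${ZITI_APPLY:-0}" = "1" ]; then
    apply_all "${1:-edge-router-1}" "${2:-laptop}"
fi
```

Both policies are deliberately wide open (`#all` everywhere) because that is what the reply recommends for a first install; once the tunnel works, tightening `--identity-roles` and `--service-roles` to narrower attributes is the least-privilege follow-up.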

There's also a GitHub issue for discussing this pain point (default router policies): default router policies unless init --no-router-policies · Issue #1522 · openziti/ziti · GitHub


Thanks!
Ran your commands and added #public to my router, and I'm up and running!