New install help - ziti edge router is not available

justin-lo · August 19, 2024, 3:49am

Hello!

I went through the basic linux deployment guide and installed the controller and console on one linux server, and the router on another.
external firewall has 1280 forwarded to the controller and 3022 forwarded to the router.

Router shows up as connected in the admin console.
Added 2 Desktop Edge Clients and setup a couple services (RDP and HTTPS)
(One remote, one on the same subnet as the router and controller)

Both are showing errors in the log saying they can't connect to the router.
(but they do show they are connected, and show 2 services are available)

Guessing I missed a step somewhere, any tips on where to start looking?

TheLumberjack · August 19, 2024, 12:41pm

Hi @justin-lo, welcome to the community and to OpenZiti! (and zrok and BrowZer),

I am 90% certain the "advertised" address from the router is likely incorrect. All OpenZiti components need to be able to address at least one controller and one edge-enabled router. Easily the most common mistake is for the router's advertised address to be wrong in this situation.

Open your router's config file and find the "edge" binding and find the "advertised" address. Here's an example of one of my routers:

listeners:
# bindings of edge and tunnel requires an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:8442
    options:
      advertise: ec2-3-18-113-172.us-east-2.compute.amazonaws.com:8442

The 'advertise' address there must be addressable by your clients. I suspect it's incorrect.

Cheers

justin-lo · August 19, 2024, 2:34pm

Thanks, mine seems to be right,
DNS resolves the advertise hostname and the port is open for both machines.

"No edge routers are assigned and online to handle the requested connection"
Do I need to assign the router to this service?
I don't see either machine actually trying to connect to the advertise fqdn of the router at all.

TheLumberjack · August 19, 2024, 2:36pm

Ah. Ok. The "production" install doesn't currently generate the policies needed to authorize identities and routers. That's no problem, it's really easy... I'd recommend you run the following:

Add service policies

# Allow all identities to use any edge router with the "public" attribute
ziti edge create edge-router-policy all-endpoints-public-routers --edge-router-roles "#public" --identity-roles "#all"

# Allow all edge-routers to access all services
ziti edge create service-edge-router-policy all-routers-all-services --edge-router-roles "#all" --service-roles "#all"

qrkourier · August 19, 2024, 2:39pm

There's also a GitHub issue for discussing this pain point (default router policies): default router policies unless init --no-router-policies · Issue #1522 · openziti/ziti · GitHub

justin-lo · August 19, 2024, 3:04pm

Thanks!
Ran your command and added #pulbic to my router and I'm up and running!

Topic		Replies	Views
Installing an edge router on a different compute Ziti Overlay	1	226	June 12, 2022
Setup new edge router on a separate host Ziti Overlay	11	633	January 17, 2023
Howto Install Router Support	18	335	May 15, 2024
Ziti fabric list links not showing other connections Ziti Overlay	9	28	October 3, 2024
Can I connect my Ubuntu AWS instance and have it communicate with my host Windows Machine? General Questions	4	77	April 16, 2024

New install help - ziti edge router is not available

Add service policies

Related topics