
[Bug]: NETMAKER-ACL-IN nftables chain blocks all traffic in Community Edition #3807

@bobrock

Description

Netclient creates restrictive nftables rules in the NETMAKER-ACL-IN chain that block all traffic except DNS (port 53), even when no ACL deny rules are configured. This prevents nodes from communicating over the mesh network.

Environment

  • Netmaker Server: Self-hosted (netmaker.bobrock.net)
  • Netclient Version: v1.2.0
  • Edition: Community Edition

Node 1 (Raspberry Pi)

  • OS: Debian 13 (trixie), aarch64
  • Firewall: nftables
  • Mesh IP: 10.10.19.2

Node 2 (macOS)

  • OS: macOS 26.1
  • Mesh IP: 10.10.19.1

Problem

After netclient pull, the following nftables rules are created on the Linux node:

```
chain NETMAKER-ACL-IN {
    iifname "netmaker" @nh,72,8 0x11 th dport 53 accept   # Only DNS UDP
    iifname "netmaker" th dport 0 accept                   # Port 0 (nothing)
    iifname "netmaker" counter packets 3 bytes 252 drop    # DROP everything else
}
```

Symptoms

  1. WireGuard handshake completes successfully (wg show shows peer with recent handshake)
  2. Bidirectional traffic at WireGuard layer (bytes sent/received)
  3. But ping and SSH over mesh IPs fail (ICMP dropped by nftables)
  4. counter packets X bytes Y drop shows traffic being blocked

Steps to Reproduce

  1. Install netmaker server (Community Edition)
  2. Create network with default settings
  3. Join two nodes using enrollment keys
  4. Run netclient pull on both nodes
  5. Try to ping between nodes using mesh IPs
  6. Check nftables: sudo nft list chain inet filter NETMAKER-ACL-IN

Workaround

Manually flushing the ACL chain restores connectivity:

```
sudo nft flush chain inet filter NETMAKER-ACL-IN
sudo nft add rule inet filter NETMAKER-ACL-IN accept
```

However, this is reset after every netclient pull or service restart.

Expected Behavior

With no explicit ACL deny rules configured, nodes should be able to communicate freely (default full mesh behavior as documented).

Related Issues

- #3020 - Default node-level ACL Rule not working
- #2383 - Egress node doesn't pass traffic

Questions

1. Is there a way to disable ACL firewall management in Community Edition?
2. Is this related to the "New ACLs (Pro)" feature being partially enforced in CE?
3. Is there a firewallinuse setting to disable nftables rule creation?

---

## Discord Message (Shorter Version)

Join: https://discord.com/invite/zRb9Vfhk8A

Hey! Running into an issue with netclient v1.2.0 on Community Edition.

Problem: Nodes can't ping each other despite successful WireGuard handshake.

Cause: The NETMAKER-ACL-IN nftables chain blocks all traffic except DNS:
- iifname "netmaker" th dport 53 accept (only DNS)
- iifname "netmaker" counter drop (everything else dropped)

Setup:
- Self-hosted Netmaker server
- 2 nodes: Raspberry Pi (Debian 13) + macOS
- Both show "connected" and WireGuard handshake works
- But ICMP/TCP gets dropped by nftables ACL rules

Workaround: sudo nft flush chain inet filter NETMAKER-ACL-IN && sudo nft add rule inet filter NETMAKER-ACL-IN accept - but this resets after every pull.

Is there a way to disable ACL firewall enforcement in CE? Or set the network default to ALLOW? The dashboard doesn't seem to have ACL options in Community Edition.

Related to #3020?
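A small audit script, added here as an example and not taken from the issue or from the Netmaker project, that checks an `nft list chain` dump of NETMAKER-ACL-IN for the state the report describes: only port-scoped accepts followed by a catch-all drop. The two chain dumps are constructed samples (the reported chain, and the same chain after the workaround); on a live node pass the output of `sudo nft list chain inet filter NETMAKER-ACL-IN` instead.

```shell
#!/bin/sh
# Added audit helper (not from the issue or the Netmaker project). It reads an
# `nft list chain` dump of NETMAKER-ACL-IN and reports whether the chain is in
# the state the report describes: only port-scoped accepts, then a catch-all drop.

# Constructed sample: the chain as quoted in the report.
BLOCKING_CHAIN='table inet filter {
  chain NETMAKER-ACL-IN {
    iifname "netmaker" @nh,72,8 0x11 th dport 53 accept
    iifname "netmaker" th dport 0 accept
    iifname "netmaker" counter packets 3 bytes 252 drop
  }
}'

# Constructed sample: the same chain after the workaround (flush, then add rule accept).
OPEN_CHAIN='table inet filter {
  chain NETMAKER-ACL-IN {
    accept
  }
}'

# acl_chain_blocks_mesh CHAIN_TEXT
# Returns 0 (true) when CHAIN_TEXT has no broad accept and contains a drop that
# is qualified by nothing more specific than the interface; returns 1 otherwise.
acl_chain_blocks_mesh() {
  chain="$1"
  # An accept with no port, address or protocol qualifier counts as "broad".
  broad_accepts=$(printf '%s\n' "$chain" | grep -E 'accept' \
    | grep -cvE 'dport|sport|saddr|daddr|l4proto|@nh' || true)
  # A drop with no port, address or protocol qualifier is a catch-all.
  catchall_drops=$(printf '%s\n' "$chain" | grep -E 'drop' \
    | grep -cvE 'dport|sport|saddr|daddr|l4proto|@nh' || true)
  [ "$broad_accepts" -eq 0 ] && [ "$catchall_drops" -gt 0 ]
}

# Prints a one-line verdict for a chain dump.
report_chain() {
  if acl_chain_blocks_mesh "$1"; then
    echo "NETMAKER-ACL-IN: catch-all drop with no broad accept; mesh traffic will be dropped"
  else
    echo "NETMAKER-ACL-IN: broad accept present or no catch-all drop"
  fi
}

report_chain "$BLOCKING_CHAIN"
report_chain "$OPEN_CHAIN"
```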
