I have a functional MetalLB installation on a k8s cluster, with public IPs working from the public interface as expected.
On the other hand, I have some 172.18.6.xx addresses given to internal services that would be useful to access over the L3 network. k8s is installed bound to interface wg0,
with nodes in 172.18.6.10-20, and some external IPs given to services on .150-200;
the master is connected to the LAN, which is on .220-230. The external IPs are accessible from within the cluster:

```
curl 172.18.6.150
```

works. However, from the rest of the LAN, say workstation 172.18.6.220, which is connected to the master via interface wg0, there is no response. The traffic does reach the master, though, and is visible in tcpdump on the master:

```
14:33:28.133681 wg0 In IP 172.18.6.120.32984 > 172.18.6.150.http: Flags [S], seq 406428854, win 64860, options [mss 1380,sackOK,TS val 1873125555 ecr 0,nop,wscale 7], length 0
14:33:29.237091 wg0 In IP 172.18.6.150.42564 > 172.18.6.150.http: Flags [S], seq 90733823, win 64860, options [mss 1380,sackOK,TS val 1873126658 ecr 0,nop,wscale 7], length 0
```

Conntrack shows no reply sent:

```
# conntrack -E | grep 172.18.6.150
[NEW] tcp 6 120 SYN_SENT src=172.18.6.122 dst=172.18.6.150 sport=48180 dport=80 [UNREPLIED] src=172.18.6.150 dst=PUBLIC_IP sport=80 dport=48180
```

How would I get a reply here? This is L2 mode. The interface wg0 is L3 (WireGuard); does this pose a problem?
I saw a note to the effect "layer 2 mode relies on ARP and NDP, the client must be on the same subnet of the nodes announcing the service in order for MetalLB to work".
Does this mean that outside the cluster I have no luck with the L2 addresses over WireGuard?
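The note quoted above is the crux: MetalLB's layer 2 mode answers ARP (IPv4) or NDP (IPv6) requests for the service IP, so the announcing node's interface must be able to send and receive those at all. A quick way to tell whether a given interface can, before digging into conntrack, is to look at the link flags `ip link show` prints. The script below is an added example, not part of the original post or of MetalLB itself; it parses the header line of `ip link show` for an interface and reports whether ARP/NDP can work on it. The two sample lines for `eth0` and `wg0` are constructed for the example; on a real node the function falls back to running `ip link show` on the named interface.

```shell
#!/bin/sh
# Constructed sample of `ip link show` output (not taken from the original post).
# A WireGuard link carries POINTOPOINT and NOARP and has no link-layer address
# ("link/none"), while an Ethernet link carries BROADCAST and a MAC address.
SAMPLE_LINKS='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none'

# l2_capable IFACE [TEXT]
# Prints "yes" when the interface header line has BROADCAST and not NOARP,
# i.e. ARP/NDP can be exchanged on it and MetalLB layer 2 announcements can
# reach clients on that segment; prints "no" otherwise (or when the interface
# is not found). TEXT is optional `ip link show` output; if omitted, the
# command is run for the interface.
l2_capable() {
    iface=$1
    text=${2:-$(ip link show "$iface" 2>/dev/null)}
    # Keep only the "N: IFACE: <FLAGS> ..." header line for this interface.
    hdr=$(printf '%s\n' "$text" | grep -E "^[0-9]+: $iface(@[^:]*)?: " || true)
    case $hdr in
        *NOARP*)     echo no ;;   # kernel will not do ARP/NDP on this link
        *BROADCAST*) echo yes ;;  # broadcast-capable link: ARP/NDP possible
        *)           echo no ;;   # unknown interface or no broadcast flag
    esac
}

# Usage: report both interfaces from the constructed sample.
for i in eth0 wg0; do
    printf '%s: layer 2 mode usable = %s\n' "$i" "$(l2_capable "$i" "$SAMPLE_LINKS")"
done
```

Run it on the master with `l2_capable wg0` (no second argument) to check the live link. A "no" for the interface the clients come in through is consistent with the quoted note: the nodes can still answer ARP on their own Ethernet segment, but there is nothing to answer with on a NOARP point-to-point tunnel.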