Flannel CNI on Hetzner Robot

The default firewall rules applied by Hetzner Robot (Hetzner's dedicated server service) do not play well with Flannel (the default CNI in k3s). The problem shows up as intermittent failures of connections from pods to hosts outside the cluster.

By default, the rule allowing incoming TCP ACKs is limited to destination ports 32768-65535. Change the range to 0-65535 to use Flannel.

The Linux kernel by default uses the range 32768 to 60999 (check: cat /proc/sys/net/ipv4/ip_local_port_range) for client TCP connections. However, iptables, when using the flag --random or --random-fully, replaces the source TCP port when doing the SNAT with any unassigned port, and it doesn't have to be in that range. Flannel uses that flag to do SNAT.
- Manuel Buil
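The mismatch above is easy to check for on a node before it turns into flaky egress. The following is an added example, not code from the post or from the Flannel or k3s projects: it parses constructed iptables-save style NAT output for SNAT/MASQUERADE rules carrying --random or --random-fully, then compares the host firewall's allowed-ACK port range with the port range the NAT port allocator may draw from. The allocator range 1024-65535 (used when the original source port is 1024 or higher) is an assumption about upstream netfilter behaviour, not something the post states; the sample rules and ranges are constructed.

```python
"""Check whether a host firewall's "allow incoming TCP ACK to ports X-Y" rule
covers the source ports a --random/--random-fully SNAT rule can pick."""
import re

# Constructed sample of what `iptables-save -t nat` might print on a k3s node.
# The first rule is the kind Flannel installs; the second is a plain SNAT.
SAMPLE_NAT_TABLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.42.0.0/16 ! -d 10.42.0.0/16 -j MASQUERADE --random-fully
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j SNAT --to-source 203.0.113.7
COMMIT
"""

# Ranges from the post: the Hetzner Robot default and the suggested fix.
DEFAULT_ACK_RANGE = (32768, 65535)
FIXED_ACK_RANGE = (0, 65535)

# Assumption (netfilter behaviour, not stated in the post): with --random or
# --random-fully the NAT port allocator chooses from 1024-65535 when the
# original source port is >= 1024, i.e. for normal ephemeral client ports.
NAT_ALLOCATOR_RANGE = (1024, 65535)

POSTROUTING_RULE = re.compile(r"^-A POSTROUTING .*-j (?:MASQUERADE|SNAT)(?P<opts>.*)$")


def random_snat_rules(nat_table: str) -> list[str]:
    """Return POSTROUTING SNAT/MASQUERADE rules that randomise the source port.

    "--random" matches both --random and --random-fully, which is intended:
    either flag can leave the ephemeral port range.
    """
    found = []
    for line in nat_table.splitlines():
        m = POSTROUTING_RULE.match(line.strip())
        if m and "--random" in m.group("opts"):
            found.append(line.strip())
    return found


def uncovered_ports(allowed: tuple[int, int], needed: tuple[int, int]) -> list[tuple[int, int]]:
    """Sub-ranges of `needed` that the firewall's `allowed` range does not cover."""
    gaps = []
    if needed[0] < allowed[0]:
        gaps.append((needed[0], min(needed[1], allowed[0] - 1)))
    if needed[1] > allowed[1]:
        gaps.append((max(needed[0], allowed[1] + 1), needed[1]))
    return gaps


def blocked_fraction(allowed: tuple[int, int], needed: tuple[int, int]) -> float:
    """Share of allocator ports whose return traffic (SYN-ACK, ACK) the firewall drops.

    Assumes the allocator picks uniformly within `needed`, which is what
    --random-fully is meant to approximate; this is the "intermittent" failure rate.
    """
    total = needed[1] - needed[0] + 1
    blocked = sum(hi - lo + 1 for lo, hi in uncovered_ports(allowed, needed))
    return blocked / total


def audit(nat_table: str, allowed_ack_range: tuple[int, int]) -> dict:
    """Combine both checks: only a randomising SNAT rule makes the gap matter."""
    rules = random_snat_rules(nat_table)
    gaps = uncovered_ports(allowed_ack_range, NAT_ALLOCATOR_RANGE) if rules else []
    return {
        "random_snat_rules": rules,
        "uncovered_ports": gaps,
        "blocked_fraction": blocked_fraction(allowed_ack_range, NAT_ALLOCATOR_RANGE) if rules else 0.0,
    }


if __name__ == "__main__":
    for name, rng in (("default", DEFAULT_ACK_RANGE), ("fixed", FIXED_ACK_RANGE)):
        result = audit(SAMPLE_NAT_TABLE, rng)
        print(f"{name} rule {rng}: uncovered={result['uncovered_ports']} "
              f"blocked_fraction={result['blocked_fraction']:.3f}")
```

With the default rule the audit reports ports 1024-32767 as uncovered, roughly half of what the allocator can choose, which matches the "intermittent" symptom in the post; with the 0-65535 rule the gap list is empty. On a real node, feed the function the output of iptables-save -t nat instead of the constructed sample.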