.svg){kind=icon}
Mastering ACLs in Netmaker
When you first spin up a network in Netmaker every node can reach every other node. That “full mesh” is great for a lab, but it is too trusting for production. A single mis-configured service can expose the whole overlay. That is where Access Control Lists (ACLs) step in. The ACL engine lets you decide - at packet speed - who may talk to whom, without touching raw WireGuard configs. In this guide you will learn how the pieces fit together and how to move from an open mesh to a network that shares only what it must.
The core idea: allow what you need, deny the rest
The ACL screen in the dashboard shows every pair of peers as a switch you can flip. Behind the UI, Netmaker writes new peer sections into each node’s WireGuard interface, then distributes them over MQTT, so changes reach the edge in seconds. Because ACLs apply on every host, they work even when routes change or relays hide the real endpoint.
Two policy types, one goal
If you use Netmaker Pro you also get the new ACL engine. It adds user policies (what a person can touch) and resource policies (what a device can reach) . Think of user policies as badges at the door and resource policies as locks between rooms. The split lets you grant a DevOps engineer SSH to a database without opening the database to every VM in the subnet.
Default rules that save you from yourself
Every fresh network ships with four default rules - All Nodes, All Users, All Remote Access Gateways and Network Admin - so the mesh is usable before you start hardening it. Delete or disable those rules the moment you are ready to shape traffic.
On top of network-wide defaults, each node carries its own node-level default. Set a sensitive server to “deny” and it will ignore unsolicited peers even if the network default is “allow”. Flip the logic for a jump-box: mark it “allow” in an otherwise locked-down network and every laptop can route through it.
A first rule in practice
Suppose you have created a network in the setup wizard and installed netclient on two VMs. You want the app server to reach the database, but nothing else to talk to the database. In the ACL tab pick the app server as source and the database as destination, click Enable, and save. Netmaker pushes an update; seconds later the app works, a ping from anywhere else times out.
Prefer the command line? nmctl acl allow mynet app-id db-id does the same thing. The CLI is handy for CI pipelines or when the UI is behind a jump host.
Taming scale with tags
Manually listing every node pair gets old fast. Tags fix that. With tag management you label nodes “prod”, “dev”, or “web-tier” during enrollment, then write a single rule that says “prod ↔ db” and never touch it again . Tags travel with the node, so a container rebuilt by your orchestrator inherits its old privileges the moment it rejoins the mesh.
Gateways, relays and ACLs
Mesh networking is rarely flat. A host behind carrier-grade NAT may need a relay server; road warriors will pass through an internet gateway. ACLs sit above all that plumbing. Whether traffic is direct, relayed or full-tunnelled, the kernel still checks the peer list generated by the ACL engine before a byte crosses the interface.
Observe and iterate
Good policies start simple and tighten over time. Netmaker Pro gives you traffic analytics so you can watch which peers actually exchange data. Drop an unused rule and confirm that bytes stop flowing; if an alert fires, re-enable with one click.
Automate everything
Policies live in the server database, so you can script them. The REST API exposes every ACL endpoint. Check your rules into Git, lint them in CI, then call the API from your deploy job. For local experiments, the nmctl binary is enough.
Bring people on board safely
Before you invite colleagues, review user roles and the grant-access guide. Give admins the keys to the ACL page; give regular users a Remote Access Gateway that is already fenced off. If you need extra isolation, create a second network as shown in the network setup overview and keep production apart from staging.
Next steps
- Try the full-mesh tutorial to see ACLs in a multi-site scenario.
- Browse the complete features list to learn what else you can layer on top.
- Pull the Netmaker source or the netclient source if you want to audit the code that writes your rules.
- When you are ready for production support, start a free trial.
ACLs do not add complexity; they remove uncertainty. Start with one rule, watch the effect, and keep going until every packet has a purpose.
‍
.svg)