Ping a container from calico host

I currently have two virtual machines running Calico. I run calico/node with calicoctl node run, and configure them so they peer with each other.

# Node 1
calicoctl node run --ip 192.168.1.16 --name nomad1 --as 64566
# Node 2
calicoctl node run --ip 192.168.1.17 --name nomad2 --as 64567

# ... configure them to peer with each other

# calicoctl node status in node 1
Calico process is running.

IPv4 BGP status
+--------------+-------------------+-------+----------+-------------+
| PEER ADDRESS |     PEER TYPE     | STATE |  SINCE   |    INFO     |
+--------------+-------------------+-------+----------+-------------+
| 192.168.1.17 | node-to-node mesh | up    | 13:54:09 | Established |
+--------------+-------------------+-------+----------+-------------+

IPv6 BGP status
No IPv6 peers found.

From the node status on nodes 1 and 2, both have BGP peering established. I then created a new IP pool with outgoing NAT enabled and IP-IP encapsulation set to cross-subnet only. So far each node can ping external IP addresses (I guess thanks to the outgoing NAT), and they can ping each other. However, containers that were started on node nomad1 cannot be pinged from the nomad2 host, but can be pinged from containers inside nomad2. How can I make it so that all container IP addresses are accessible through each Calico node? Do I need to peer my physical router with iBGP to be able to do this?

As a side note, I use Calico with Nomad instead of Kubernetes. It seems to be working with CNI. I don’t know if it’s completely supported though. But my goal is to add a load balancer outside, on each Nomad node (which has Calico), so containers can be load balanced through haproxy.

Thank you in advance.
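For reference, the IP pool described in the post, written as a calicoctl v3 resource. This is an added example, not configuration from the original post: the pool name and the container CIDR are assumptions, since the post only says the pool has outgoing NAT enabled and IP-IP encapsulation set to cross-subnet.

```yaml
# Added example, not from the original post. Pool name and CIDR are
# assumptions; the post only states natOutgoing and cross-subnet IPIP.
# Apply with:  calicoctl apply -f ippool.yaml
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: nomad-pool          # assumed name
spec:
  cidr: 10.244.0.0/16       # assumed container CIDR
  ipipMode: CrossSubnet     # encapsulate only when the two nodes are on different subnets
  natOutgoing: true         # SNAT container traffic that leaves the pool (reaches external IPs)
```

Note that `natOutgoing` only affects traffic leaving the pool; it has no bearing on whether a host can reach a container, which is decided by the policy and profiles applied to the workload endpoint.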

Turns out I can get it working after adding a GlobalNetworkPolicy that allows all traffic, ingress or egress. It seems that the network policy by default blocks all traffic from outside.
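The allow-everything policy the poster describes, beside a narrower alternative that keeps the deny-by-default behaviour and only opens what the stated goal needs (host reachability and an haproxy on the node). Both are added examples, not resources from the original post: the policy names, the host subnet 192.168.1.0/24 (inferred from the node IPs 192.168.1.16 and .17) and the backend port 80 are assumptions.

```yaml
# Added example, not from the original post.
# Option A: what the post describes. Selects every workload endpoint and
# allows all ingress and egress, which removes the fail-safe default entirely.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-all           # assumed name
spec:
  order: 1000
  selector: all()
  types:
  - Ingress
  - Egress
  ingress:
  - action: Allow
  egress:
  - action: Allow
---
# Option B (added alternative, assumptions marked): keep default deny and
# allow only ICMP and the load-balanced TCP port from the host subnet.
# Use this instead of Option A, not alongside it: with both present, a
# packet that misses these rules falls through to allow-all at order 1000.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-host-to-workload   # assumed name
spec:
  order: 100                     # lower order is evaluated first
  selector: all()
  types:
  - Ingress
  - Egress
  ingress:
  - action: Allow                # lets the Calico hosts ping the containers
    protocol: ICMP
    source:
      nets:
      - 192.168.1.0/24           # assumed host subnet
  - action: Allow                # haproxy on the node reaching the backends
    protocol: TCP
    source:
      nets:
      - 192.168.1.0/24           # assumed host subnet
    destination:
      ports:
      - 80                       # assumed backend port
  egress:
  - action: Allow                # outbound left open here; tighten the same way if needed
```

Apply the chosen file with `calicoctl apply -f <file>.yaml`, then repeat the ping from the nomad2 host; `calicoctl get globalnetworkpolicy -o yaml` shows what is in effect. Option B answers the thread's own finding that everything is blocked unless instructed otherwise: it instructs Calico precisely, rather than switching the default off.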

> It seems that the network policy by default blocks all traffic from outside.

Yes, I think this is correct for any env that isn’t k8s. The intent is to “fail safe” by blocking everything unless instructed otherwise.