# general
a
t
That seems more like configurations in rancher-nodes. This is for nodes in a cluster that is administered by Rancher. That cluster is separated from rancher cluster.
h
you still need to open appropriate firewall ports for downstream clusters - rancher is not going to modify firewall ports
this doc has inbound rules for k3s: https://docs.k3s.io/installation/requirements?_highlight=firewa#inbound-rules-for-k3s-nodes If you are running RKE2 or RKE1, you will find similar doc for them
t
Maybe you are right, I don't get everything you are writing. But just to clarify. I have my rancher cluster and I have another cluster. Maybe that is called downstream cluster. It is made of 3 nodes, 2 nodes have ufw disabled and 1 has ufw enabled. If my cluster agent is running on the pod with ufw enabled it says: ERROR: https://[my hostname].internal/ping is not accessible (Could not resolve host: [my hostname].internal) If I disable ufw on that node it starts working. I have found some posts that experience the same problem and they are talking about: dnsPolicy: ClusterFirst Which seems to be what the cluster agent is using. If I change that to Default it starts working. But I don't want to change default settings for the cluster agent. I would like to know how to configure the ufw on nodes in my downstream cluster to allow traffic to my rancher cluster even with ClusterFirst as dnsPolicy.
h
> I have my rancher cluster and I have another cluster. Maybe that is called downstream cluster.
If this "another cluster" was created from Rancher UI, then yes that is downstream cluster
> If my cluster agent is running on the pod with ufw enabled it says:
> ERROR: https://[my hostname].internal/ping is not accessible (Could not resolve host: [my hostname].internal)
>
> If I disable ufw on that node it starts working.

I am not familiar with UFW... but, let's take rancher out of the picture... from node where UFW is enabled, can you do:
nslookup [my hostname].internal 

ping [my hostname].internal

nc -v [my hostname].internal 6443  ## this is for k3s  (for rke2 its port 9345)