I made an External Connector node thinking I'd be able to ssh and run scripts against nodes in my CML lab from my host machine.
I could ping the nodes, but couldn't ssh. I used a packet capture on the link between the External Connector and my lab's switch, and I didn't see any ssh traffic.
tcpdump on the CML server confirmed the bridge interfaces are seeing the ssh traffic, but not sending it into the lab. I checked the iptables rules and saw two rules (IN_public and FWDI_public) only allowing icmp traffic. Once I allowed tcp on the FWDI_public rule, I could ssh to all nodes in my lab.
This is the command for anyone who wants to do this: sudo iptables -A FWDI_public -p tcp -j ACCEPT
You can verify the rules with: sudo iptables -S FWDI_public
I'm curious why this isn't the default or at least the user guide doesn't mention this. It makes it seem the External Connector gives you a plain L2 connection into the lab. While this is technically true, nothing mentions that CML's firewall will block everything except ICMP.
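As an added example that is not part of the original post: a shell snippet that audits the output of `sudo iptables -S FWDI_public` for an ACCEPT rule covering TCP/22 and, when none exists, prints a rule scoped to the bridge interface and port 22 rather than every TCP port. The sample rule listing, the firewalld sub-chain names and the interface name bridge0 are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit the FWDI_public chain
# for a rule that forwards SSH (TCP/22) into the lab, and print a narrower
# rule than a blanket "-p tcp -j ACCEPT" when none is present.

# Constructed sample of `sudo iptables -S FWDI_public` as the post
# describes it before the fix: only ICMP is accepted. The sub-chain names
# follow firewalld's iptables backend; "bridge0" is an assumed interface.
SAMPLE_RULES='-N FWDI_public
-A FWDI_public -i bridge0 -j FWDI_public_log
-A FWDI_public -i bridge0 -j FWDI_public_deny
-A FWDI_public -i bridge0 -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT'

# Read rules on stdin; exit 0 when some ACCEPT rule covers TCP/22:
# either a blanket TCP accept with no --dport, or one scoped to --dport 22.
ssh_forwarded() {
  awk '
    /-p tcp/ && /-j ACCEPT/ {
      # blanket TCP accept, or an accept scoped to the ssh port only
      if ($0 !~ /--dport/ || $0 ~ /--dport 22( |$)/) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Print the least-privilege rule to add: limited to one bridge interface
# and to TCP/22 instead of every TCP port. $1 is the interface name.
ssh_only_rule() {
  printf 'sudo iptables -A FWDI_public -i %s -p tcp --dport 22 -j ACCEPT\n' "$1"
}

# Demo: audit the constructed sample and suggest the narrow rule if needed.
if printf '%s\n' "$SAMPLE_RULES" | ssh_forwarded; then
  echo "FWDI_public already forwards SSH"
else
  echo "FWDI_public does not forward SSH; add:"
  ssh_only_rule bridge0
fi
# Rules added with iptables directly are not persistent: firewalld rewrites
# its chains on reload, so re-run `sudo iptables -S FWDI_public` afterwards.
```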