2 ZT networks; How 1 device can talk to another on different ZT networks?

goode · October 8, 2022, 8:09pm

Greetings all!

I have 2 devices that I would like to be able to talk to each other. However, the devices are on 2 different ZT networks. Can anybody point me in the right direction?

FWIW, the destination can be solely one device IP instead of the whole ZT network, if possible.

zt-grant · October 10, 2022, 3:26pm

In order for 2 machines to talk to each other over ZeroTier, they both must be joined to the same ZeroTier network. You can join multiple networks at once on anything except for iOS and Android.

goode · October 12, 2022, 3:23am

Greetings!

I appreciate your energy and activity on the boards. Thank you for responding. Ironically, lol, I found you replying to another thread that was relevant AFTER I made my post (Connect between 2 ZT networks)

I then started to think about just putting on the same network and use rules since I’ve seen some references, however I couldn’t lock it down as I wanted.

I only want device X to communicate with device Y on a certain port. Still trying to figure it out without breaking my network. I either locked it down completely where other devices could not communicate with device Y (on the certain port that device X only can communicate with, I forgot to test if any other port).

zt-travis · October 13, 2022, 6:41pm

Hello,
The rules can be tricky. Use a second network to experiment on.

Is it a tcp or udp connection you are trying to limit? Since the rules are stateless, you need to explicitly allow for return traffic too. Sometimes this is difficult depending on the protocol.

goode · October 13, 2022, 7:01pm

Greetings @zt-travis thanks for your reply.

That’s the knowledge base I’ve been referencing but still trying to get it right.

The ultimate goal is to really just have device X be able:

Communicate only with device Y and only on a particular port.
Device X have no other access to computers on network
All other devices on ZT can still communicate with other devices, especially device Y

zt-travis · October 13, 2022, 7:38pm

Maybe add something like:

drop ztsrc nodeX and not ztdest nodeY and not dport N and not ethertype arp;

if the default for the rest of the network is accept

Then nodeX won’t be able to send anything except Port N and arp*. Traffic to nodeX is allowed by the default accept.

If we block arp, X won’t be able to find Y at all.

I haven’t tested and it’s quite possible I’m missing something.

system · November 12, 2022, 7:39pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

goode · January 19, 2023, 6:36pm

@zt-travis

Okay so it does work, however I’m able to access the whole machine instead of desired port only.

Thanks for everything again!!!

goode · March 25, 2023, 2:49pm

Still unable to fully get this working, any help?