Isolation between clients AND nodes under a single network

So, I will need to paint the picture of our use case first. And note, we need to be able to do this under a single ZeroTier network.

We have about 100 locations, each with their own router and different subnet, that all route back to a central concentrator that handles our routing. Additionally, we have 1 separate dedicated location that is capable of reaching all 100 of these locations. But, these 100 locations are NOT able to reach one another (isolated, which is what we want). We also have a handful of users that are able to reach all those locations, including the separate dedicated one.

For ZeroTier, how can I get all 100 of those locations on a single network yet not able to reach each other but CAN reach a separate dedicated location whilst also having 20 plus users under that same single ZeroTier network but make it so none of the users can reach one another?

In short, we need to make it do the following:
Multiple users, but users can’t reach each other. Multiple locations, but locations can’t reach each other. Users can reach all locations. 1 dedicated location needs to be able to reach all locations and all users. All needs to be under a single ZeroTier network.

I read through the isolation documentation for ZeroTier but that will not work for this use case as it appears the 1 and only tag that it allows is the “server” tag. It would honestly be nice if we could have a series of different tags maybe? It was tasked to me to find a solution on this and that the solution lies within the “Advanced Routing” of ZeroTier but figured I’d reach out for assistance.
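For reference, here is how the isolation matrix in the question can be expressed in the ZeroTier flow-rules language with a single multi-valued tag (this is an added illustration, not part of the original post or the ZeroTier docs; the tag name `role`, its id 1000, and the enum values are my choices and must be assigned to each member in ZeroTier Central):

```text
# Role tag: each member carries exactly one value, set per member by an admin.
tag role
  id 1000          # arbitrary but must be unique within the network (assumed value)
  enum 1 user      # support users: may reach sites and the hub, never other users
  enum 2 site      # the ~100 locations: may reach users and the hub, never other sites
  enum 3 hub       # the single dedicated location: may reach everything
  default 0        # untagged members get no traffic until an admin assigns a role
;

# Keep the network IP-only, as the stock default rule set does.
drop
  not ethertype ipv4
  and not ethertype arp
  and not ethertype ipv6
;

# Untagged members are fully isolated, regardless of who they talk to.
drop tseq role 0 or treq role 0;

# The hub reaches every tagged member, in both directions.
accept tseq role 3 or treq role 3;

# Users never talk to users; sites never talk to sites.
drop tseq role 1 and treq role 1;
drop tseq role 2 and treq role 2;

# Only user<->site traffic remains, which is exactly what the question asks for.
accept;
```

Note that these rules are evaluated between ZeroTier members, not between the subnets behind them: each location's router has to be the member carrying the `site` tag, with its subnet published as a managed route via that member, and the rule set only controls which members may exchange frames, so the routers still need their own filtering for anything they forward.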

I’m parsing this as:

  1. I have at least 100 physically separate network segments.
  2. And I want to put them all on one big virtual switch.
  3. How do I write 100 VLAN rules to make the switch behave like 100 separate networks?
  4. And how do I add even more conditional access rules that switches almost never implement?

The easy and instant solution is to create one logical ZeroTier network for each site, and configure SSO/OIDC for access consolidation at the management site and for each remote user.

I would guess that you’re running an outsourced support function, and that you want your support agents to access customer sites without understanding how the VPN works. You could use the ZeroTier Service API to script the connection and disconnection of each support agent.

Your user story could be:

  1. A support agent gets a support ticket. The issue description has a “connect to customer site” link.
  2. The support agent clicks the link, which runs a script that connects the support workstation to the customer site through ZeroTier.
  3. The ZeroTier session times out according to an SSO rule so that the support workstation does not sprawl across 100 sites, and to better ensure customer privacy and operator containment.

Past that, you should explain why a single logical network is a constraint or is otherwise preferred.