I’m trying to come up with logic to limit connections using tags. I have 1 tag with 3 options, Robot, Operator, Server.
tag device_type
id 500
enum 100 operator
enum 200 robot
enum 300 server
default 100
I’m trying to come up with the logic to limit communication between like device types (i.e. 2 operators can’t connect to each other, but an operator can connect to robots). I’ve tried dropping if tdiff of the tag is 0, I’ve tried accepting with different tags and dropping everything else. No matter what I try, it drops all traffic unless I open it up. I’ve also tried this using completely separate tags for each type as well, with the same result.
drop
tdiff device_type 0
;
What would the most effective method be to deal with this?
Would be the same. Servers wouldn’t connect to each other. But operators and robots can connect to servers. This one may be a bit more flexible, but the initial use would be limited in east-west connectivity within the server group.
Operators can’t connect to each other, but operators can connect to robots and servers
Robots can’t connect to each other, but robots can connect to operators and servers.
I tried that and it’s blocking all traffic between any device. I’ve pasted my entire config below.
# Set device type - Used for communication rules
tag device_type
id 500
enum 1 operator #001
enum 2 robot #010
enum 4 server #100
default 1
;
# Allow only IPv4, IPv4 ARP, and IPv6 Ethernet frames.
drop
not ethertype ipv4
and not ethertype arp
and not ethertype ipv6
;
# drop non-ZeroTier issued and managed IP addresses.
drop
not chr ipauth
;
accept
tdiff device_type 0
;
# Accept anything else. This is required since default is 'drop'.
#accept;
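To make the ordering problem in the chain above concrete, here is an added worked example that is not from any of the posts and not ZeroTier's own code: a small Python model of how a rule chain with tag matchers is walked, evaluated for every ordered pair of the three device types. It puts the chain from the posted config (`accept tdiff device_type 0 ;` with the trailing `accept;` commented out) next to a chain that drops same-type pairs first and then accepts the rest, which is the policy stated in the thread. The matcher semantics in the model (`tdiff N` matches when the absolute difference of the two sides' tag values is N, `tand`/`txor N` when the bitwise AND/XOR of the tag values equals N, first terminating match wins, implicit trailing drop) are my reading of the rules language; the ethertype and `chr ipauth` rules are left out of the model, and `DEVICE_TYPE` carries the single-bit enum values from the posted tag definition.

```python
"""Model of how a ZeroTier rule chain with tag matchers is evaluated.

Constructed example for the device_type policy discussed in the thread; it
is not ZeroTier's own code. Modelled semantics (my reading of the rules
language, stated as an assumption):
  - rules are walked top to bottom; the first accept/drop whose conditions
    all hold terminates evaluation;
  - if no rule matches, the implicit default is drop;
  - tdiff N matches when |src_tag - dst_tag| == N; tand / txor N match
    when (src & dst) == N / (src ^ dst) == N.
Ethertype and `chr ipauth` checks are deliberately left out of the model.
"""
from itertools import product

# Single-bit enum values from the posted tag definition.
DEVICE_TYPE = {"operator": 1, "robot": 2, "server": 4}


def tag_match(op, src_tag, dst_tag, value):
    """Evaluate one tag matcher against the sender's and receiver's tag values."""
    if op == "tdiff":
        return abs(src_tag - dst_tag) == value
    if op == "tand":
        return (src_tag & dst_tag) == value
    if op == "txor":
        return (src_tag ^ dst_tag) == value
    raise ValueError(f"unsupported matcher {op!r}")


def evaluate(rules, src_tag, dst_tag):
    """Return 'accept' or 'drop' for one sender/receiver tag pair.

    `rules` is a list of (action, conditions); each condition is a tuple
    (negated, matcher, value). A rule with no conditions always matches,
    which is what a bare `accept;` is.
    """
    for action, conditions in rules:
        if all(tag_match(op, src_tag, dst_tag, val) != neg
               for neg, op, val in conditions):
            return action
    return "drop"  # implicit default when nothing matched


# Chain from the posted config, with the trailing `accept;` commented out:
#   accept tdiff device_type 0 ;
POSTED = [("accept", [(False, "tdiff", 0)])]

# Chain that drops same-type pairs first and then allows everything else:
#   drop tdiff device_type 0 ;
#   accept ;
FIXED = [("drop", [(False, "tdiff", 0)]), ("accept", [])]

# Same policy written against the single-bit values: src & dst is non-zero
# only when both sides carry the same bit, so:
#   drop not tand device_type 0 ;
#   accept ;
FIXED_TAND = [("drop", [(True, "tand", 0)]), ("accept", [])]


def policy_matrix(rules):
    """Verdict for every ordered (sender type, receiver type) pair."""
    return {(a, b): evaluate(rules, DEVICE_TYPE[a], DEVICE_TYPE[b])
            for a, b in product(DEVICE_TYPE, repeat=2)}


def blocks_same_type_only(rules):
    """True if the chain drops exactly the same-type pairs and accepts all others."""
    return all(verdict == ("drop" if a == b else "accept")
               for (a, b), verdict in policy_matrix(rules).items())


if __name__ == "__main__":
    for name, chain in (("posted", POSTED), ("fixed", FIXED), ("fixed_tand", FIXED_TAND)):
        print(f"{name}: same-type-only policy = {blocks_same_type_only(chain)}")
        for (a, b), verdict in sorted(policy_matrix(chain).items()):
            print(f"  {a:>8} -> {b:<8} {verdict}")
```

In this model the posted chain comes out as the inverse of the intended policy: only same-type pairs match the `accept`, and every cross-type pair falls through to the implicit drop. Putting the `drop tdiff device_type 0 ;` first and ending the chain with a plain `accept;` gives the operator/robot/server matrix described in the thread. Two practical checks on a real network: the tag has to be assigned to each member in the controller, and with `default 1` every member that has not been assigned one is treated as an operator, so unassigned members will drop traffic to each other.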