Need help for specific requirements of my network

Hello there, I’m looking for some information because I’ve been trying to set up my network for 2 days and the main part doesn’t work right now. You’ll see an attachment with a representation of what I’m trying to achieve.

First of all, I use AWS for all my instances and everything resides under the 10.0.0.0/16 VPC. In my public subnet 10.0.0.0/24 I have 2 Linux instances, 1 running an internal VPN to access all my subnets and the other one will act as a ZeroTier gateway that will only have access to 1 subnet.

I’ve set up my account on the ZeroTier website and the ZT gateway joined the network. I’ve set the routes with the 172.30.0.0/16 (LAN) and 10.0.0.0/16 via 10.0.0.10, which is the AWS internal IP of the ZT GW instance (that gateway also has a public IP), and the VPC also has a route for 172.30.0.0/16 which gets out of the network via the ZT GW instance network interface.

I can connect all the ZT clients to ZT without problems. When I SSH into the ZT gateway and ping 172.30.0.1 (the assigned IP in the ZT UI) it answers without problems. I can also ping all the clients, which are 172.30.0.100 and .101 in my test setup.

If I go to the internal VPN instance in the same subnet, I can ping 172.30.0.1 but not the .100 and .101 ones. Right now the ZT Gateway has IPv4 forwarding enabled in sysctl and the instance security group is accepting all protocols and ports for all subnets, and I also added 172.30.0.0/16 to the rule. It’s quite open right now in the AWS LAN but that will be fixed when everything is set up. Also I did check CloudWatch for any rejections by the ZT Gateway, which don’t occur.

Do you have any ideas of something I might have missed?

My next step will be making sure the internal VPN clients are able to reach the ZT clients and also that the ZT clients are not able to see each other, with the exception of the ZT GW that needs to see them all. Also that my ZT clients are able to reach 3 instances in a specific subnet.

If you have any hints that would be greatly appreciated because I’m really scratching my head right now.

Thanks a lot.
PS. Please don’t judge my English, that’s not my main language.

[attachment: ztnetwork]

Hello,
thanks for writing this up.

For your managed route, I think you want 10.0.0.0/16 via 172.30.0.1

Make sure ip_forwarding is enabled on the “routers”

Keeping client 1 and 2 from talking to each other can be done with the rules engine, but save that step for last. https://zerotier.atlassian.net/wiki/spaces/SD/pages/222330881/Client+Isolation
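As an added check for the reply above (example code written for this thread, not from the original posts or from ZeroTier): a managed route's "via" has to be an address inside the ZeroTier network's own managed range, because a ZT client only has a path to ZT addresses, not to the gateway's AWS-internal 10.0.0.10; and the box that forwards must have IPv4 forwarding on. The route values are the thread's; the sysctl output is constructed.

```python
"""Sanity checks for a ZeroTier gateway setup like the one in the thread.

Added example. It encodes two things the reply points at:
  1. a managed route's "via" must lie inside the ZeroTier network's range
     (the ZT clients have no path to an AWS-only address), and
  2. the host acting as router must have net.ipv4.ip_forward = 1.
"""
import ipaddress

ZT_NETWORK = "172.30.0.0/16"  # managed range from the thread


def check_managed_routes(zt_network, routes):
    """Return a list of problems for (destination, via) managed routes.

    A via of None means the destination is the ZeroTier LAN itself.
    """
    net = ipaddress.ip_network(zt_network)
    problems = []
    for dest, via in routes:
        dest_net = ipaddress.ip_network(dest)
        if via is None:
            if dest_net != net:
                problems.append(f"{dest}: route without via is not the ZT network itself")
            continue
        via_ip = ipaddress.ip_address(via)
        if via_ip not in net:
            problems.append(
                f"{dest} via {via}: gateway is outside {net}; ZT clients cannot reach it"
            )
        if dest_net.overlaps(net):
            problems.append(f"{dest} via {via}: destination overlaps the ZT network")
    return problems


def ip_forward_enabled(sysctl_output):
    """Parse `sysctl net.ipv4.ip_forward` output; True when forwarding is on."""
    for line in sysctl_output.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "net.ipv4.ip_forward":
            return value.strip() == "1"
    return False


# The original route (via the AWS-internal address of the gateway)
OP_ROUTES = [("172.30.0.0/16", None), ("10.0.0.0/16", "10.0.0.10")]
# The route suggested in the reply (via the gateway's ZeroTier address)
FIXED_ROUTES = [("172.30.0.0/16", None), ("10.0.0.0/16", "172.30.0.1")]

# Constructed sysctl output for a gateway with forwarding on
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 1\n"

if __name__ == "__main__":
    for name, routes in (("original", OP_ROUTES), ("suggested", FIXED_ROUTES)):
        print(name, check_managed_routes(ZT_NETWORK, routes) or "ok")
    print("ip_forward:", ip_forward_enabled(SAMPLE_SYSCTL))
```

Run on the thread's values, the original route is flagged because 10.0.0.10 is not in 172.30.0.0/16, and the suggested route passes. Feeding `ip_forward_enabled` the real output of `sysctl net.ipv4.ip_forward` from each "router" covers the second point of the reply.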

Thanks a lot for your answer, I’ll try that out and let you know.

Worked A1, thanks a lot for the information.
