Network ZeroTier

I have created a Zerotier network, I have added all my organizations and a home computer there. I need access from my home PC to all Zerotier clients, but so that they cannot connect to each other or see each other, because this gives me a traffic conflict with other software between offices.

This might be what you’re after:

Yes, but I didn’t understand a bit. I have 3 points from where I can enter the network, and there are 10 offices that should not see each other. But I have to see each of them from any of the 3 points.

Your first message seems fairly simple. Tags are the scalable way to achieve this, but I have been having some inconsistency with rules using tags that has led me to need to delete and re-add the rule. I’d probably keep tags to a lab environment for now. We can solve this with a simple IP based rule though. Let’s say your network looks like the following:

ZT Subnet: 10.100.100.0/24
Home PC: 10.100.100.10

You can have these rules to accomplish this:

# Ensure drop rules don't prevent the functioning of ARP
accept
  ethertype arp
;

# Allow traffic from the Home PC (10.100.100.10) to the ZT Subnet
accept
  ipsrc 10.100.100.10/32 and ipdest 10.100.100.0/24
;

# Allow traffic from the ZT Subnet back to the Home PC
# (kept as a separate rule: matches in one rule are evaluated left to right
# without precedence, so "a and b or c and d" would not mean what it reads as)
accept
  ipsrc 10.100.100.0/24 and ipdest 10.100.100.10/32
;

# Drop everything else between hosts within the ZT Subnet
drop
  ipsrc 10.100.100.0/24 and ipdest 10.100.100.0/24
;

Your second message seems to indicate there may be added complexity in your setup. If you only need to block IP communication between hosts, then the above will solve that regardless of the number of sites in question. If this won’t work, then you may need to expand on your deployment so we can get a better picture of what you’re doing.
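As an added illustration (not part of the thread or of ZeroTier itself), here is a small Python model of how the rule set above decides frames: the ZT Subnet and Home PC addresses are the ones from the reply, the two office addresses are constructed stand-ins for the sites, and the rule engine is a simplified first-match-wins evaluator, not ZeroTier's own.

```python
import ipaddress
from itertools import permutations

# Constructed model (not ZeroTier's engine): the ZT Subnet and Home PC from the
# reply, plus two hypothetical office hosts standing in for the office sites.
ZT_SUBNET = ipaddress.ip_network("10.100.100.0/24")
HOME_PC = ipaddress.ip_network("10.100.100.10/32")
OFFICE_A, OFFICE_B = "10.100.100.21", "10.100.100.22"

def in_net(addr, net):
    """True when addr is an IP inside net; ARP frames carry no IP addresses."""
    return addr is not None and ipaddress.ip_address(addr) in net

# The reply's rule set, one (action, match) pair per rule. Each match is a
# plain AND of its conditions, so there is no left-to-right "or" ambiguity.
RULES = [
    ("accept", lambda f: f["ethertype"] == "arp"),
    ("accept", lambda f: in_net(f["src"], HOME_PC) and in_net(f["dst"], ZT_SUBNET)),
    ("accept", lambda f: in_net(f["src"], ZT_SUBNET) and in_net(f["dst"], HOME_PC)),
    ("drop",   lambda f: in_net(f["src"], ZT_SUBNET) and in_net(f["dst"], ZT_SUBNET)),
]

def evaluate(frame):
    """Top-to-bottom evaluation: the first rule whose match is true decides."""
    for action, match in RULES:
        if match(frame):
            return action
    return "drop"  # no rule matched: treated as an implicit drop

def ip_frame(src, dst):
    return {"ethertype": "ipv4", "src": src, "dst": dst}

def arp_frame():
    return {"ethertype": "arp", "src": None, "dst": None}

def allowed_pairs(hosts):
    """Return every ordered (src, dst) pair of hosts the rule set accepts."""
    return {(s, d) for s, d in permutations(hosts, 2)
            if evaluate(ip_frame(s, d)) == "accept"}

def policy_holds(hosts, home="10.100.100.10"):
    """Every accepted pair involves the Home PC, and every pair involving
    the Home PC is accepted; offices never reach each other."""
    accepted = allowed_pairs(hosts)
    expected = {(s, d) for s, d in permutations(hosts, 2) if home in (s, d)}
    return accepted == expected

if __name__ == "__main__":
    hosts = ["10.100.100.10", OFFICE_A, OFFICE_B]
    for s, d in permutations(hosts, 2):
        print(f"{s} -> {d}: {evaluate(ip_frame(s, d))}")
    print("ARP:", evaluate(arp_frame()), "| policy holds:", policy_holds(hosts))
```

Adding more office addresses to `hosts` shows the check still holds regardless of the number of sites, which is the point made in the reply.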
