Propagation problems

lionelb · March 20, 2023, 5:12pm

Hello,

I have the impression, and it is confirmed by a colleague in another company, that there are propagation problems when you change rules or routing on subnets…

The changes made in My Zerotier are not taken into account or very long after.

This makes it very difficult to evaluate the new rules.

Is there a way to know if a rule has been propagated, or to force this propagation?

I am in France, can it come from a ZT rooot server? How to know which root server we depend on?

Thanks / lionel

zt-travis · March 20, 2023, 6:38pm

Hello,
for subnets you can check zerotier-cli listnetworks -j

Unfortunately there’s no way to list the rules from the client.
Are you using tags or capabilties? I’ve seen those get kind of “stuck”.
Please put a accept ethertype arp; at the top of your rule set. At least during testing.
Leaving and re-joining the network can also help speed things up.

lionelb · March 20, 2023, 8:44pm

Merci pour la réponse.

accept ethertype arp;

is at the top…

But nothing explains these slowdowns which did not exist a year ago…

Another question, in the doc there is for example :
drop dport 137,138,139;
Which seems to work,

On the other hand if I put :
accept tseq department 316 and ipdest 192.168.210.0/24 and dport 22,3389;
The ports are not taken into account…

My goal is to restrict access for ZT clients to non-ZT hosts on the LAN. If I don’t make these rules everything is accessible

Translated with DeepL

zt-travis · March 21, 2023, 3:15pm

Hello,
One thing, I don’t think using commas for dport ports is supported. The parser should fail, but it doesn’t. Sorry about that.

You can see in the json, it doesn’t really do what’s expected:

 drop dport 137,138,139;

→

 {
   "type": "MATCH_IP_DEST_PORT_RANGE",
   "not": false,
   "or": false,
   "start": 137,
   "end": 137
  },

Instead, you can use a range drop dport 137-139;
or multiple rules drop dport 137 or dport 234;

hope that helps

lionelb · March 21, 2023, 4:29pm

Hi,

I’m writing an article on the use of dna rules in mixed context with ZT clients and site-to-site, my conclusion is that the documentation and rules should evolve, for the moment I’m struggling to find examples to rely on.

I will put this article here, I count on you to validate that I did not write too much nonsense!

lionel

system · April 20, 2023, 4:30pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.