Rules engine: tag "teq" does not work as intended

I have two kinds of devices in my zerotier network, one is a server and the other is a client.
I want to make sure that clients can’t talk with other clients.
So this is what I did in rules engine:

drop
    not ethertype ipv4
    and not ethertype arp
;

tag membership
    id 100
    enum 110 server
    enum 120 client
    default client
;

drop
    teq membership 120
;

accept;

Above rules should only prohibit comms between clients right?
But with the “drop teq membership 120;” line, none of my devices can talk to anyone.

Zerotier should drop packets only when both sender and receiver have membership tag of 120 (client)

What is happening?

Hmm. Not sure about teq. That seems to make sense. If you remove that initial drop not ethertype… statement, does anything change?

Here’s a different way to do the same thing
https://zerotier.atlassian.net/wiki/spaces/SD/pages/222330881/Client+Isolation

The exact same issue happened to me right now.
It makes sense but doesn’t work.

Henlo
I’ve found my problem
Make sure to enable broadcast and check nodes can propagate arp to each other

Could you please elaborate? I’m new to the rules engine.
Is it something I set in ZeroTier?

Hey, @spiritcore. I’ll test in a bit, but try adding accept ethertype arp; at the top of your rules.

Is it already included in this rule?

drop
    not ethertype ipv4
    and not ethertype arp
    and not ethertype ipv6
;

Not quite. That drops non-ARP frames, but it doesn’t accept ARP.

In my quick tests, adding accept ethertype arp; to the top makes it work more reliably.

accept ethertype arp;

tag membership
    id 100
    enum 110 server
    enum 120 client
    default client
;

drop
    teq membership 120
;

accept;

I’m not sure why at this point.
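Added example (editor's addition, not posted by anyone in this thread and not the official ZeroTier snippet): the same server/client split written with a single-bit tag and tor instead of teq, in the style of the Client Isolation page linked above, with the accept ethertype arp; line placed first as suggested. The tag name server, the id 1000 and the enum labels are this example's own choices; assign server = true to the server members in the controller and leave the clients at the default.

```text
# Let ARP through before any tag matching is evaluated.
accept ethertype arp;

# Everything that is not IPv4, IPv6 or ARP is dropped.
drop
    not ethertype ipv4
    and not ethertype arp
    and not ethertype ipv6
;

# Example tag (id and names chosen for this example): one bit per member,
# 1 = server, 0 = client. Members with no explicit value are clients.
tag server
    id 1000
    enum 1 true
    enum 0 false
    default false
;

# tor compares the bitwise OR of the sender's and receiver's tag values
# with the given value. server OR anything = 1, so the only pair that
# yields 0 is client-to-client, and that is the traffic dropped here.
drop
    tor server 0
;

accept;
```

Because the match is a bitwise OR rather than an equality on both sides, a server can talk to clients and to other servers without a separate rule, and there is exactly one value (0) that identifies a client-to-client pair. As with the teq version, the ARP accept comes before any tag rule so address resolution is never subject to tag matching.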