Rules question: Use tags and rules to a network behind a ZT router

Hello to all! I am a newbie at ZT and I couldn’t find the answer on the manual, wiki or posts.
That said, here’s an ASCII diagram of what I have:
[image: ZTASCII-Diagram]
ZT Net: 172.30.0.0/16
HOST Net: 192.168.0.0/16

And so on and so forth.
With the default ZT rules I can perfectly reach from a ZT node with IP: 172.30.100.20 to a host BEHIND the ZT Router with IP 192.168.0.1
The problem is that I want to LIMIT the ports that the ZT nodes can reach on the HOST network. Per the documentation and a friend's advice, of course I can define TAGs and use them to define traffic between the ZT nodes. The problem is that my destination hosts are BEHIND a ZT node.
Is it possible to create rules that will apply to hosts BEHIND the ZT node that is working as router?
Here are the rules I created, which of course do not work.
I have defined POD with the TAG 300 but the destination host is BEHIND IT!
What would be the rules I need to create for this scenario?
Your help is really appreciated!
Regards,
David.

Rules start here:

tag class
  id 2                 # arbitrary, but must be unique
  enum 100 pods          # has no meaning to filter, but used in UI to offer a selection
  enum 200 student
  enum 300 teacher
  default student;

drop
  not ethertype ipv4
  and not ethertype arp
;

drop not ipprotocol tcp; # Cleanup rule to only allow TCP that I need.
accept dport 3389 and tseq class 200 and treq class 100; # RDP Student to PODs
accept dport 3389 and tseq class 300 and treq class 100; # RDP Teacher to PODs
accept dport 80 and tseq class 200 and treq class 100; # HTTP Student to PODs
accept dport 80 and tseq class 300 and treq class 100; # HTTP Teacher to PODs
accept dport 22 and tseq class 300 and treq class 100; # SSH Teacher to PODs
drop chr tcp_syn and not chr tcp_ack; # Cleanup TCP states.

# Accept anything else. This is required since default is 'drop'.
accept;

Hmm. Does it work without the 'and treq class 100' parts?

You are right, it worked when I removed the treq section. I found out that in order to work, the ZT router must have the same tag as the students.
I actually did the following:
accept dport 22 and tseq class 200 and ipdest 192.168.0.0/16;
Now I have another question. What do I have to do to prevent the students from seeing each other? That is, all the students can reach the network 192.168.0.0/16 behind a ZT device working as a router, but they cannot reach each other.
How could I accomplish that?
Thanks again for the reply!
Regards,
David

nice!

Hmm, you could probably drop when both nodes are tagged as students. Does 'drop tand class 200' do it?

OK. That makes sense, but then which tag do I have to use so that the ZT router is not blocked?
Here’s what I have configured:
tag class
  id 2
  enum 0 pod
  enum 1 student
  enum 2 instructor
  default student;
accept ethertype arp;
accept ipprotocol 1;
drop not ipprotocol 6;
accept dport 8080 and tseq class 1 and ipdest 192.168.0.0/24;
accept dport 8080 and tseq class 2 and ipdest 192.168.0.0/24;
accept dport 3389 and tseq class 1 and ipdest 192.168.0.0/24;
accept dport 3389 and tseq class 2 and ipdest 192.168.0.0/24;
accept dport 22 and tseq class 2 and ipdest 192.168.0.0/24;
break ipdest 192.168.0.0/24; # I understand this rule blocks all traffic to that network unless allowed above
drop tand class 1;
accept;

Per your suggestion, I will have to move the ZT Router to tag 2 in my example and add the line before the last, as shown?
Thanks!
David.
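To see how the rule set in the post above sorts traffic, here is an added Python model (my code, not ZeroTier's engine and not from anyone in the thread) that evaluates the posted rules against constructed sample flows. It assumes ZeroTier's documented base-rule semantics: top-down evaluation, ANDed conditions, the first matching action wins, 'break' equals 'drop' in base rules, and 'tand' matching when the bitwise AND of the sender's and receiver's tag equals the value.

```python
"""Simplified model of ZeroTier base-rule evaluation (an added example, not ZeroTier's engine).
Assumed: rules run top-down, conditions are ANDed, the first matching rule decides, 'break' acts
as 'drop' in base rules, tseq/treq test the sender's/receiver's tag, tand: (stag & rtag) == value."""
import ipaddress

RULES = """
accept ethertype arp;
accept ipprotocol 1;
drop not ipprotocol 6;
accept dport 8080 and tseq class 1 and ipdest 192.168.0.0/24;
accept dport 8080 and tseq class 2 and ipdest 192.168.0.0/24;
accept dport 3389 and tseq class 1 and ipdest 192.168.0.0/24;
accept dport 3389 and tseq class 2 and ipdest 192.168.0.0/24;
accept dport 22 and tseq class 2 and ipdest 192.168.0.0/24;
break ipdest 192.168.0.0/24;
drop tand class 1;
accept;
"""

def parse(text):
    """Split rule text into (action, [condition, ...]); '#' starts a comment."""
    rules = []
    for stmt in text.split(";"):
        stmt = stmt.split("#")[0].strip()
        if stmt:
            action, _, rest = stmt.partition(" ")
            rules.append((action, [c.strip() for c in rest.split(" and ") if c.strip()]))
    return rules

def match(cond, pkt, stag, rtag):
    """One condition; stag/rtag are {tag_name: value} for the sending/receiving member."""
    neg = cond.startswith("not ")
    key, *args = (cond[4:] if neg else cond).split()
    if key == "ethertype":    hit = pkt["ethertype"] == args[0]
    elif key == "ipprotocol": hit = pkt.get("ipprotocol") == int(args[0])
    elif key == "dport":      hit = pkt.get("dport") == int(args[0])
    elif key == "ipdest":     hit = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(args[0])
    elif key == "tseq":       hit = stag.get(args[0]) == int(args[1])
    elif key == "treq":       hit = rtag.get(args[0]) == int(args[1])
    elif key == "tand":       hit = (stag.get(args[0], 0) & rtag.get(args[0], 0)) == int(args[1])
    else: raise ValueError("unsupported condition: " + cond)
    return hit != neg

def evaluate(pkt, stag, rtag, rules=parse(RULES)):
    for action, conds in rules:  # first rule whose conditions all hold decides; no match -> drop
        if all(match(c, pkt, stag, rtag) for c in conds):
            return "drop" if action == "break" else action
    return "drop"

# Constructed tags and flows: class 1 = student, 2 = instructor, 0 = pod (the ZT router member).
STUDENT, INSTRUCTOR, POD = {"class": 1}, {"class": 2}, {"class": 0}
def tcp(dst, dport):
    return {"ethertype": "ipv4", "ipprotocol": 6, "dst": dst, "dport": dport}
```

Under these assumptions a student reaches RDP behind the router but not SSH, student-to-student TCP is dropped by the tand rule, while ICMP between students is still accepted by the earlier 'accept ipprotocol 1' line.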
