Tag access control?

We are setting up ZeroTier network rules to control communication between devices based on user roles and device types. Specifically, we want to achieve the following:

  1. SSAdmin Role: Users with the SSAdmin role (userrole 400) should have unrestricted access to all devices within the network.
  2. SuperAdmin Role: Users with the SuperAdmin role (userrole 300) should also have full access to all systems.
  3. Ventilation Role: Users with the Ventilation role (userrole 200) should be able to communicate only with devices classified as ventilationdev (devicetype 100).
  4. Device-to-Device Communication: Devices that share the same devicetype should be able to communicate with each other. For example, all devices with devicetype 100 (ventilationdev) should be able to communicate freely with each other.
The current rule configuration is causing communication to fail when both userrole and devicetype tags are set, even though they are supposed to match according to the rules. While simple device-to-device communication based on devicetype works, adding a userrole seems to break the expected behavior.

[Screenshot attachment: Skjermbilde 2024-08-21 215553]
This should work…

# Define a tag for device types (devicetype)
tag devicetype
  id 3
  enum 100 ventilationdev  # Ventilation System
  enum 101 accountingdev   # Accounting System
  enum 102 integradev      # Integra System
  enum 103 maintenancedev  # Maintenance Device
  default 0;

# Define a tag for user roles (userrole)
tag userrole
  id 2
  enum 200 ventilation     # User with access to Ventilation Systems
  enum 201 accounting      # User with access to Accounting Systems
  enum 202 integra         # User with access to Integra Systems
  enum 203 maintenance     # Maintenance user with access to Ventilation and Integra
  enum 300 superadmin      # SuperAdmin with full access to all systems
  enum 400 ssadmin         # SSAdmin with full access to everything
  default 0;

# SSAdmin has full access to everything
accept teq userrole 400;

# SuperAdmin has access to all systems
accept teq userrole 300;

# Allow 'ventilation' userrole to communicate with 'ventilationdev' devices
accept tor userrole 200 teq devicetype 100;

# Allow 'ventilationdev' devices to communicate with other 'ventilationdev' devices
accept teq devicetype 100;

# Drop all non-IP-based traffic
drop
  not ethertype ipv4
  and not ethertype arp
  and not ethertype ipv6
;

# Allow all other traffic (for testing purposes)
accept;

I hope someone can help me in the right direction 🙂

Hello,
put accept ethertype arp; at the top of your rules, at least while you're developing.

Without it, when nodes decide they can’t talk to each other because of rules, it takes them a long time to check again and it makes debugging very confusing.
This might just solve the issue.

For the superadmins, I'd make a separate super admin tag, and then do something like

accept not tor superadmin 0;

For the userrole part and devicetype part, hmm… I'm not sure there's a good way to compare different tags. Let us think…

Is all the traffic between devices TCP? There are some other tricks if so, but if some of the traffic is UDP, you can't use them.

I think this meets the requirements. Sorry it's so different from your original. It could be used as a base/example for your full setup.

accept ethertype arp;

# One bit per device type; a node (or a user) can carry several bits at once
tag dev
  id 1
  flag 0 ventilation   # bit value 1
  flag 1 accounting    # bit value 2
  flag 2 integra       # bit value 4
  flag 3 maintenance   # bit value 8
  enum 15 all          # all four flags set (7 would leave out maintenance)
  default 0
;

tag is_superuser
  id 2
  flag 0 yes
  default 0;

tag is_user 
  id 3
  flag 0 yes
  default 0;


accept not tor is_superuser 0;

# don't let two users talk to each other 
drop not tand is_user 0;

# if any of the device types for two nodes are the same, accept
# tag your users with is_user and with whatever device types 
# if both nodes are is_user, they would have been blocked above
accept not tand dev 0;


drop;