Hi, I am trying to create ZT flow rules so that nodes with the “Intranet” tag can initiate communication with both “Intranet” nodes and “Extranet” tag nodes. “Extranet” nodes cannot initiate communication but can respond to any communication initiated by an “Intranet” node. Lastly, all other types of traffic that do not match the specified rules will be blocked.
This is the flow rule set I have created, which allows me to assign tags to different nodes (intranet / extranet).
The issue I have encountered is that nodes with the intranet tag are able to communicate successfully with each other but are unable to connect to a node with the extranet tag.
Does anyone have any idea what I’m doing wrong and how to solve the problem?
Thank you very much
```
# Assign tags to nodes
tag intranet id 10 enum 10 Intranet;
tag extranet id 20 enum 20 Extranet;

# Allow communication within the Intranet tag
accept and tdiff intranet 0;

# Allow communication from Intranet to any node, including Extranet
accept and tseq intranet 10;

# Allow communication from Intranet to Extranet
accept and tseq intranet 10 and treq extranet 20;

# Allow communication from Extranet to Intranet if initiated by Intranet
accept and tseq extranet 20 and treq intranet 10 and tdiff intranet 0;

# Drop communication from Extranet to Intranet
drop and tseq extranet 20 and treq intranet 10;

# Drop all other traffic
drop;
```
I have also tried without the tdiff:
```
# Define tags for nodes
tag intranet id 10 enum 10 Intranet;
tag extranet id 20 enum 20 Extranet;

# Allow all communication initiated from nodes with the "Intranet" tag
accept and teq intranet 10;

# Allow responses from nodes with the "Extranet" tag to nodes with the "Intranet" tag
accept
  chr tcp_ack # This rule applies to TCP ACK packets (responses)
  and teq extranet 20
  and teq intranet 10;

# Drop all other traffic
drop;
```
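As an added example (not the poster's rule set), here is one way to express the policy described at the top of the post in the ZeroTier rules language. It is written for the receiving side of each packet, because ZeroTier filters statelessly: every packet is checked against the rule list at both ends, there is no connection table, so a "response" has to be recognised from something in the packet itself. The usual proxy is the TCP ACK flag, which every segment of an established TCP flow carries except the initial SYN. The example also uses one tag (`role`) with two values instead of two separate tags, so that a sender-tag match and a receiver-tag match can be applied to any pair of members; the tag id 1000 and the values 10 and 20 are chosen here and can be anything you like.

```text
# One tag with two values; assign exactly one value to every member
tag role
  id 1000
  enum 10 intranet
  enum 20 extranet
;

# Intranet members may initiate anything, to intranet or extranet members
accept
  tseq role 10
;

# Extranet members may only send TCP segments carrying ACK (the replies to
# flows an intranet member opened) and only back to intranet members.
# TCP flag characteristics never match non-TCP packets, so UDP and ICMP
# from extranet members do not match here.
accept
  tseq role 20
  and treq role 10
  and chr tcp_ack
;

# Everything else: extranet-to-extranet, extranet-initiated SYNs, members
# without a role value
drop;
```

Two things to keep in mind with this shape. First, anything that is not TCP gets no reply path: an intranet member can send DNS queries or pings to an extranet member, but the UDP answer or ICMP echo reply will be dropped unless you add rules for it (for example `ipprotocol udp and sport 53` in the extranet-to-intranet direction, or an `icmp` match), so decide per protocol what counts as a reply. Second, because the engine is stateless, an extranet member can still emit packets with the ACK bit set toward intranet members without a prior SYN from them; the rule only stops it from opening connections, so the hosts behind the intranet tag should keep their own stateful firewall rather than rely on the network rules alone.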