Whitelisting interfaces or service bidding

Hello,

With the not so basic scenarios (anything with more than one interface), it’s not practical to use blacklists to exclude interfaces. When adding new interfaces unrelated to ZT, you have to reconfigure the ZT client to exclude them.

My use case includes OPNsense firewalls connecting over ZeroTier and doing all the routing. I would like to be able to explicitly designate the interfaces that ZT should use instead of binding on all of them (*:9993).

Out of 9 interfaces, it would make sense to tell ZT “use if01 and if02” instead of “don’t use if03 or if04 or if05 or if06 or if07 or if08 or if09”. In that scenario, most likely, when you add if10 it won’t be used for ZT traffic.

It could be seen as a “whitelist”, or simply as “interfaces for service binding” as you can see with any TCP/IP service (web servers, databases, etc.).

Hello,
Thanks for writing.

For now:

You might be able to whitelist using the multipath modes. (you don’t need multiple paths to use them)

Or do it by address instead of interface in local.conf

Or use a FIB or something like that in OPNsense.

Thanks for the feedback, would something like this suffice as local.conf?:

{
  "settings": {
    "defaultBondingPolicy": "rapid-active-backup",
    "policies": {
      "rapid-active-backup": {
        "basePolicy": "active-backup",
        "failoverInterval": 1000,
        "links": {
          "vtnet0": {
            "ipvPref": 46
          }
        }
      }
    }
  }
}
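As an added worked example (not part of this thread and not ZeroTier's own code), the following Python makes the allow-list versus deny-list point from the opening post concrete, and parses a local.conf of the shape posted above. It assumes only the keys visible in that file (settings, defaultBondingPolicy, policies, links); the interface table and the second link vtnet1 are constructed, and whether ZeroTier actually limits its listener to the links named in a bond policy is the open question of the thread, which this script does not answer. It also shows why the trailing comma that a hand-edited local.conf easily picks up matters: a strict JSON parser rejects the whole file.

```python
"""Allow-list vs deny-list interface selection over a local.conf-style policy.

Added example for illustration; constructed data, not ZeroTier behaviour.
"""
import json

# Constructed interface table (name -> addresses), standing in for what the
# OS would report. if10 is the interface "added later", after the config
# was written.
INTERFACES = {
    "vtnet0": ["192.0.2.10", "2001:db8::10"],
    "vtnet1": ["198.51.100.10"],
    "vtnet2": ["203.0.113.10"],
    "if10": ["10.99.0.1"],
}

# Well-formed local.conf in the shape posted in the thread (vtnet1 is a
# constructed second link).
LOCAL_CONF = """
{
  "settings": {
    "defaultBondingPolicy": "rapid-active-backup",
    "policies": {
      "rapid-active-backup": {
        "basePolicy": "active-backup",
        "failoverInterval": 1000,
        "links": {
          "vtnet0": { "ipvPref": 46 },
          "vtnet1": { "ipvPref": 46 }
        }
      }
    }
  }
}
"""

# Same file with a trailing comma after the last link, a common hand-editing slip.
BAD_LOCAL_CONF = LOCAL_CONF.replace('"ipvPref": 46 }\n        }', '"ipvPref": 46 },\n        }')


def allowed_links(local_conf_text):
    """Return the link names listed under the default bonding policy.

    json.loads is strict JSON, so a trailing comma raises json.JSONDecodeError
    (a ValueError); a config with that slip never gets as far as being applied.
    """
    conf = json.loads(local_conf_text)
    settings = conf["settings"]
    policy = settings["policies"][settings["defaultBondingPolicy"]]
    return sorted(policy.get("links", {}))


def bind_addresses(interfaces, allow=None, deny=()):
    """Compute (interface, address) pairs a service would bind to.

    allow: explicit allow-list of interface names (the "use if01 and if02" model).
    deny:  deny-list of interface names (the "don't use if03..if09" model).
    With a deny-list, any interface not named, including one added later,
    is bound; with an allow-list it is not.
    """
    if allow is not None:
        names = [n for n in interfaces if n in allow]
    else:
        names = [n for n in interfaces if n not in deny]
    return [(n, addr) for n in names for addr in interfaces[n]]


def config_is_valid(local_conf_text):
    """True if the text parses as JSON and names at least one link."""
    try:
        return bool(allowed_links(local_conf_text))
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    links = allowed_links(LOCAL_CONF)
    print("allow-list:", bind_addresses(INTERFACES, allow=links))
    print("deny-list: ", bind_addresses(INTERFACES, deny=("vtnet2",)))
    print("bad config parses:", config_is_valid(BAD_LOCAL_CONF))
```

Run it as a script to see that the deny-list variant picks up if10 while the allow-list variant does not, and that the trailing-comma file is rejected outright rather than partially applied.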