Thanks - I have of course referred to the manual now, before asking questions; thanks for the reference. However, ipauth is not mentioned.
Always happy to read docs.
So, one reference in the manual (of the three mentions) describes it:
ipauth: sender IP is assigned by ZeroTier to the sending node. So it is a characteristic - but absent from the novice guide.
EDIT: and for my reference later, it says in the first mention:
This creates a network that can pass IPv4 (and ARP) and IPv6 traffic but no other Ethernet frame types. In addition the not chr ipauth condition drops traffic between IP addresses that have not been assigned by ZeroTier to their respective sources or destinations, blocking all IP spoofing. These are enforced with a hard drop, preventing them from being overridden by any capability.
Which was the very first “rule” I was trying to create, lock them in to ZT only and keep them out of my own LAN - correct? Even when they are connected to my NAS via ZT and my NAS is also connected to my 10.0.0.x LAN?
Lovely, thanks. I hope this is right!
P.S. That is one long read, I’m printing it, which is very rare. (Capability Based Security for Virtual Networks) I may be some time…