-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Blacklist no longer works as expected in 1.4.0 #1005
Comments
Hrmmm... Will have to take a look at this. Just to make sure, WAN and LAN ports are separate physical ports, correct? I took a cursory look at the blacklist code, and it doesn't appear that any of that has changed between 1.2.12 and 1.4.x. We'll have to dig deeper. |
Yeah, all physical ports, no VLANing going on. With the local LAN blocked, I get this:
When unblocked, I get the proper response (while still having tons of other blacklists listed, but don't contain the local LAN subnet)
So like I said, it even refuses to contact the central ZT service! Kinda crazy. |
WHOOPS, my bad. Didn't realize that the ISP was doing NAT where I had the test box, so its WAN address was also within the 192.168.0.0/16 subnet. My bad! I made them change their NAT subnets, and things are normal now. |
TLDR: adding the local LAN address to the blacklist will prevent the local WAN address from functioning either.
I have the following config on a pair of OPNsense routers (FreeBSD) running ZeroTier. One is older, running 1.2.x, the other is brand new running 1.4.0.
{ "physical": { "192.168.0.0/24": { "blacklist": true } } }
Old router
LAN: 192.168.10.0/24
WAN: 96.0.0.0/24 (public internet)
New router
LAN: 192.168.20.0/24
WAN: 69.0.0.0/24 (public internet)
Since both LAN subnets can route to each other via static routes, I had the 192.168.0.0/16 blacklisted to prevent route flapping on my 1.2.x routers: #779
Starting with 1.4.0, this setting no longer works. As long as this rule is in place, the 1.4.0 node will refuse to connect to ANYTHING, including the ZeroTier service or moons themselves. Blocking the local LAN address is essentially preventing the public WAN address from functioning at all.
I'm back the point where I have to manually blacklist every single other LAN on every single routing node again, meaning adding additional nodes once again requires re-configuring every other node in the network to be aware of every other node, defeating the centralized purpose of ZT.
The text was updated successfully, but these errors were encountered: