Blacklist no longer works as expected in 1.4.0

[darkain]

TLDR: adding the local LAN address to the blacklist will prevent the local WAN address from functioning either.

I have the following config on a pair of OPNsense routers (FreeBSD) running ZeroTier. One is older, running 1.2.x, the other is brand new running 1.4.0.

{ "physical": { "192.168.0.0/24": { "blacklist": true } } }

Old router
LAN: 192.168.10.0/24
WAN: 96.0.0.0/24 (public internet)

New router
LAN: 192.168.20.0/24
WAN: 69.0.0.0/24 (public internet)

Since both LAN subnets can route to each other via static routes, I had the 192.168.0.0/16 blacklisted to prevent route flapping on my 1.2.x routers: #779

Starting with 1.4.0, this setting no longer works. As long as this rule is in place, the 1.4.0 node will refuse to connect to ANYTHING, including the ZeroTier service or moons themselves. Blocking the local LAN address is essentially preventing the public WAN address from functioning at all.

I'm back the point where I have to manually blacklist every single other LAN on every single routing node again, meaning adding additional nodes once again requires re-configuring every other node in the network to be aware of every other node, defeating the centralized purpose of ZT.

[glimberg]

Hrmmm... Will have to take a look at this. Just to make sure, WAN and LAN ports are separate physical ports, correct?

I took a cursory look at the blacklist code, and it doesn't appear that any of that has changed between 1.2.12 and 1.4.x. We'll have to dig deeper.

[darkain]

Yeah, all physical ports, no VLANing going on.

With the local LAN blocked, I get this:

root@OPNsense:~ # zerotier-cli listpeers
200 listpeers <ztaddr> <path> <latency> <version> <role>
200 listpeers 1efc64ad72 - -1 - LEAF
200 listpeers 3a46f1bf30 - -1 - PLANET
200 listpeers 57843a932a - -1 1.2.12 LEAF
200 listpeers 8841408a2e - -1 - PLANET
200 listpeers 9d219039f3 - -1 - PLANET
200 listpeers d5139672da - -1 1.2.12 LEAF
200 listpeers e4da7455b2 - -1 1.4.1 LEAF

When unblocked, I get the proper response (while still having tons of other blacklists listed, but don't contain the local LAN subnet)

root@OPNsense:~ # zerotier-cli listpeers
200 listpeers <ztaddr> <path> <latency> <version> <role>
200 listpeers 1efc64ad72 - -1 - LEAF
200 listpeers 23be93af33 67.x.x.x/9993;503;596 -1 1.2.12 LEAF
200 listpeers 3a46f1bf30 - -1 - PLANET
200 listpeers 57843a932a 96.y.y.y/9993;503;605 16 1.2.12 LEAF
200 listpeers 8841408a2e 45.32.198.130/9993;503;565 62 1.1.5 PLANET
200 listpeers 9d219039f3 - -1 - PLANET
200 listpeers d5139672da 67.x.x.y/9993;503;616 10 1.2.12 LEAF
200 listpeers e4da7455b2 35.236.60.108/52203;504;589 -1 1.4.1 LEAF

So like I said, it even refuses to contact the central ZT service! Kinda crazy.

[darkain]

WHOOPS, my bad. Didn't realize that the ISP was doing NAT where I had the test box, so its WAN address was also within the 192.168.0.0/16 subnet. My bad! I made them change their NAT subnets, and things are normal now.