Flow rule exception? #124
Comments
Good question; I started working on an emulator for the network rules system but then got busy with other things... but to say the least I am not the in-house expert on it. Let me talk to someone at the "office" and get back to you.
cc @someara (if you have time)
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, January 27th, 2022 at 5:12 PM, Alan ***@***.***> wrote:
What's a good flow rule to include at the top of our rules if we want DNS queries against zeronsd to always resolve for everyone in the ZT network?
I've tried two approaches and neither work for some reason.
Approach 1 - Allow UDP on port 53 destined for my zeronsd server:
accept
ztdest <zeronsd vl1 addr>
and dport 53
and ipprotocol udp
;
Approach 2 - From ZT docs, allow UDP server traffic:
tag udpserver
id 1001
default 0
flag 0 is_udp_server
;
# Accept UDP traffic if the value of the udpserver tag is
# 1 when both sender and receiver tags are ORed together,
# or if UDP traffic is multicast. This allows multicast mDNS
# and Netbios announcements and allows UDP traffic to and
# from UDP servers, but prohibits other horizontal UDP traffic.
accept
ipprotocol udp
and tor udpserver 1
or chr multicast
;
break ipprotocol udp;
I'm testing with:
$ dig +short @<ZERONSD-ZT-IP> machine.in.my.zt.domain
;; connection timed out; no servers could be reached
I think the tag example is OK. Did you set the tag to 1 on the zeronsd node? I noticed recently that applying tags can take a long time... but if you leave and join, that makes it happen faster. The first approach will let DNS requests go to zeronsd... but the replies won't be allowed back to the client 🙃
Oh right of course. I read the docs more closely and I think I understand the limitations here as well.
I did
Yeah I wish the clients could tell you when they get a rule refresh or something, it's very frustrating to think you have a rule working correctly but then it propagates 10m later and everything breaks.
Leave and join the network? From both sides, or just the node you're changing the tag value of? I tried de-auth and re-auth and it didn't seem to work, so maybe my rules actually are broken. I simplified the doc example a bit (I don't need multicast dns between arbitrary devices, just zeronsd support) but I can't get this to work. Here's my entire rule config:
Then I ran this on the
Any idea? Thanks for all your help btw, and for working on an amazing product!
Removing
🤔 I must be doing something really dumb here?
Okay so like, is ARP needed for a DNS server to respond? This works:
All these issues should be resolved by 0.5.0. Please download and confirm. I'm closing this ticket as I've validated several of the use cases already.
@erikh, what issues exactly? Are you saying the ARP exception shouldn't have been required and I should test the new version without it? The rules in #124 (comment) work for me, before 0.5.0, so I think we can just leave this closed and say that #124 (comment) demonstrates how to create flow rule exceptions for zeronsd?
I got the wrong ticket. :)
arp is probably necessary 👍
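To make the two points in this thread concrete (the first approach lets the query reach zeronsd but never lets the reply back, and ARP has to be allowed as well), here is a toy evaluator for a small subset of the ZeroTier flow-rule language. It is an added example for this issue, not code from ZeroTier or zeronsd, and it assumes the documented behaviour that rules run top to bottom, that match terms combine left to right with no precedence, that `break` acts like `drop` (capabilities are not modelled) and that a frame matching no rule is dropped. The node addresses, ports and tag values are constructed; the rule sets are the two from the original post plus a constructed bidirectional variant.

```python
# Toy evaluator for a subset of ZeroTier flow rules, written for this thread;
# not ZeroTier's or zeronsd's own code. Assumptions: rules run top to bottom,
# match terms combine left to right with no precedence, "break" behaves like
# "drop" (no capabilities are modelled), and an unmatched frame is dropped.
# Node addresses, ports and tag values below are constructed.
from dataclasses import dataclass, field
from typing import Optional

ZERONSD = "0123456789"  # constructed node address of the host running zeronsd
CLIENT = "fedcba9876"   # constructed node address of a client


@dataclass
class Packet:
    ztsrc: str
    ztdest: str
    ethertype: str = "ipv4"            # "ipv4" or "arp"
    ipprotocol: Optional[str] = None   # "udp", "tcp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None
    multicast: bool = False            # the "chr multicast" characteristic


@dataclass
class RuleSet:
    tag_defaults: dict = field(default_factory=dict)  # tag name -> default value
    rules: list = field(default_factory=list)         # (action, [(join, predicate)])


def _predicate(tok, i):
    """Turn the match term at tok[i] into pred(pkt, tagval); return (pred, next index)."""
    kw = tok[i]
    if kw in ("ztsrc", "ztdest", "ipprotocol", "ethertype"):
        want = tok[i + 1]
        return (lambda p, _t: getattr(p, kw) == want), i + 2
    if kw in ("sport", "dport"):
        want = int(tok[i + 1])
        return (lambda p, _t: getattr(p, kw) == want), i + 2
    if kw == "chr" and tok[i + 1] == "multicast":
        return (lambda p, _t: p.multicast), i + 2
    if kw == "tor":  # bitwise OR of the sender's and receiver's tag values equals want
        name, want = tok[i + 1], int(tok[i + 2])
        return (lambda p, t: (t(p.ztsrc, name) | t(p.ztdest, name)) == want), i + 3
    raise ValueError(f"unsupported match term: {kw}")


def parse_rules(text: str) -> RuleSet:
    """Parse ';'-terminated statements; '#' starts a comment."""
    rs = RuleSet()
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    for stmt in body.split(";"):
        tok = stmt.split()
        if not tok:
            continue
        if tok[0] == "tag":  # tag <name> id <n> default <v> flag ...
            rs.tag_defaults[tok[1]] = int(tok[tok.index("default") + 1]) if "default" in tok else 0
            continue
        action, terms, join, i = tok[0], [], "and", 1
        while i < len(tok):
            if tok[i] in ("and", "or"):
                join, i = tok[i], i + 1
                continue
            pred, i = _predicate(tok, i)
            terms.append((join, pred))
            join = "and"  # terms are ANDed unless "or" is written explicitly
        rs.rules.append((action, terms))
    return rs


def evaluate(rs: RuleSet, pkt: Packet, node_tags: dict) -> str:
    """Return 'accept' or 'drop'. node_tags maps node address -> {tag name: value}."""
    def tagval(node, name):
        return node_tags.get(node, {}).get(name, rs.tag_defaults.get(name, 0))
    for action, terms in rs.rules:
        matched = True  # a bare "accept;" with no terms matches everything
        for join, pred in terms:
            hit = pred(pkt, tagval)
            matched = (matched or hit) if join == "or" else (matched and hit)
        if matched:
            return "accept" if action == "accept" else "drop"  # drop and break both end here
    return "drop"


def dns_round_trip(rules_text: str, node_tags: dict) -> dict:
    """Verdicts for the frames a client's lookup against zeronsd needs to get through."""
    rs = parse_rules(rules_text)
    frames = {
        "arp": Packet(CLIENT, ZERONSD, ethertype="arp"),
        "query": Packet(CLIENT, ZERONSD, ipprotocol="udp", sport=40000, dport=53),
        "reply": Packet(ZERONSD, CLIENT, ipprotocol="udp", sport=53, dport=40000),
    }
    return {name: evaluate(rs, f, node_tags) for name, f in frames.items()}


# Approach 1 from the thread: only the client -> zeronsd direction is allowed.
APPROACH_1 = f"accept ztdest {ZERONSD} and dport 53 and ipprotocol udp;"

# Constructed variant: both directions stated explicitly, plus the ARP exception.
BOTH_DIRECTIONS = f"""
accept ethertype arp;
accept ztdest {ZERONSD} and dport 53 and ipprotocol udp;
accept ztsrc {ZERONSD} and sport 53 and ipprotocol udp;
"""

# The tag example from the thread, with the same ARP exception added.
TAG_RULES = """
tag udpserver id 1001 default 0 flag 0 is_udp_server;
accept ethertype arp;
# tor: OR of both ends' udpserver values must be 1, so it matches both directions
accept ipprotocol udp and tor udpserver 1 or chr multicast;
break ipprotocol udp;
"""

if __name__ == "__main__":
    print("approach 1          ", dns_round_trip(APPROACH_1, {}))
    print("both directions     ", dns_round_trip(BOTH_DIRECTIONS, {}))
    print("tags, zeronsd tagged", dns_round_trip(TAG_RULES, {ZERONSD: {"udpserver": 1}}))
    print("tags not yet applied", dns_round_trip(TAG_RULES, {}))
```

Running it shows why the tag form works where approach 1 does not: `ztdest` only ever matches one direction, whereas `tor udpserver 1` is symmetric in sender and receiver, so the query and the reply both pass once the tag reaches the zeronsd node. The last case, with the tag still at its default on every node, reproduces the "rules look right but nothing resolves" symptom that a delayed tag refresh causes.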
In that case, I think we can either close this issue or, if you want, you can leave it open as a reminder that this is something worth documenting in the ZeroNS docs? I’ll leave it up to @erikh Thanks everyone!
we're working on a blog post which covers this. I will link it here when I close this ticket. Should just be a few days.
https://www.zerotier.com/2022/05/19/using-flow-rules-to-direct-users-to-services/ is the post. Closing this issue.