Zerotierone: Flow rules not working as expected
I'm having trouble getting the flow rules to work - I assume I'm doing something wrong, but even the simplest ruleset doesn't seem to be acting as I would expect.
I've not had any luck except with a completely unfiltered network, but for simplicity's sake, I'd like to start with something as simple as 'allow ICMP between nodes'.
With the simple flow rule example below, I can not ping between any devices on my network. If I change the drop to accept, then it works perfectly (so no local firewall issues preventing ICMP traffic), but I don't seem to be able to write any useful rules to filter the traffic between nodes.
To Reproduce
Steps to reproduce the behaviour:
- Create a network
- Apply the following flow rules:
```
accept ipprotocol icmp4;
drop;
```
- Attempt to ping each of the hosts from the other by their managed IP address
Expected behavior
The ICMP echo and reply traffic should succeed
Desktop (please complete the following information):
- OS: Windows 10
- ZeroTier Version 1.4.6
Am I doing something wrong there, or should the above basic ruleset allow pinging between ZT nodes? When the restrictive flow rules are not in place, all traffic flows correctly, as does just blindly adding an accept ztsrc (node_1); accept ztsrc (node_2);, but as soon as I attempt to add any kind of filtering in place, traffic no longer flows.
Samon33
All 2 comments
add accept ethertype arp;
I tested this and it seemed to solve it for me. Nodes need to be able to find each other!
6PLANE or RFC4193 addresses should work with icmp6 without arp.
laduke
on 17 Aug 2020
Thanks @laduke, that was it!
Samon33
on 18 Aug 2020
Related issues
gdamore
路
5Comments
mattgorski
路
4Comments
AlexisTM
路
4Comments
MaskRay
路
4Comments
unquietwiki
路
3Comments
Most helpful comment
add
accept ethertype arp;I tested this and it seemed to solve it for me. Nodes need to be able to find each other!
6PLANE or RFC4193 addresses should work with icmp6 without arp.