ZeroTier: is this a good time to use...
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
I was talking a bit more generically for my DHCP server on my LAN - if a laptop stays off beyond my 8 lease, that IP will be assigned to something else.
What's the use case for doing that, though?
What do you mean? This is the default way windows DHCP works. After the IP lease expires, it simply goes back into the pool.
The question is... why would you be using it in a ZT scenario? Why have DHCP for ZT addresses at all? What's the end goal?
Yeah I don't, never said I did.
-
@scottalanmiller said:
@Dashrender said:
@dafyre said:
@scottalanmiller said:
@Dashrender said:
I was talking a bit more generically for my DHCP server on my LAN - if a laptop stays off beyond my 8 lease, that IP will be assigned to something else.
What's the use case for doing that, though?
He's talking about generic DHCP on a LAN.
Correct - I am talking about my LAN. I'm not assigning IPs to the ZT network adapters.
Oh, I guess I missed something then.
I was giving @dafyre an example of when IP's change - my LAN based DHCP will give out the same IP to another device after a leas expires.
What we don't know - does the ZT DHCP follow normal protocols and hand out an IP after a lease expires? or does it assign it for life?
-
@Dashrender said:
What we don't know - does the ZT DHCP follow normal protocols and hand out an IP after a lease expires? or does it assign it for life?
There is no ZT DHCP. That's where the confusion came from. ZT does not use DHCP, so there is no connection to DHCP-like behaviour. Pertino does not either.
-
-
@anonymous said:
What? Then how do addresses get assigned?
Via the client. Remember that the client talks to the server. No need for something like DHCP.
-
@scottalanmiller said:
@anonymous said:
What? Then how do addresses get assigned?
Via the client. Remember that the client talks to the server. No need for something like DHCP.
Scott is correct here. If you check a Windows system with ZT installed, and look at the ipv4 properties of the adapter, you will see that by default the IP address & DNS boxes are set to "static" but they are blank.
-
Cool - OK then you can effectively say that the IP assigned on the ZT will never change
-
In terms of the gateway feature, is it Linux connector + bridged mode?
-
@wrx7m said:
In terms of the gateway feature, is it Linux connector + bridged mode?
That is supposed to be the way it works, but I haven't been able to get it to work like that.
If I want it as a "gateway", I just set it up as a router, and add static routes on the physical routers on each site.
-
@dafyre said:
@wrx7m said:
In terms of the gateway feature, is it Linux connector + bridged mode?
That is supposed to be the way it works, but I haven't been able to get it to work like that.
If I want it as a "gateway", I just set it up as a router, and add static routes on the physical routers on each site.
that doesn't allow for ethernet level access - definitely not the same thing at all.
-
@Dashrender said:
@dafyre said:
@wrx7m said:
In terms of the gateway feature, is it Linux connector + bridged mode?
That is supposed to be the way it works, but I haven't been able to get it to work like that.
If I want it as a "gateway", I just set it up as a router, and add static routes on the physical routers on each site.
that doesn't allow for ethernet level access - definitely not the same thing at all.
Sadly, you are very much correct.
-
That's why ZT refers to it as a bridge, not a router. It's true bridging functionality that is needed to make it work as intended.
-
@scottalanmiller said:
That's why ZT refers to it as a bridge, not a router. It's true bridging functionality that is needed to make it work as intended.
That's what I thought, but @dafyre is saying he's been unable to get it to work.
-
@FATeknollogee said:
Type 3: Users (are contractors), they connect via VPN from overseas
Seems like a bad idea. Usually employees are given VPN access from company owned devices. a VPN is too much exposure for non-company owned devices and for people who aren't full employees. I would look into some other form of access, RD Gateway with RDS or Ctirix etc for these people.
-
@Dashrender said:
@scottalanmiller said:
That's why ZT refers to it as a bridge, not a router. It's true bridging functionality that is needed to make it work as intended.
That's what I thought, but @dafyre is saying he's been unable to get it to work.
I have not been able to get it to work. I got a post out on their community, but haven't heard anything back yet, lol.
-
@Jason said:
@FATeknollogee said:
Type 3: Users (are contractors), they connect via VPN from overseas
Seems like a bad idea. Usually employees are given VPN access from company owned devices. a VPN is too much exposure for non-company owned devices and for people who aren't full employees. I would look into some other form of access, RD Gateway with RDS or Ctirix etc for these people.
Are you saying access via ZT is not a good idea?
-
@FATeknollogee said:
@Jason said:
@FATeknollogee said:
Type 3: Users (are contractors), they connect via VPN from overseas
Seems like a bad idea. Usually employees are given VPN access from company owned devices. a VPN is too much exposure for non-company owned devices and for people who aren't full employees. I would look into some other form of access, RD Gateway with RDS or Ctirix etc for these people.
Are you saying access via ZT is not a good idea?
Correct. ZT is a VPN. VPNs from arbitrary devices is normally a bad idea. The only exception to this is when you would have happily exposed the LAN to the Internet and this is purely a handy control of IP addresses. If security is your goal, you are bypassing security using a VPN in this role. VPNs are very dangerous because they are about exposure.
-
@scottalanmiller said:
@FATeknollogee said:
@Jason said:
@FATeknollogee said:
Type 3: Users (are contractors), they connect via VPN from overseas
Seems like a bad idea. Usually employees are given VPN access from company owned devices. a VPN is too much exposure for non-company owned devices and for people who aren't full employees. I would look into some other form of access, RD Gateway with RDS or Ctirix etc for these people.
Are you saying access via ZT is not a good idea?
Correct. ZT is a VPN. VPNs from arbitrary devices is normally a bad idea. The only exception to this is when you would have happily exposed the LAN to the Internet and this is purely a handy control of IP addresses. If security is your goal, you are bypassing security using a VPN in this role. VPNs are very dangerous because they are about exposure.
The whole trusted network issue. LAN vs LAN-less
As more and more things move to networks that are not local to our computers, we're changing seeing how we trust things.
Traditionally we trust machines that are on our local LAN, but, if flip that on its ear and trust nothing, and always setup authenticated/trusted communications no matter where device is in comparison to us, then we are much safer.
-
@Dashrender said:
@scottalanmiller said:
@FATeknollogee said:
@Jason said:
@FATeknollogee said:
Type 3: Users (are contractors), they connect via VPN from overseas
Seems like a bad idea. Usually employees are given VPN access from company owned devices. a VPN is too much exposure for non-company owned devices and for people who aren't full employees. I would look into some other form of access, RD Gateway with RDS or Ctirix etc for these people.
Are you saying access via ZT is not a good idea?
Correct. ZT is a VPN. VPNs from arbitrary devices is normally a bad idea. The only exception to this is when you would have happily exposed the LAN to the Internet and this is purely a handy control of IP addresses. If security is your goal, you are bypassing security using a VPN in this role. VPNs are very dangerous because they are about exposure.
The whole trusted network issue. LAN vs LAN-less
As more and more things move to networks that are not local to our computers, we're changing seeing how we trust things.
Traditionally we trust machines that are on our local LAN, but, if flip that on its ear and trust nothing, and always setup authenticated/trusted communications no matter where device is in comparison to us, then we are much safer.
I think that it is beyond time that we stop trusting machines on our local lan. Even my home network has the service discovery disabled, and each machine has its firewall turned on for that very reason.
-
@dafyre said:
@Dashrender said:
@scottalanmiller said:
@FATeknollogee said:
@Jason said:
@FATeknollogee said:
Type 3: Users (are contractors), they connect via VPN from overseas
Seems like a bad idea. Usually employees are given VPN access from company owned devices. a VPN is too much exposure for non-company owned devices and for people who aren't full employees. I would look into some other form of access, RD Gateway with RDS or Ctirix etc for these people.
Are you saying access via ZT is not a good idea?
Correct. ZT is a VPN. VPNs from arbitrary devices is normally a bad idea. The only exception to this is when you would have happily exposed the LAN to the Internet and this is purely a handy control of IP addresses. If security is your goal, you are bypassing security using a VPN in this role. VPNs are very dangerous because they are about exposure.
The whole trusted network issue. LAN vs LAN-less
As more and more things move to networks that are not local to our computers, we're changing seeing how we trust things.
Traditionally we trust machines that are on our local LAN, but, if flip that on its ear and trust nothing, and always setup authenticated/trusted communications no matter where device is in comparison to us, then we are much safer.
I think that it is beyond time that we stop trusting machines on our local lan. Even my home network has the service discovery disabled, and each machine has its firewall turned on for that very reason.
I go back and forth on using the home networking features that Windows has these days.
