Forward all Destination Ports over Public-Router

Hey guys,

First, I want to say a big "THANK YOU" for this great product. I love it.

Since I'm new to Ziti, is there a way to intercept all requests to a specific destination port and route them over the public router to the intercepted address?

At the moment I have a separate service for each customer/firewall, which is working, but it would be much easier to always intercept the same port and forward it through the public router.

My Host Config is this:

My Intercept Config is this:

Hi @fre4ki, welcome to the community and to OpenZiti! You're WELCOME!! We always appreciate it when people are enjoying the project and product!

If I understand you, you want to have one service that ALL your tunnelers can use, correct? That way you can provision "n" identities, but only have 1 intercept config, 1 host config and 1 service to offload data, right?

On review, I'm not sure I understand exactly the situation. Can you maybe show a diagram?

Hi @TheLumberjack,

I want to use the public router as a traffic forwarder, but I don't want to build a separate service for every customer, because we always use the same destination ports for our services (firewall management from outside). The traffic terminates in the public router and will then be forwarded (directly) to the destination.

I quickly drew a picture, which I hope makes sense:

If you have questions, please feel free.

I think one thing that might be throwing us off is the use of '*' as an intercept address. Is this intended to mean "all hostnames" that one might use when connecting to port 1234? Or is your intent to intercept all IPs?

The '*' notation in the intercept address field is typically used to specify a wildcard domain, but wildcard domains must include the domain part - e.g. "*.somedomain" would allow the service to intercept connections to "host1.somedomain:1234", "host2.somedomain:1234" and so on. There's no way that I know of to intercept connections to all hostnames.

Are you trying to catch connections to all hostnames? Or can you narrow it down to more specific subdomains? You can also specify CIDR ranges in the intercept address field if you're interested in catching connections to IPs.

Is this intended to mean "all hostnames" that one might use when connecting to port 1234?

Correct. It should intercept all addresses and forward through the public-router to the requested destination.

There are no specific subdomains I can use, because sometimes there are IPs and sometimes hostnames.

Maybe I can use 0.0.0.0/0?

0.0.0.0/0 intercepts everything, no matter whether it is the requested destination port or not :confused:

Yes, the tunneler intercepts connections by setting up routes in the host's routing table to direct packets of interest to a tun device that the tunneler is reading from. Unfortunately we can't reject or forward the packets that don't apply to OpenZiti services.
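The two points the replies above make (a wildcard must carry a domain part, and an intercept address of 0.0.0.0/0 installs a route that captures every packet to every IP before any port is considered) are easy to get wrong when writing the configs by hand. The following is an added example, not code from the original thread or from the OpenZiti project: it builds the JSON payloads that `ziti edge create config <name> intercept.v1|host.v1 '<json>'` accepts and models the address-matching rules as the posts describe them. The matcher is a simplified reading of those posts, not the tunneler's source; the `forwardAddress`/`allowedAddresses`/`forwardPort`/`allowedPortRanges` host.v1 fields and the example hostnames and IPs are assumptions chosen for illustration.

```python
"""Added example (not OpenZiti's own code): intercept.v1 / host.v1 payloads and a
simplified model of which destinations an intercept address entry covers."""
import ipaddress
import json


def intercept_config(addresses, low, high, protocols=("tcp",)):
    """intercept.v1 payload: destination addresses and port range tunnelers intercept.
    Field names are the intercept.v1 config type's (assumed from the docs)."""
    return json.dumps({
        "protocols": list(protocols),
        "addresses": list(addresses),
        "portRanges": [{"low": low, "high": high}],
    })


def host_config_forwarding(allowed_addresses, low, high, protocols=("tcp",)):
    """host.v1 payload for the hosting router/tunneler that forwards to whatever
    address and port the client actually dialed, limited by allow-lists.
    Field names are the host.v1 config type's (assumed from the docs)."""
    return json.dumps({
        "forwardProtocol": True,
        "allowedProtocols": list(protocols),
        "forwardAddress": True,
        "allowedAddresses": list(allowed_addresses),
        "forwardPort": True,
        "allowedPortRanges": [{"low": low, "high": high}],
    })


def _as_network(entry):
    """Return the IP network for an IP/CIDR entry, or None for hostnames/wildcards."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def address_matches(entry, destination):
    """Does one intercept address entry cover the destination the client dialed?
    Simplified model of the thread's description: CIDRs match IPs, '*.domain'
    matches subdomains of domain, and a bare '*' is not a valid wildcard."""
    net = _as_network(entry)
    if net is not None:
        try:
            return ipaddress.ip_address(destination) in net
        except ValueError:
            return False  # client dialed a hostname, entry is a CIDR: no match
    if entry.startswith("*."):
        suffix = entry[1:].lower()  # ".somedomain"
        return destination.lower().endswith(suffix) and len(destination) > len(suffix)
    return entry.lower() == destination.lower()  # exact hostname entry


def intercepted(addresses, low, high, destination, port):
    """Would the service's intercept config claim this (destination, port)?"""
    return low <= port <= high and any(address_matches(a, destination) for a in addresses)


def routed_to_tun(addresses, destination_ip):
    """Routing-table stage only: each IP/CIDR entry becomes a route to the tun
    device, and routes carry no port, so every packet to a covered IP is
    captured whether or not any service's port range matches it."""
    ip = ipaddress.ip_address(destination_ip)
    return any(n is not None and ip in n for n in map(_as_network, addresses))


if __name__ == "__main__":
    addrs = ["*.somedomain", "10.0.0.0/8"]  # constructed sample entries
    print(intercept_config(addrs, 1234, 1234))
    print(host_config_forwarding(addrs, 1234, 1234))
    print("host1.somedomain:1234 ->", intercepted(addrs, 1234, 1234, "host1.somedomain", 1234))
    print("bare '*' covers other.example?", address_matches("*", "other.example"))
    # 0.0.0.0/0: the route captures port 443 traffic the service will never claim
    print("0.0.0.0/0 routes 203.0.113.7:443 to tun?", routed_to_tun(["0.0.0.0/0"], "203.0.113.7"))
    print("...but does the service intercept it?", intercepted(["0.0.0.0/0"], 1234, 1234, "203.0.113.7", 443))
```

The last two lines of the demo are the situation in the thread: with 0.0.0.0/0 the route sends all traffic into the tun device, but a connection whose port falls outside the service's range matches no service, so it is neither delivered nor handed back to the normal network path.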