How to use ziti to protect my device

There are some PCs in our switch network that manage some devices.

Now all PCs connected to the switch can manage the device.

It's unsafe. So we want to protect the devices with ziti. Here are my thoughts:

Connect a small industrial computer with dual network ports and Ubuntu Server between the switch and the device. Prevent the PC and the device from communicating directly. Then install the ziti tunnel program on the PC and the Ubuntu Server. The data is forwarded to the device by the ziti program on the Ubuntu Server.

But we encountered a problem. If the IPs configured on the PC and the device are not in the same subnet, then this solution is feasible and has been verified. We only need to configure the two network ports of the Ubuntu Server with IPs in the corresponding subnets.

Here are my configs and service:

ziti edge create config device-intercept-config intercept.v1 '{"protocols": ["udp"], "addresses": ["192.168.150.10","192.168.150.11","192.168.150.12"], "portRanges": [{"low": 5000, "high": 5000}]}'
ziti edge create config device-host-config host.v1 '{"forwardAddress": true, "allowedAddresses": ["192.168.150.10","192.168.150.11","192.168.150.12"], "forwardPort": true, "allowedPortRanges": [{"low": 5000, "high": 5000}], "forwardProtocol": true, "allowedProtocols": ["udp"]}'
ziti edge create service device-connect -c device-intercept-config,device-host-config

We need to bind the PC and the Ubuntu Server to the service. Finally, the PC with the ziti program installed can directly access port 5000 of 192.168.150.10.

However, in actual usage scenarios, we cannot modify the IP addresses of the PC and the device; they must all be in the same subnet.

We must configure the two network cards of Ubuntu Server with the same subnet IP.

However, network communication will conflict in this way. So I did some routing configuration.

Using the device on the far left as an example.
I use netplan to configure the network. Here is my config:

network:
        version: 2
        renderer: networkd
        ethernets:
                eth0:
                        dhcp4: no
                        addresses: [192.168.2.30/24]
                        optional: yes
                        gateway4: 192.168.2.1
                        nameservers:
                                addresses: [192.168.2.1]
                eth1:
                        dhcp4: no
                        addresses: [192.168.2.100/24]
                        optional: yes

After completing the configuration, the system generates two routes, which are the source of the conflict.

Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

So the system does not know which network card is used to access the same subnet.
Now I want to access 192.168.2.10 through the eth1 network card, and other accesses through the eth0 network card.
I manually configured two routing rules.

$ route del -net 192.168.2.0 netmask 255.255.255.0 dev eth1
$ route add -host 192.168.2.10 dev eth1

After completing the above process, my goal was achieved. The PC with the ziti program installed can directly access port 5000 of 192.168.2.10.

Just when I thought the network transformation was complete, new problems arose.

When the Ubuntu Server restarts or the network cable is plugged in and unplugged, the previously configured routing policy is reset. The routing policies of the two network ports are the same as when the network was first configured. Writing these two configuration commands into /etc/rc.local has no effect.

So do you have any good solutions that can help me solve this problem, or how to use ziti to achieve my goals in this scenario?
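One way to make the split routing survive reboots and link flaps, shown here as an added example (not from this thread, and not verified on the poster's hardware): give eth1 a /32 address so networkd does not generate a competing 192.168.2.0/24 prefix route on it, then declare the host route to the device in netplan itself instead of in /etc/rc.local. The interface names and addresses are the ones from the post; the /32 trick and the `scope: link` host route are my assumptions.

```yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: no
      addresses: [192.168.2.30/24]   # /24 here: eth0 keeps the normal subnet route
      nameservers:
        addresses: [192.168.2.1]
      routes:
        - to: default
          via: 192.168.2.1
    eth1:
      dhcp4: no
      # Assumption: a /32 address makes networkd skip the 192.168.2.0/24
      # prefix route on eth1, so only eth0 owns the subnet route.
      addresses: [192.168.2.100/32]
      routes:
        # Host route to the protected device, link scope (no gateway),
        # so ARP for 192.168.2.10 goes out eth1 only. Persisted by netplan,
        # so it is re-created after a reboot or cable replug.
        - to: 192.168.2.10/32
          scope: link
```

Apply with `sudo netplan apply` and confirm with `ip route` that 192.168.2.0/24 appears only on eth0 and 192.168.2.10 only on eth1.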

Hi @cctomato, welcome to the community and to OpenZiti!

Sorry about the post. It got flagged by Discourse because you "typed it suspiciously fast".... LOL! I can tell you put thought into it though, so I'll go review and get back to you in a bit.