How to use ziti to protect my device

There are some PCs in our switch network that manage some devices.

Now all PCs connected to the switch can manage the device.

it's unsafe. So we want to protect devices by ziti. Here are my thoughts:

Connect a small industrial computer with dual network ports and Ubuntu Server between the switch and the device. Prevent PC and device from communicating directly. Then install the ziti tunnel program on PC and Ubuntu Server, The data is forwarded to the device by the ziti program on the Ubuntu Server.

But we encountered a problem. If the IP configured on the PC and the device are not in the same subnet, then this solution is feasible and has been verified. We only need to configure the two cards ports of the ubuntu server to configure the IP of the corresponding subnet.

Here is my config and service

ziti edge create config device-intercept-config intercept.v1 '{"protocols": ["udp"], "addresses": ["","",""], "portRanges": [{"low": 5000, "high": 5000}]}'
ziti edge create config device-host-config host.v1 '{"forwardAddress": "true", "allowedAddresses": ["","",""] ,"forwardPort":"true", "allowedPortRanges":[{"low":5000,"high":5000}],"forwardProtocol": "true","allowedProtocols":["udp"]}'
ziti edge create service device-connect  -c device-intercept-config,device-host-config

we need to bind the PC and Ubuntu Server to the service. Finally, the PC with the ziti program installed can directly access the 5000 port of

However, in actual usage scenarios, we cannot modify the IP addresses of the PC and the device, they must all be in the same subnet.

We must configure the two network cards of Ubuntu Server with the same subnet IP.

However, network communication will conflict in this way.So I did some routing configuration.

Using the device on the far left as an example.
I use netplan to configure the network. Here is my config:

        version: 2
        renderer: networkd
                        dhcp4: no
                        addresses: []
                        optional: yes
                                addresses: []
                        dhcp4: no
                        addresses: []
                        optional: yes

After completing the configuration, the system generates two routes, the source of conflict.

Destination Gateway Genmask Flags Metric Ref Use Iface U 0 0 0 eth0 U 0 0 0 eth1

So the system does not know which network card is used to access the same subnet.
Now I want to access through the eth1 network card, and other accesses through the eth0 network card.
I manually configured two routing rules.

$ route del -net netmask dev eth1
$ route add -host dev eth1

After completing the above process, my goal was achieved.the PC with the ziti program installed can directly access the 5000 port of

Just when I thought the network transformation was complete, new problems arose.

When Ubuntu Server restarts or the network cable is plugged and unplugged, the previously configured routing policy is restored.The routing policies of the two network ports are the same as when the network was configured.Writing these two configuration scripts into /etc/rc.local has no effect.

So do you have any good solutions that can help me solve this problem, or how to use ziti to achieve my goals in this scenario?

Hi @cctomato, welcome to the community and to OpenZiti!

Sorry about the post. It got flagged by Discourse because you "typed it suspiciously fast".... LOL! I can tell you put thought into it though, so I'll go review and get back to you in a bit.