ZeroTier + Active Directory Authentication
-
@adam.ierymenko said:
@scottalanmiller You could also bridge it to a physical network if you have old boxes, printers, fax machines, etc. A Raspberry Pi makes a great bridge for $30.
I know this is a huge topic - one that I've even participated in. But how realistic is it that you'll want printer access while not onsite? At that point won't the local IP scheme solve the issue?
I suppose if the goal is to never worry about a local network, live purely in the ZT LAN, then this is worthwhile.
-
@Dashrender said:
I know this is a huge topic - one that I've even participated in. But how realistic is it that you'll want printer access while not onsite? At that point won't the local IP scheme solve the issue?
Right, in most cases, the ZT model does not get complex. Things that can't talk on ZT generally don't need ZT.
-
@scottalanmiller said:
@Dashrender said:
A concern is if the complexity is worth it considering my end goal.
In this case, it's hard to know which is more complex. Setting up a VPN solution that does what you need might be more complex to you than ZT. We have ZT running and it is super simple.
Are you using ZT in a Windows based network with AD, DNS etc? How's that working for you if you are? Though in a full on mesh network, I would expect it to work OK or even better than OK.
it's only the half installed situation that it becomes a problem with ZT IP's showing up in DNS for clients that aren't on the ZT network.
-
@Dashrender said:
Are you using ZT in a Windows based network with AD, DNS etc? How's that working for you if you are? Though in a full on mesh network, I would expect it to work OK or even better than OK.
No AD right now on ZT, although that is in the works. No Windows on it right now, just Linux. But in full mesh experience, no issues with AD at all.
-
@Dashrender said:
it's only the half installed situation that it becomes a problem with ZT IP's showing up in DNS for clients that aren't on the ZT network.
Right, the only scenario I would pretty much not entertain is this one. A partial deployment means all of the complexity of the SDN with all of the complexity of managing a VPN in the traditional way along with quite a few additional complications from the lack of intention in design. This introduces problems that neither full mesh nor hub and spoke face.
-
@scottalanmiller If you try AD feel free to update this thread and/or https://www.zerotier.com/community/topic/22/the-big-zerotier-active-directory-lan-virtualization-thread-retitled/2 -- would be helpful
-
LOL - the problem is - that thread is JB's. Where he's trying to deploy ZT but not to every endpoint.
-
Yeah, my tests would not be useful there. He already knows that it works in the modes that we would use it in.
-
@adam.ierymenko said:
@scottalanmiller You could also bridge it to a physical network if you have old boxes, printers, fax machines, etc. A Raspberry Pi makes a great bridge for $30.
Where is this bridge everyone keeps talking about?
-
@FATeknollogee said:
@adam.ierymenko said:
@scottalanmiller You could also bridge it to a physical network if you have old boxes, printers, fax machines, etc. A Raspberry Pi makes a great bridge for $30.
Where is this bridge everyone keeps talking about?
It's just software. install it on whatever you want to install it on.
-
@Dashrender You have a "how to" instruction set?
-
Would you say that the biggest difference between ZT and Pertino in terms of logistics is that Pertino routes traffic across its network, whereas ZT just performs the initial connection and the "clients" then communicate with each other until a loss of connectivity occurs?
Pertino does have smartzones that allows you to tell it when it should just route traffic locally/across the non pertino interface but I don't think it would be encrypted.
-
@FATeknollogee
I don't, but I think @BRRABill was working on it.https://www.zerotier.com/community/topic/5/bridging-ethernet-to-zerotier-virtual-networks-on-linux
This thread talks about it.
The gist is that you make a router out of a device that you can install ZT onto.
-
@FATeknollogee said:
@Dashrender You have a "how to" instruction set?
I think @dafyre created a script for it. I am pretty sure you can only install the bridge on a connector, which has to be a Linux box.
-
I just had a thought.
This is just a wacky solution to the multi IP's for a single host problem that @dafyre was able to solve by telling a NIC to not register with DNS, but I couldn't get to work.
What if you install a bridge on the network, and make your default gateway aware of that network? then if your PC gets a ZT IP from DNS, it can still communicate, only it will be through the bridge.
It's ugly.. but provides a path.
-
@wrx7m said:
@FATeknollogee said:
@Dashrender You have a "how to" instruction set?
I think @dafyre created a script for it. I am pretty sure you can only install the bridge on a connector, which has to be a Linux box.
Doh! you're right it was @dafyre
-
@Dashrender said:
I just had a thought.
This is just a wacky solution to the multi IP's for a single host problem that @dafyre was able to solve by telling a NIC to not register with DNS, but I couldn't get to work.
What if you install a bridge on the network, and make your default gateway aware of that network? then if your PC gets a ZT IP from DNS, it can still communicate, only it will be through the bridge.
It's ugly.. but provides a path.
Why does the gateway need to be aware of it?
-
@scottalanmiller He might mean that the ZT clients would need to know which gateway to use if it is a different gateway on the same network.
-
@scottalanmiller said:
@Dashrender said:
I just had a thought.
This is just a wacky solution to the multi IP's for a single host problem that @dafyre was able to solve by telling a NIC to not register with DNS, but I couldn't get to work.
What if you install a bridge on the network, and make your default gateway aware of that network? then if your PC gets a ZT IP from DNS, it can still communicate, only it will be through the bridge.
It's ugly.. but provides a path.
Why does the gateway need to be aware of it?
Well.. hmm.. OK I was going to say because that way it knows where to forward the packets to internal bridge/router...
But I just read the ZT forum post about the bridge, it's a bridge, not a router between two networks.. it's assumed (bridge) that all devices are on the same network, so there won't be any involvement of the default gateway.. so you can disregard my earlier comments.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
I just had a thought.
This is just a wacky solution to the multi IP's for a single host problem that @dafyre was able to solve by telling a NIC to not register with DNS, but I couldn't get to work.
What if you install a bridge on the network, and make your default gateway aware of that network? then if your PC gets a ZT IP from DNS, it can still communicate, only it will be through the bridge.
It's ugly.. but provides a path.
Why does the gateway need to be aware of it?
Well.. hmm.. OK I was going to say because that way it knows where to forward the packets to internal bridge/router...
But I just read the ZT forum post about the bridge, it's a bridge, not a router between two networks.. it's assumed (bridge) that all devices are on the same network, so there won't be any involvement of the default gateway.. so you can disregard my earlier comments.
That's what I was wondering about
A bridge is just like another switch port.
