TFT ZeroOS - Enterprise Firewall without UPnP

I'm not sure about what ports are required and I can't find any documentation anywhere on what ports are required. I'm guessing this solution uses some kind of UPnP. Does anyone know what ports are required or if there exists some kind of network diagram for the solution? Would be super if it included the 3bot as well.

Just making a note that we’ve been covering this over on another thread: How to set-up your own 3Node

Aaaand, bringing the convo back here :smile:

@zerosubnet asks:

I have looked at the source code and the Network large scale deployment wiki and it looks like all the 3Nodes require a public IP, or on small-scale home networks it uses UPnP.

Are you sure there's no documentation on the packet flow? Is WireGuard a requirement for the node to come up? Because WireGuard uses UDP NAT hole punching.

Huh…
nono, we don’t UPnP at all.
3Nodes do not require a public IPv4 and don’t punch holes (although that would be in the works)
The way it behaves is, when it's a fully hidden node, i.e. no IPv6, only RFC1918 private networks, it:

  • uses the planetary network (tcp) to create an overlay through the NAT gateway
  • finds a node with a public IP to relay the private networks for containers and vms

Either way, a node will be a lot happier in terms of performance if there is some IPv6 available.

Hi,

Okay. But the overlay network is WireGuard, right? Because I need to receive the frames on my node on the same port as the outgoing port. WireGuard does not support a random source port, as the port is part of the algo. I can of course keep the original source port when the packet egresses the network, but that would make me allocate a ton of source ports in the firewall for that specific IP.

So if this is the case that it uses WireGuard to build the overlay network:
Is there an option to hardcode the port that WireGuard uses in ZOS?

If I had a ton of IPs I could of course 1:1 NAT the traffic, but that's a no-go as I don't have a lot of spare IPv4.

please DM me on Telegram (@delandtj)

Don't have Telegram; Discord?

don’t even know what that is :smiley:

:slight_smile: It's what most people use, I guess. I've got Teams, Discord, Keybase.

So, does it use WireGuard or nahh?

Nodes communicate with each other over both WireGuard and Yggdrasil. WireGuard is a strict requirement, as it's used to create the private overlay networks which host all workloads. There really aren't any options to set in ZOS, beyond the farmer id and some kernel parameters.

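The thread ends without a firewall rule set, so here is one that addresses the problem raised above (the node's WireGuard UDP socket has to keep a stable public port through NAT, while the Yggdrasil / planetary network side is ordinary outbound TCP). This is an added example in nftables syntax, not ZOS, ThreeFold or the forum participants' own configuration. Everything concrete in it is an assumption: the node's LAN address 192.168.10.20, the firewall's WAN interface eth0 and public address 203.0.113.10, and UDP port 51820 for the node's WireGuard endpoint (51820 is only WireGuard's conventional default; the thread says ZOS does not let you set it, so read the port the node actually uses from your firewall's connection-tracking table and substitute it).

```nftables
# Added example, not ZOS/ThreeFold configuration. Assumed values (not from the
# thread): node at 192.168.10.20, WAN interface eth0 with public IP
# 203.0.113.10, node WireGuard endpoint on UDP 51820 (replace with the port you
# observe in conntrack). Load with: nft -f zos-node.nft
table inet zos_node {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to anything the node (or any LAN host) initiated
        ct state established,related accept

        # WireGuard overlay: outbound UDP from the node's fixed source port
        ip saddr 192.168.10.20 udp sport 51820 oifname "eth0" accept

        # Yggdrasil / planetary network peers: outbound TCP from the node
        ip saddr 192.168.10.20 meta l4proto tcp oifname "eth0" accept

        # other LAN hosts need their own accept rules here; this chain only
        # covers the node
    }
}

table ip zos_nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # Pin the NAT mapping for the node's WireGuard socket: the public
        # source port is fixed to 51820 instead of being picked from the
        # masquerade pool, so the node's peers always see the same endpoint
        # and inbound WireGuard replies land on the existing conntrack entry.
        ip saddr 192.168.10.20 udp sport 51820 oifname "eth0" snat to 203.0.113.10:51820

        # everything else leaving the LAN gets ordinary masquerading, with
        # whatever source port the kernel allocates
        oifname "eth0" masquerade
    }
}
```

The explicit `snat to address:port` is what keeps the mapping stable: plain `masquerade` tries to preserve the source port but will remap it on collision, which is exactly the behaviour the poster wanted to avoid. The pin only works for one node per public IP, since two hosts cannot both own 203.0.113.10:51820; with several nodes behind one address you are back to the 1:1 NAT discussed above, or to giving each node a distinct observed WireGuard port. Inbound sessions to the node (which the thread says are relayed via a public node anyway) are not opened by this rule set; only return traffic to node-initiated flows is allowed.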