How to isolate networks from each other?
Often you want to have a separate network for each project/location. Staex establishes trust between neighbour nodes. This means that you can send a packet to any node reachable by child-parent links.
Staex offers packet forwarding feature to isolate different networks from each other.
When you setup forwarding rules they override this behaviour,
and allow to only forward packets to the selected networks.
The rules are configured in
/etc/mcc/forwarding-rules.conf
by default.
Setting up packet forwarding rules
In this how-to we will bridge four networks:
- network gateways — all nodes with public IP addresses through which we forward all the traffic,
- network project-a — all nodes related to project A,
- network project-b — all nodes related to project B,
- network laptops — your employees' laptops.
We want to only forward the traffic from every laptop to every project and vice versa, i.e. a node from project-a should not be able to reach a node from project-b. The following table shows between which networks the packets are forwarded. Please note that
- nodes can always send packets to their direct neighbours, and these packets are not subject to forwarding rules.
- By default we do not forward packets within the same network, i.e. IoT devices from project-a will not be able to access each other. This statement is true only if you specify at least one forwarding rule, otherwise all packets are forwarded.
| gateways | project-a | project-b | laptops | |
|---|---|---|---|---|
| gateways | ||||
| project-a | ✓ | |||
| project-b | ✓ | |||
| laptops | ✓ | ✓ |
To create forwarding rules we write them in a temporary file called rules.conf on each gateway
(here we use network names instead of public keys for readability).
bridge project-a-public-key laptops-public-key
bridge project-b-public-key laptops-public-key
Then we apply these rules using the mcc apply-forwarding-rules.
Setting up network certificates
In order to boot all the nodes in the aforementioned configuration
we need to establish trust between the neighbours.
To do that we add gateways network certificate to every node as trusted.
Then we add every other network certificate to every gateway node as trusted.
See network-certificates.