How to isolate networks from each other?

Often you want to have a separate network for each project/location. Staex establishes trust between neighbour nodes. This means that you can send a packet to any node reachable by child-parent links.

Staex offers packet forwarding feature to isolate different networks from each other. When you setup forwarding rules they override this behaviour, and allow to only forward packets to the selected networks. The rules are configured in /etc/mcc/forwarding-rules.conf by default.

Setting up packet forwarding rules

In this how-to we will bridge four networks:

Network isolation

We want to only forward the traffic from every laptop to every project and vice versa, i.e. a node from project-a should not be able to reach a node from project-b. The following table shows between which networks the packets are forwarded. Please note that

gateways project-a project-b laptops

To create forwarding rules we write them in a temporary file called rules.conf on each gateway (here we use network names instead of public keys for readability).

bridge project-a-public-key laptops-public-key
bridge project-b-public-key laptops-public-key

Then we apply these rules using the mcc apply-forwarding-rules.

mcc apply-forwarding-rules rules.conf

Setting up network certificates

In order to boot all the nodes in the aforementioned configuration we need to establish trust between the neighbours. To do that we add gateways network certificate to every node as trusted. Then we add every other network certificate to every gateway node as trusted. See network-certificates.

See also