    ZeroTier + Active Directory Authentication

    IT Discussion · Tags: zerotier, ad, active directory, authentication, work in progress · 111 Posts, 10 Posters, 47.9k Views
    • scottalanmiller @Dashrender

      @Dashrender said:

      @dafyre said:

      @scottalanmiller said:

      @Dashrender said:

      I'm curious though.. what happens when two NICs have IPs in the same range? This would be the case when a laptop is in the office.

      Why would that happen with laptops?

      He means if they use the same IP range for both the LAN and the ZT network... what would happen if a laptop got 192.168.16.16 on the LAN, as well as 192.168.16.16 on the ZT network.

      uh.. no - that shouldn't happen.

      So looking at the ZT docs on creating a bridge: The LAN will use 192.168.0.x and ZT will use 192.168.1.x. DHCP on the LAN will only provide 192.168.0.x addresses so you'll never have a conflict of IPs (wasn't part of my concern)
      But since this is all in the same /22 you now have two adapters on the same network.

      I don't have the docs in front of me, but why is it making two addresses on the same LAN?

      • Dashrender @scottalanmiller

        @scottalanmiller said:

        @Dashrender said:

        @dafyre said:

        @scottalanmiller said:

        @Dashrender said:

        I'm curious though.. what happens when two NICs have IPs in the same range? This would be the case when a laptop is in the office.

        Why would that happen with laptops?

        He means if they use the same IP range for both the LAN and the ZT network... what would happen if a laptop got 192.168.16.16 on the LAN, as well as 192.168.16.16 on the ZT network.

        uh.. no - that shouldn't happen.

        So looking at the ZT docs on creating a bridge: The LAN will use 192.168.0.x and ZT will use 192.168.1.x. DHCP on the LAN will only provide 192.168.0.x addresses so you'll never have a conflict of IPs (wasn't part of my concern)
        But since this is all in the same /22 you now have two adapters on the same network.

        I don't have the docs in front of me, but why is it making two addresses on the same LAN?

        because that's how bridging works. Bridging assumes NO routes.. everything is on the same subnet.

        • Dashrender

          https://www.zerotier.com/community/topic/5/bridging-ethernet-to-zerotier-virtual-networks-on-linux

          Configure the DHCP Server in the Office LAN to give leases in the range 10.0.0.100-10.0.0.200.
          Configure the ZeroTier portal to manage IP addresses in the range 10.0.1.100-10.0.1.200. Note how the address ranges are in the same 10.0.0.0/16 subnet, but have a unique pool of IP addresses.

          The instructions have you create a giant /16 subnet: the LAN will be on x.x.0.x and the ZT will be on x.x.1.x. No routers involved for communication here.

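An added example, not from the thread or from ZeroTier's HOWTO, that checks the addressing plan quoted above with Python's standard-library ipaddress module: both lease pools must sit inside the one prefix that every host (LAN and ZT) uses as its subnet mask, and the LAN DHCP scope and the ZT-managed pool must never overlap. The 10.0.0.0/16 plan and its pools are the values from the post; the /24-mask and overlapping-pool variants are constructed to show what each check catches.

```python
from ipaddress import IPv4Address, IPv4Network, summarize_address_range


def pool(first: str, last: str) -> list:
    """Cover the inclusive lease range first..last with CIDR blocks."""
    return list(summarize_address_range(IPv4Address(first), IPv4Address(last)))


def pools_overlap(a: list, b: list) -> bool:
    """True if some address could be handed out by both the LAN DHCP server and the ZT controller."""
    return any(x.overlaps(y) for x in a for y in b)


def on_link(host_ip: str, prefixlen: int, dst: str) -> bool:
    """Would a host with this address/mask ARP for dst directly (True) or hand it to its default gateway (False)?"""
    return IPv4Address(dst) in IPv4Network(f"{host_ip}/{prefixlen}", strict=False)


def check_bridge_plan(bridged_prefix: str, lan_pool: tuple, zt_pool: tuple) -> dict:
    """Evaluate an addressing plan for a bridged ZeroTier network.

    bridged_prefix is the subnet every host (LAN and ZT) is configured with;
    lan_pool and zt_pool are (first, last) address tuples.
    """
    net = IPv4Network(bridged_prefix)
    lan, zt = pool(*lan_pool), pool(*zt_pool)
    return {
        # Every lease on both sides falls inside the prefix hosts treat as local, so a
        # LAN host reaches a ZT host by ARP across the bridge; no router is involved.
        "single_l2_domain": all(n.subnet_of(net) for n in lan + zt),
        # The two pools must never hand out the same address.
        "lease_overlap": pools_overlap(lan, zt),
    }


# Plan from the ZeroTier bridging HOWTO quoted in the post.
HOWTO_PLAN = check_bridge_plan("10.0.0.0/16", ("10.0.0.100", "10.0.0.200"), ("10.0.1.100", "10.0.1.200"))

# Constructed mistake: same pools, but hosts configured with a /24 mask. Nothing collides,
# yet a LAN host sends 10.0.1.x to its gateway instead of ARPing across the bridge.
NARROW_MASK_PLAN = check_bridge_plan("10.0.0.0/24", ("10.0.0.100", "10.0.0.200"), ("10.0.1.100", "10.0.1.200"))

# Constructed mistake: ZT controller pool overlapping the LAN DHCP scope.
OVERLAP_PLAN = check_bridge_plan("10.0.0.0/16", ("10.0.0.100", "10.0.0.200"), ("10.0.0.150", "10.0.0.250"))

if __name__ == "__main__":
    for name, plan in (("howto", HOWTO_PLAN), ("narrow_mask", NARROW_MASK_PLAN), ("overlap", OVERLAP_PLAN)):
        print(name, plan)
    print("10.0.0.120/16 -> 10.0.1.150 on-link:", on_link("10.0.0.120", 16, "10.0.1.150"))
    print("10.0.0.120/24 -> 10.0.1.150 on-link:", on_link("10.0.0.120", 24, "10.0.1.150"))
```

The practical consequence of the /24 case: the subnet mask the office DHCP server hands out has to match the prefix the ZT controller manages (here /16), otherwise LAN hosts never ARP for the ZT side and the bridge looks broken even though no address is duplicated.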
          • Dashrender

            So if I'm reading this correctly, using bridging means that no ZT devices can ever be on the local network, except the one server providing the bridging, which it's doing through a disconnected NIC port that's acting like a switch port.

            The typical ZT clients would need to never be on that same physical network.

            • JaredBusch @Dashrender

              @Dashrender said:

              So if I'm reading this correctly, using bridging means that no ZT devices can ever be on the local network, except the one server providing the bridging, which it's doing through a disconnected NIC port that's acting like a switch port.

              The typical ZT clients would need to never be on that same physical network.

              There is no reason they cannot be on the same network.
              I can have my laptop plugged in to the LAN and WiFi at the same time. They get two different addresses. This is no different with ZT. It is a separate adapter.

              Basic IP functions here, nothing complicated.

              • dafyre @Dashrender

                @Dashrender said:

                https://www.zerotier.com/community/topic/5/bridging-ethernet-to-zerotier-virtual-networks-on-linux

                Configure the DHCP Server in the Office LAN to give leases in the range 10.0.0.100-10.0.0.200.
                Configure the ZeroTier portal to manage IP addresses in the range 10.0.1.100-10.0.1.200. Note how the address ranges are in the same 10.0.0.0/16 subnet, but have a unique pool of IP addresses.

                The instructions have you create a giant /16 subnet: the LAN will be on x.x.0.x and the ZT will be on x.x.1.x. No routers involved for communication here.

                I totally missed that bit before... I think I am going to try it out again. 🙂

                • Dashrender @JaredBusch

                  @JaredBusch said:

                  @Dashrender said:

                  So if I'm reading this correctly, using bridging means that no ZT devices can ever be on the local network, except the one server providing the bridging, which it's doing through a disconnected NIC port that's acting like a switch port.

                  The typical ZT clients would need to never be on that same physical network.

                  There is no reason they cannot be on the same network.
                  I can have my laptop plugged in to the LAN and WiFi at the same time. They get two different addresses. This is no different with ZT. It is a separate adapter.

                  Basic IP functions here, nothing complicated.

                  Good point - I've done that before too. Though it's my understanding that the default in Windows - when the LAN is connected, the WLAN is ignored.

                  • Dashrender @dafyre

                    @dafyre said:

                    @Dashrender said:

                    https://www.zerotier.com/community/topic/5/bridging-ethernet-to-zerotier-virtual-networks-on-linux

                    Configure the DHCP Server in the Office LAN to give leases in the range 10.0.0.100-10.0.0.200.
                    Configure the ZeroTier portal to manage IP addresses in the range 10.0.1.100-10.0.1.200. Note how the address ranges are in the same 10.0.0.0/16 subnet, but have a unique pool of IP addresses.

                    The instructions have you create a giant /16 subnet: the LAN will be on x.x.0.x and the ZT will be on x.x.1.x. No routers involved for communication here.

                    I totally missed that bit before... I think I am going to try it out again. 🙂

                    Well that might be why your Bridge didn't work 😛

                    I don't really want a bridge - I want a ZT to LAN router. Then you could have all of your printers on your production network, all of your users on open/free network, and the ZT would still provide IP access to the printers and their real IPs.

                    The problem with this is putting a route into the local machine that ensures that traffic bound for that routed network goes through ZT, not the default gateway of the end point.

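An added example, not from the thread, of the routing problem the post above raises: a ZT-to-LAN router only works if each endpoint has a route that sends the office prefix into the ZeroTier interface instead of to its default gateway. The script models a roaming laptop's route table and does the kernel's longest-prefix match over it, with and without that route. All addresses are constructed: the laptop is on a coffee-shop network 192.168.1.0/24 with gateway 192.168.1.1, the ZeroTier network is 10.147.17.0/24, the office LAN with the printers is 192.168.50.0/24, and the ZT node that routes into the office has ZT address 10.147.17.5.

```python
from ipaddress import IPv4Address, IPv4Network


def lookup(routes: list, dst: str):
    """Longest-prefix match: the most specific route whose prefix contains dst wins.

    A route is (destination prefix, next hop or None for on-link, egress interface).
    """
    addr = IPv4Address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def egress(routes: list, dst: str):
    """Interface a packet to dst leaves on, or None if there is no matching route."""
    r = lookup(routes, dst)
    return r[2] if r else None


def laptop_routes(with_office_route: bool) -> list:
    """Constructed route table for a roaming laptop.

    wlan0: coffee-shop network 192.168.1.0/24, default gateway 192.168.1.1
    zt0:   ZeroTier network 10.147.17.0/24 (assumed managed range)
    The office LAN is 192.168.50.0/24 and the ZT node acting as its router is 10.147.17.5.
    """
    routes = [
        (IPv4Network("0.0.0.0/0"), "192.168.1.1", "wlan0"),   # default route via the hotspot
        (IPv4Network("192.168.1.0/24"), None, "wlan0"),        # hotspot LAN, on-link
        (IPv4Network("10.147.17.0/24"), None, "zt0"),          # ZeroTier peers, on-link
    ]
    if with_office_route:
        # The route the endpoint needs; on a real host this is e.g.
        #   Linux:   ip route add 192.168.50.0/24 via 10.147.17.5
        #   Windows: route add 192.168.50.0 mask 255.255.255.0 10.147.17.5
        routes.append((IPv4Network("192.168.50.0/24"), "10.147.17.5", "zt0"))
    return routes


if __name__ == "__main__":
    for installed in (False, True):
        rt = laptop_routes(installed)
        print(f"office route installed={installed}:",
              "printer 192.168.50.20 ->", egress(rt, "192.168.50.20"),
              "| internet ->", egress(rt, "93.184.216.34"),
              "| ZT peer ->", egress(rt, "10.147.17.9"))
```

Without the /24 route the printer traffic matches only 0.0.0.0/0 and leaves on wlan0, where the hotspot gateway drops it; with it, the more specific prefix wins and the packet goes to the ZT router. Two things the host-side route does not solve by itself: the ZT node must have IP forwarding enabled, and the office side needs a return path (a route for the ZT prefix on the office gateway pointing at the ZT node's LAN address, or NAT on the ZT node), otherwise replies from the printers go to the office default gateway and die.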
                    • JaredBusch @Dashrender

                      @Dashrender said:

                      @JaredBusch said:

                      @Dashrender said:

                      So if I'm reading this correctly, using bridging means that no ZT devices can ever be on the local network, except the one server providing the bridging, which it's doing through a disconnected NIC port that's acting like a switch port.

                      The typical ZT clients would need to never be on that same physical network.

                      There is no reason they cannot be on the same network.
                      I can have my laptop plugged in to the LAN and WiFi at the same time. They get two different addresses. This is no different with ZT. It is a separate adapter.

                      Basic IP functions here, nothing complicated.

                      Good point - I've done that before too. Though it's my understanding that the default in Windows - when the LAN is connected, the WLAN is ignored.

                      Not even close to true. Windows does not care about it. You need to set that up in BIOS or have HP/Dell software running to do it automagically.

                      In Windows, you can set adapter order. But some things like Pertino reinstall the adapter when they update and that puts it back on the top of the list.

                      This is where you specify it in Windows.

                      [screenshot]

                      [screenshot]

                      • dafyre @Dashrender

                        @Dashrender said:

                        @dafyre said:

                        @Dashrender said:

                        https://www.zerotier.com/community/topic/5/bridging-ethernet-to-zerotier-virtual-networks-on-linux

                        Configure the DHCP Server in the Office LAN to give leases in the range 10.0.0.100-10.0.0.200.
                        Configure the ZeroTier portal to manage IP addresses in the range 10.0.1.100-10.0.1.200. Note how the address ranges are in the same 10.0.0.0/16 subnet, but have a unique pool of IP addresses.

                        The instructions have you create a giant /16 subnet: the LAN will be on x.x.0.x and the ZT will be on x.x.1.x. No routers involved for communication here.

                        I totally missed that bit before... I think I am going to try it out again. 🙂

                        Well that might be why your Bridge didn't work 😛

                        I don't really want a bridge - I want a ZT to LAN router. Then you could have all of your printers on your production network, all of your users on open/free network, and the ZT would still provide IP access to the printers and their real IPs.

                        The problem with this is putting a route into the local machine that ensures that traffic bound for that routed network goes through ZT, not the default gateway of the end point.

                        I've built one of those... I'll do it again and document it this weekend.

                        • adam.ierymenko @Dashrender

                          @Dashrender That's not true. If a ZT device is on the same local network, then it will just have two ports that go to the same network. It would be like putting two NICs in the device and running two cables to the same switch. Confusing, but nothing "wrong" with that.

                          ZT emulates a smart Ethernet switch. Think of it the way you would think of a switch. An "active bridge" is a port set to permit bridging to another switch (some smart switches let you control that) while a regular ZeroTier endpoint is a port that only goes to a single device.

                          If you're thinking of it any differently you're over-thinking it. Pertino adds a whole ton of complexity by operating at L3 and none of that applies here. VPNs also add a lot of complexity by fragmenting the network with tunnels and such, and that's also irrelevant. Just imagine a switch with invisible wires going to it.

                          • dafyre @adam.ierymenko

                            @adam.ierymenko said:

                            @Dashrender That's not true. If a ZT device is on the same local network, then it will just have two ports that go to the same network. It would be like putting two NICs in the device and running two cables to the same switch. Confusing, but nothing "wrong" with that.

                            ZT emulates a smart Ethernet switch. Think of it the way you would think of a switch. An "active bridge" is a port set to permit bridging to another switch (some smart switches let you control that) while a regular ZeroTier endpoint is a port that only goes to a single device.

                            If you're thinking of it any differently you're over-thinking it. Pertino adds a whole ton of complexity by operating at L3 and none of that applies here. VPNs also add a lot of complexity by fragmenting the network with tunnels and such, and that's also irrelevant. Just imagine a switch with invisible wires going to it.

                            If that were the case, then bridging would be much easier. 😛 (see my latest post on your site.)

                            • adam.ierymenko @dafyre

                              @dafyre I'll take a look, but in my experience bridging is always confusing to set up when you have any boundary between how things like IPs are allocated. One of the things on our to-do list is to ship a preconfigured Raspberry Pi config or image that does bridging easily.

                              • dafyre @adam.ierymenko

                                @adam.ierymenko said:

                                @dafyre I'll take a look, but in my experience bridging is always confusing to set up when you have any boundary between how things like IPs are allocated. One of the things on our to-do list is to ship a preconfigured Raspberry Pi config or image that does bridging easily.

                                If you guys decide to do a straight up Linux image, I'll be happy to help test it. I don't have a Pi to test with at the moment.

                                • adam.ierymenko @dafyre

                                  @dafyre In the shorter term a more detailed HOWTO would probably be best. We can gear it to Debian since the Pi is Debian and makes a great bridge device, but you could also use a Debian VM or regular machine.

                                  • dafyre @adam.ierymenko

                                    @adam.ierymenko said:

                                    @dafyre In the shorter term a more detailed HOWTO would probably be best. We can gear it to Debian since the Pi is Debian and makes a great bridge device, but you could also use a Debian VM or regular machine.

                                    I'd be happy to help test them as you write them. 😉

                                    • Dashrender @adam.ierymenko

                                      @adam.ierymenko said:

                                      @Dashrender That's not true. If a ZT device is on the same local network, then it will just have two ports that go to the same network. It would be like putting two NICs in the device and running two cables to the same switch. Confusing, but nothing "wrong" with that.

                                      ZT emulates a smart Ethernet switch. Think of it the way you would think of a switch. An "active bridge" is a port set to permit bridging to another switch (some smart switches let you control that) while a regular ZeroTier endpoint is a port that only goes to a single device.

                                      If you're thinking of it any differently you're over-thinking it. Pertino adds a whole ton of complexity by operating at L3 and none of that applies here. VPNs also add a lot of complexity by fragmenting the network with tunnels and such, and that's also irrelevant. Just imagine a switch with invisible wires going to it.

                                      Yeah - I was over thinking that. JB set me straight already. 🙂

                                      • dafyre

                                        Okay, so I took a pot shot at @adam-ierymenko and told him Bridging should be easier... It turns out it is, lol. I blame Microsoft!

                                        Hyper-V has some security features that prevent the system from communicating on the network using a MAC address that wasn't assigned to it via Hyper-V... There's a fix for that!

                                        In PowerShell, on the Hyper-V host, run the following (it should be typed all on one line... I broke it up for readability)...
                                        *note: This enables MAC spoofing on ALL NICs attached to the VM.

                                        # Select the VM's adapters on the named virtual switch, then allow them to send
                                        # frames with source MACs other than the one Hyper-V assigned (bridging needs this).
                                        Get-VMNetworkAdapter -VMName MYVMNAME | Where-Object { $_.SwitchName -eq "MY_HYPERV_SWITCH" } |
                                            Set-VMNetworkAdapter -MacAddressSpoofing On

                                        Edit: In VMware, you will need to enable Forged Transmits and Promiscuous Mode on the VM that you run things like this on. I don't have access to a VMware system to check this.

                                        • Alex Sage @adam.ierymenko

                                          @adam.ierymenko I have a Pi (the newest one) to test on if you need more testers 🙂

                                          • JaredBusch

                                            Back on the topic of this thread...

                                            I set up ZeroTier on FSLDC02. I put ZeroTier on LT-JARED-01.

                                            ZeroTier is IPv6 only at the moment.
                                            [screenshot]

                                            I put the IPv6 address of the DC in the laptop's IPv6 config
                                            [screenshot]

                                            I rebooted the laptop and then logged in with a domain user that has never been logged onto the device before. Everything worked fine.

                                            [screenshot]

                                            [screenshot]

                                            AD Authentication works great.

                                            It also works great with IPv4 if you put the ZeroTier IPv4 address in the DNS of the IPv4 adapter.

                                            So AD over ZeroTier is easy to do.

                                            Page 4 of 6