Prevent exposing ZIP network to physical network


#1

Hi there,

I might be missing something super simple here, but I am trying to cut the bridge between my physical network and the ZIP network and still be able to access the ZIP gateway from a local process.

Here is my tun file:

#!/bin/sh
# Invoked with "up" or "down"; TUNDEV, HANPREFIX and LANIP come from the environment.

case "$1" in
  up)
    # Only configure once: do nothing if the tap is already UP
    ifconfig "$TUNDEV" | grep -q "\s*UP" || {
      ifconfig "$TUNDEV" up
      # Bridging the tap onto br0 is what makes the ZIP network reachable from the LAN
      brctl addif br0 "$TUNDEV"
      # Route the Z-Wave PAN prefix through the gateway's LAN address
      ip -6 route add "$HANPREFIX" via "$LANIP"
      exit 0
    }
    ;;
  down)
    ip -6 route del "$HANPREFIX" via "$LANIP"
    brctl delif br0 "$TUNDEV"
    ;;
esac

ifconfig:

br0       Link encap:Ethernet  HWaddr 00:15:BC:22:8B:D4
          inet addr:192.168.86.57  Bcast:192.168.86.255  Mask:255.255.255.0
          inet6 addr: fd00:5b01::215:bcff:fe22:8bd4/64 Scope:Global
          inet6 addr: fd00:5b66::215:bcff:fe22:8bd4/64 Scope:Global
          inet6 addr: fe80::215:bcff:fe22:8bd4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16311 errors:0 dropped:0 overruns:0 frame:0
          TX packets:405 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2661327 (2.5 MiB)  TX bytes:54419 (53.1 KiB)

eth0      Link encap:Ethernet  HWaddr 00:15:BC:22:8B:D4
          inet6 addr: fd00:5b2f::215:bcff:fe22:8bd4/64 Scope:Global
          inet6 addr: fd00:5b01::215:bcff:fe22:8bd4/64 Scope:Global
          inet6 addr: fd00:5e16::215:bcff:fe22:8bd4/64 Scope:Global
          inet6 addr: fd00:5b66::215:bcff:fe22:8bd4/64 Scope:Global
          inet6 addr: fe80::215:bcff:fe22:8bd4/64 Scope:Link
          inet6 addr: fd00:5ba2::215:bcff:fe22:8bd4/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:66091 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9587 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11592257 (11.0 MiB)  TX bytes:2201844 (2.0 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:549 errors:0 dropped:0 overruns:0 frame:0
          TX packets:549 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:66184 (64.6 KiB)  TX bytes:66184 (64.6 KiB)

tap0      Link encap:Ethernet  HWaddr 9A:37:82:D6:71:AD
          inet6 addr: fe80::9837:82ff:fed6:71ad/64 Scope:Link
          inet6 addr: fd00:5b00::9837:82ff:fed6:71ad/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:395 errors:0 dropped:3 overruns:0 frame:0
          TX packets:10554 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:51873 (50.6 KiB)  TX bytes:2001479 (1.9 MiB)

I tried to remove the `brctl addif br0 $TUNDEV` line, but it makes the ZIP gateway inaccessible from the local host.


#2

Dear Ali,

The ZIP gateway requires a DHCP server to work with IPv4. This is normally your LAN router in which case the ZIP gateway is exposed in the LAN. You may however install a DHCP server locally on the RaspberryPi, to keep everything locally.

Another option is to remove the ZIP gateway tap interface from the br-lan and use the ZIP gateway IPv6 address instead. You can find the ZIP gateway IPv6 address in /usr/local/etc/zipgateway.cfg. The ZIP gateway IP is ZipLanIp6, and all devices in the network will get an IP from ZipPanIp6. In this case the DHCP server is not required.

I hope you can get this working,

BR
Carsten


#3

hey Carsten,

Thanks for the reply. I do actually run the gateway only in IPv6 mode; here is how my config file looks:

#Mon Oct 30 12:08:17 GMT 2017
ZipIp4Disable = 1
ZipPanIp6 = fd00:bbbb::1
ZipSerialAPIPortName = /dev/ttyAPP4
ZipLanIp6 = fd00:5c32::1
ZipUnsolicitedDestinationPort = 59121
ZipUnsolicitedDestinationIp6 = fd00:5c32::215:bcff:fe22:8e38
ZipPSK = [SOMESECUREKEY]

But the problem still remains: how do I configure the tun file so that the connection between the ZIP network and the eth interface is broken, but the ZIP gateway still stays accessible on the local host? Thanks again for all the help.


#4

Preventing zipgateway from being exposed to the rest of the network is as easy as not adding its tapX interface to a bridge interface. In this “local-only” mode your application will communicate directly with zipgateway over the tapX interface.

The whole point of zipgateway is to provide networked access to Z-Wave devices for other devices on an IP network. An idealized example of this would be a zipgateway running in your home, providing access to your Z-Wave devices to applications on your smartphone or other networked devices in your home. There are no benefits to locking zipgateway away from the network.
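
The local-only tun script this answer describes, written out as an added example (it is not the original poster's script and not part of zipgateway): the tap is brought up and the PAN prefix routed via the gateway's LAN address exactly as in the original hook, but the tap is never added to br0, and a leftover bridge membership from the old script is undone. Going beyond what the thread says, it also installs ip6tables FORWARD drops between the tap and the physical interface so that the ZIP network cannot be reached through the host even if IPv6 forwarding is enabled. TUNDEV, HANPREFIX and LANIP are the environment variables the original script uses; LAN_IF, DRY_RUN, the helper names and `ip link` in place of `ifconfig` are assumptions of this example.

```shell
#!/bin/sh
# Local-only tun hook for zipgateway (added example, not the project's script).
# Expects the variables the original hook used:
#   TUNDEV    - the tap interface (e.g. tap0)
#   HANPREFIX - the Z-Wave PAN prefix (ZipPanIp6 network, e.g. fd00:bbbb::/64)
#   LANIP     - the gateway's LAN address (ZipLanIp6, e.g. fd00:5c32::1)
# LAN_IF (physical interface to isolate from) and DRY_RUN are assumptions here.
LAN_IF="${LAN_IF:-eth0}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or only print it when DRY_RUN=1 (for review/testing)
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# bridge_of: print the bridge that interface $1 is a port of; fail if none.
# Uses the Linux sysfs symlink /sys/class/net/<if>/brport/bridge.
bridge_of() {
    [ -L "/sys/class/net/$1/brport/bridge" ] || return 1
    basename "$(readlink "/sys/class/net/$1/brport/bridge")"
}

# tun_up: bring the tap up WITHOUT bridging it, route the PAN prefix through
# the gateway, and block forwarding between the tap and the physical LAN.
tun_up() {
    run ip link set "$TUNDEV" up
    # Undo an earlier bridged configuration if it is still in place.
    if br=$(bridge_of "$TUNDEV"); then
        run brctl delif "$br" "$TUNDEV"
    fi
    # Same route as the original hook; the gateway is reached directly on the tap.
    run ip -6 route add "$HANPREFIX" via "$LANIP"
    # Belt and braces: even with net.ipv6.conf.all.forwarding=1 nothing may
    # cross between the tap and the physical interface in either direction.
    run ip6tables -I FORWARD -i "$TUNDEV" -o "$LAN_IF" -j DROP
    run ip6tables -I FORWARD -i "$LAN_IF" -o "$TUNDEV" -j DROP
}

# tun_down: reverse tun_up in the opposite order.
tun_down() {
    run ip6tables -D FORWARD -i "$LAN_IF" -o "$TUNDEV" -j DROP
    run ip6tables -D FORWARD -i "$TUNDEV" -o "$LAN_IF" -j DROP
    run ip -6 route del "$HANPREFIX" via "$LANIP"
}

# zipgateway passes "up" or "down" as the first argument.
case "${1:-}" in
    up)   tun_up ;;
    down) tun_down ;;
esac
```

To check the result, run `DRY_RUN=1 TUNDEV=tap0 HANPREFIX=fd00:bbbb::/64 LANIP=fd00:5c32::1 sh tun.sh up` and confirm no `brctl addif` appears; after the real `up`, `ping6 fd00:5c32::1` should answer on the Pi itself, while the same address (and anything in the ZipPanIp6 prefix) should be unreachable from another host on the LAN, since it is no longer on br0 and the FORWARD chain drops anything routed across.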


#5

That's actually a great hint, thanks for the help Hanskraner