A plus would be to block the connections originating from the mesh (and with destination the local hosts out of the mesh, see figure) but to allow the connections originating from the local hosts (and with destination the hosts in the mesh).
A scenario (actually happened) is an institution willing to expand the mesh and to use it for accessing sensors (connected to the mesh). The institution wants to access the sensors but does not want the rest of the mesh to access its internal hosts.
This issue is independent from allowing or denying internet access (which would also need some documentation!).
Topic started on the mailing list, see first email and my attempt of solution which seems that does not work.
A plus would be to block the connections originating from the mesh (and with destination the local hosts out of the mesh, see figure) but to allow the connections originating from the local hosts (and with destination the hosts in the mesh).
A scenario (actually happened) is an institution willing to expand the mesh and to use it for accessing sensors (connected to the mesh). The institution wants to access the sensors but does not want the rest of the mesh to access its internal hosts.
This issue is independent from allowing or denying internet access (which would also need some documentation!).