Open darkain opened 5 years ago
cferrey
commented
5 years ago Just curious: does anyone know if this was addressed through a recent update? I was getting this flapping behavior pretty regularly in a bridged-LANs-over-WAN setup, but it stopped about 2-3 weeks ago and everything's been stable since then. I didn't change anything, so am wondering if this got patched.
laduke
commented
5 years ago Seems like a small change... but how to specify it?
Should just using -p on the commmand line turn off secondary port and upnp port? That's probably not what you want most of the time. Most users are behind NAT.
'secondaryPortEnabled': true|false to go along with portMappingEnabled?
or how about
'maxBindPorts': 1-32 (default 3) heh
KBrownConsulting
commented
5 years ago I think I'd vote for something along the lines of option 2... Clear individual options for controlling whether UPnP & the secondary port are enabled or disabled.
darkain
commented
5 years ago For firewall security reasons, I need the ability to fully control all incoming/opened ports on my server/router. This is ESPECIALLY true when talking about security audit compliance, such as PCI-DSS. Every open port must be justified to an external audit company, and with ZT arbitrarily opening additional ports if there are ANY issues at all with the defualt 9993 just causes havoc for these security audits (as well as the route flapping issue causing 100% CPU usage and dropped packets)
joseph-henry
commented
5 years ago @darkain Thanks, we've added the ability to turn off any non-primary port assignments via:
'secondaryPortEnabled': true|false
Teteros
commented
5 years ago This landed in 1.4.0 stable, but the config setting is actually allowSecondaryPort (true/false, where false disables the extra port bindings.)
secondaryPortEnabled doesn't even exist in the code.
I assume this basically also sets portMappingEnabled to false as well?
Describe the bug Relates to the issues with: https://github.com/zerotier/ZeroTierOne/issues/779
If a connection cannot be established on the primary port (usually 9993), then ZeroTier will pick an arbitrary port to try and use instead. This defeats the entire purpose of having a primary port configuration. I have specific firewall rules in place for 9993 for a combination of security and to deal with issue #779. However, at some point ZT added support to "try other ports" that are outside of the configuration, which means the firewall rules in place for #779 no longer work, which means route flapping returned, broken connections, and excessively high CPU usage again. I also tried disabling port mapping to see if that was the issue, but this didn't resolve the issue either. There needs to be a way to force ZT to use one port and one port ONLY.