
I have a Raspberry Pi with an ethernet connection on the end0 interface to the 10.15.16.0/20 network. It has a static IP address on this network at 10.20.30.15.

The Pi is also connected to my Tailscale tailnet which is available on the tailscale0 interface.

Tailscale is configured to accept subnet routes from my tailnet. So the 10.192.168.0/24 network is available through the tailscale0 interface. Tailscale also ensures that this route is added to the routing table.

The end0 interface is part of the home zone in Firewalld. tailscale0 is part of the trusted zone.

Logged into the Pi, I'm able to reach the 10.192.168.0/24 network. IPv4 and IPv6 forwarding are also enabled on the Pi.

With Firewalld turned off, everything works! Devices on the 10.15.16.0/20 network are able to reach 10.192.168.0/24 through the Pi (10.20.30.15).

With Firewalld on, forwarded traffic is blocked. Ping even helpfully tells me that traffic is being filtered.

I think Firewalld has something to do with the message, maybe? Anyway...

Failed Ping through 10.20.30.15

I tried adding a Firewalld Policy that has home as the ingress zone and trusted as the egress zone, but this did not work.

I think that a Policy is the way to go, but how should that look?

Here's the policy I wrote:

<?xml version="1.0" encoding="utf-8"?>
<policy target="REJECT">
  <ingress-zone name="home"/>
  <egress-zone name="trusted"/>
</policy>

1 Answer


I'd had 99% of the answer in my question apparently.

The policy was working. I'd defaulted to the REJECT target, so it was rejecting all traffic, as configured.

I could either add services and ports to the policy to let stuff through and filter other stuff.

Or change the target to ACCEPT to allow all traffic through, which is the option I went with.
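One way to put both options from the answer into a policy file, as an added example that is not from the question or the answer; the policy file name home-to-trusted.xml and the helper names are assumptions, and the zone names come from the question:

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Writes a firewalld policy that forwards traffic from the "home" zone
# (end0) to the "trusted" zone (tailscale0). Two usable shapes:
#   - target ACCEPT with no services: forward everything (the answer's choice)
#   - target REJECT plus named services: forward only those, reject the rest
# The file name home-to-trusted.xml below is an assumed policy name.
set -eu

# write_forward_policy PATH TARGET [SERVICE...]
write_forward_policy() {
    out=$1; target=$2; shift 2
    case $target in
        ACCEPT|REJECT|DROP|CONTINUE) ;;
        *) echo "unknown policy target: $target" >&2; return 1 ;;
    esac
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<policy target="%s">\n' "$target"
        printf '  <ingress-zone name="home"/>\n'
        printf '  <egress-zone name="trusted"/>\n'
        for svc in "$@"; do
            printf '  <service name="%s"/>\n' "$svc"
        done
        printf '</policy>\n'
    } > "$out"
}

# policy_target PATH -> the target attribute of the written policy
policy_target() {
    sed -n 's/.*<policy target="\([A-Z]*\)".*/\1/p' "$1"
}

# count_allowed_services PATH -> number of <service> entries (0 if none)
count_allowed_services() {
    grep -c '<service name=' "$1" || true
}

# Stand-alone use (as root): install the allow-all variant and reload.
if [ "${1:-}" = "--install" ]; then
    write_forward_policy /etc/firewalld/policies/home-to-trusted.xml ACCEPT
    firewall-cmd --reload
fi
```

With target REJECT and services listed, only those services are forwarded from end0 to tailscale0; everything else is still rejected, which is why the original REJECT policy with no services blocked the pings.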
