Zerotier Immediate Gateway Unknown

I initially brought this issue up on the Zerotier release announcement thread. It was suggested to start a dedicated one.

I have two routers here that I’m testing Zerotier with. It’s a long established Zerotier network that I’ve been using for a few years now.

Router 1 is a Chateau12
Router 2 is an RB3011

The Chateau connected to my Zerotier network with no issues via LTE. However the RB3011 is displaying the following:
[screenshot: ZTMTIK3011.PNG]
The Zerotier network is not being advertised yet, so it’s not a routing issue. You can see from the screenshot that it says Immediate Gateway Unknown.

Both routers are on the same LAN, however that should not be an issue.

The Chateau is connecting to Zerotier via LTE and the RB3011 is bridged to an ADSL modem and connects to the internet via PPPoE.

If I set the default route of the Chateau to the RB3011 it still works correctly.

Firewall rules on both routers are straightforward. There are no custom mangle or raw rules other than some custom RAW drop rules on the RB3011. Even with these disabled the same issue occurs.

Both routers also have the recommended firewall rules at the top of the filter page, as recommended on the Mikrotik Zerotier documentation page. About the only difference is that on the RB3011 the Zerotier interface is *31 and on the Chateau it is *13.

The RB3011 does have 3 EoIP tunnels two of which use IPsec however the IPsec policies only apply to the tunnels and no other interfaces.

I have removed the Zerotier package on the RB3011, rebooted and reinstalled it. After another reboot the issue still persists.

MRU on the RB3011’s PPPoE interface was manually configured to 1492. Removing the manual setting and allowing it to default to 1480 still results in the same Immediate Gateway error.

It has me baffled as I can’t see any reason why it won’t work!

This * stuff usually means that there is a reference to an unknown interface.
Have you tried renaming the Zerotier interface?
Does it look different in the CLI?

This is a Winbox bug. Check the console; it must be OK there. Since Zerotier was just added, Winbox doesn’t support it in some places yet.

Interesting! Even though I looked a hundred times I never noticed the difference.

The chateau as you can see below is different. On the Zerotier Control Panel they all have the same configuration.

Maybe it’s just the RB3011 hasn’t correctly picked up its configuration from Zerotier though.

Edit - Although I did have the same issue joining a completely new Zerotier network that I set up for testing.


RB3011 -

Flags: D - dynamic, X - disabled; R - running 
 0    name="zerotier1" mac-address=XX:XX:XX:XX:EF:50 arp-timeout=auto network="XXXXXXXXX"

Chateau -

Flags: D - dynamic, X - disabled; R - running 
 0  R name="zerotier1" mac-address=XX:XX:XX:XX:XX:XX arp-timeout=auto network="XXXXXXXXX" instance=zt1 bridge=no dhcp=no network-name="RS1" 
      status="OK" type="PRIVATE"

The first expanded entry is the Chateau (10.147.20.29), the lower one is the RB3011 (10.147.20.1)
[screenshot: ZT Cpanel.PNG]

Odd.

If I disable Rule 14 it works! Yet the Chateau also has the same rule.
[screenshot: FWRules.PNG]

Disabling that rule is very dangerous. Better add an accept rule from the zerotier1 interface.

Finally resolved.

It seems the Zerotier package needs to communicate on the localhost address. Adding the following rule to the top of my input rules resolved my issue:

/ip/firewall/filter/add chain=input dst-address=127.0.0.1 action=accept

Indeed. I only disabled it for a moment to test if it might have been a firewall issue. And indeed it was! See the post I marked as resolved.

Thanks, I was having the same issue (on a 4011 with a regular DHCP isp connection), and that rule fixed it. Is it secure though?

That rule is part of the default configuration:

/ip firewall
filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
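The two posts above give the fix (accept input to 127.0.0.1) and its defconf origin. As an added example that is not from this thread or from MikroTik, the Python below parses a RouterOS `/ip firewall filter export`, walks the input chain in order the way the firewall does, and reports which rule a new packet to 127.0.0.1 on the loopback interface hits first: the accept, or a catch-all drop like Rule 14 here. The export text is constructed to mirror the situation in the thread; the interface-list membership (`lists`) is an assumption you supply from your own `/interface list member print`; rules using selectors the model does not understand (protocol, ports) are listed for manual review rather than guessed at. `place-before` in the suggested command is the standard RouterOS parameter for inserting a rule above a given rule number.

```python
import ipaddress
import shlex

# Constructed sample `/ip firewall filter export` from a router whose input chain
# ends in a catch-all drop and has no loopback accept, as in the RB3011 post.
SAMPLE_EXPORT_BROKEN = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \\
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="allow ZeroTier" dst-port=9993 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
"""

# The same export with the loopback accept rule from the thread placed first.
SAMPLE_EXPORT_FIXED = SAMPLE_EXPORT_BROKEN.replace(
    "/ip firewall filter\n",
    "/ip firewall filter\n"
    'add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" '
    "dst-address=127.0.0.1\n",
    1,
)

# Selectors the simulator understands; a rule using anything else is reported for
# manual review instead of being guessed at.
MODELLED = {"action", "chain", "comment", "disabled", "dst-address", "src-address",
            "in-interface", "in-interface-list", "connection-state"}


def parse_filter_export(text):
    """Return the rules of the `/ip firewall filter` section of a RouterOS export,
    in order, each as a dict of selector -> value. Continuation lines end in '\\'."""
    rules, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            section = tuple(line.replace("/", " ").split())  # v6 and v7 path styles
            continue
        if section == ("ip", "firewall", "filter") and line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules


def _addr_matches(addr, spec):
    """RouterOS address selector: single address or CIDR, optionally negated with '!'."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def _matches_loopback(rule, lists):
    """Would `rule` match a NEW packet 127.0.0.1 -> 127.0.0.1 arriving on interface lo?"""
    for key in ("dst-address", "src-address"):
        if key in rule and not _addr_matches("127.0.0.1", rule[key]):
            return False
    if "in-interface" in rule:
        spec = rule["in-interface"]
        if (spec.lstrip("!") == "lo") == spec.startswith("!"):
            return False
    if "in-interface-list" in rule:
        spec = rule["in-interface-list"]
        if ("lo" in lists.get(spec.lstrip("!"), set())) == spec.startswith("!"):
            return False
    if "connection-state" in rule:
        spec = rule["connection-state"]
        if ("new" in spec.lstrip("!").split(",")) == spec.startswith("!"):
            return False
    return True


def loopback_verdict(rules, lists):
    """Walk the input chain in order and return (action, rule_number, skipped):
    the first terminating action a new loopback packet hits, its 0-based number
    (the numbering `/ip/firewall/filter print` shows), and the rules skipped because
    they use selectors this model does not understand.
    `lists` maps interface-list name -> set of member interfaces, e.g. {"LAN": {"bridge"}}."""
    skipped = []
    for number, rule in enumerate(rules):
        if rule.get("chain") != "input" or rule.get("disabled") == "yes":
            continue
        unknown = sorted(set(rule) - MODELLED)
        if unknown:
            skipped.append((number, unknown))
            continue
        if _matches_loopback(rule, lists) and rule.get("action") in ("accept", "drop", "reject"):
            return rule["action"], number, skipped
    return None, None, skipped


def fix_command(before_rule_number):
    """The RouterOS 7 command from the thread, with `place-before` so the accept
    lands above the drop that was blocking loopback traffic."""
    return ("/ip/firewall/filter/add chain=input action=accept dst-address=127.0.0.1 "
            f"place-before={before_rule_number} "
            'comment="accept to local loopback (ZeroTier, CAPsMAN)"')


if __name__ == "__main__":
    lists = {"LAN": {"bridge"}}  # assumption: adjust from /interface list member print
    for label, export in (("broken", SAMPLE_EXPORT_BROKEN), ("fixed", SAMPLE_EXPORT_FIXED)):
        action, number, skipped = loopback_verdict(parse_filter_export(export), lists)
        print(f"{label}: loopback packet -> {action} at rule {number}; review: {skipped}")
        if action != "accept":
            print("  suggested fix:", fix_command(number))
```

Run it against a real export (`/export file=fw` then fetch the file) by passing the file contents to `parse_filter_export`. The verdict is only as good as the selectors modelled: a rule listed under "review" has a protocol or port match the script does not evaluate, so check it by hand before trusting an "accept".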

It’s secure as in it connects to the Zerotier controller. After that any connection to anything else on your zerotier network is peer to peer so nothing goes through any third party servers.

It is on ROS 7. I upgraded my RB3011 from 6.48.4 and I never had a default config on it which is how I missed it.

No problem, was just replying to point out that the rule is safe to add.