zerotier

knx90

... new - maybe in the future i will need to know how to connect diffrent locations company into one network. So im looking best solutions, not only ZeroTier solutions or something like that.

Larsa

- DNS
- DHCP
- NTP
- Winbox
- WebFig
- Rest API
- SSH
- IPSec
- L2TP/PPTP/SSTP
- Wireguard
- ZeroTier
- OpenVPN
- SNMP
- BGP/OSPF/RIP/MPLS
- FTP
- CAPsMAN
- RoMON

knx90

... address-pool=dhcp_1 interface=LAN name=dhcp_1 /ip smb users set [ find default=yes ] disabled=yes /system logging action set 0 memory-lines=75 /zerotier set zt1 disabled=no disabled=no /zerotier interface add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\ zt1 name= ...

I would first create a supout.rif file and file a support ticket so they can already look into it.

Next step would be to netinstall that device and see what happens then.
But I would not do that until you received feedback from support ...

nullemotion

Hi. My setup: hAP ax^3, RouterOS 7.19.1, zerotier package 7.19.1. Install zerotier package, reboot, go to Zerotier/Instance, enable zt1 instance and get status "failed". Enable logs for Zerotier and get this one every time when i try ...

sebastia

FYI: looks like related to zerotier node

mndtrp

... DO NOT INSTALL THIS if you use it for something important. Can you also share the other packages related to the nightly builds? I use ZeroTier and would like to be able to completely test the nightly builds. FYI: Already running the 7.21_ab85 build including ZeroTier which was shared ...

lurker888

... package is ingested and injected through the (virtual) interface of the tunnel. L2 encapsulations, such as EoIP, L2TP, OpenVPN (ethernet mode), ZeroTier are handled similarly, but additionally bridging is involved. IPSec (policy based) is special and nasty. That's why it's usually not incorporated ...

sirbryan

We currently don't plan to support 3rd party relays, but it's an interesting idea worth considering. Yes, like self-hosted ZeroTier. A variation on this theme is to use BTH as a tool to enable ISPs/MSPs to remotely manage both routers (which I can usually get to) and internal devices, ...

unlikely

... included references to paths like /usb/ros-data/logs/diskFirewall, but the new CCR2004 no longer accepts /usb/... and instead requires usb/.... - ZeroTier instance names are not restored automatically and must be manually changed before import. - Handling users and groups is extremely challenging. ...

unlikely

... start, and Ethernet interfaces have different names, just to mention a few of the issues I observed. Strangely, internet access to the router via ZeroTier still functions. - Restoring from an exported configuration also fails to fully recover the system. Users and groups are missing, containers ...

keskol

... fetch: yes pptp: yes l2tp: yes bandwidth-test: yes traffic-gen: no sniffer: yes ipsec: yes romon: yes proxy: yes hotspot: yes smb: yes email: yes zerotier: yes container: no install-any-version: no partitions: no routerboard: no attempt-count: 0

anav

... IP or an upstream ISP router where you can forward ports, suggest using wireguard for your friends to get to your router to game securely or even zerotier networking. By the way it seems as you have VPN subnet, but your text said no need, so confusing to see it there. Set this to none, known to ...

ironm

... tr069-client-7.18.2-arm64.npk ups-7.18.2-arm64.npk user-manager-7.18.2-arm64.npk wifi-qcom-7.18.2-arm64.npk wireless-7.18.2-arm64.npk zerotier-7.18.2-arm64.npk

anav

... your friends are and then have them wireguard into your router and then give them access through firewall rules to the servers they need. OR Use zerotier to connect friends to your servers. No one these days hosts gaming servers or the like as its to hard protect properly and often your ISP shuts ...

anav

... list=authorized comment=userBob add address=myhobby.com list=authorized comment=userDavid Overall, much safer to get users to wireguard in, or zerotier in to reach your server............

unlikely

The only other approach is abuse BackToHome (BTH) - that does deal with CGNAT and is just WireGuard under the covers. i.e. if a site had a fixed public IP, and LTE back... BTH be same as WG when "primary WAN", but if failover BTH "proxy" WG via LTE CGNAT. The issue is @normis re...

unlikely

Well, since you're not listening to my advice or bothering to answer my questions, you're on your own. Good luck! I’m open to all advice and suggestions and truly appreciate everyone’s contributions. However, I still want to address or at least better understand my initial issue. You’ve stated that...

Larsa

Well, since you keep repeating yourself over and over again, don't listen to @Amm0's or my advice, and don't even bother to answer my questions, you're on your own. Good luck!

unlikely

Support gave you an adequate answer. You can run whatever L2 traffic you want over Zerotier, but you need to know how to manage it with flow rules. And yes, it works as expected. I don't think I can agree. To me it doens't seems a correct L2 behavior. It is not as ...

Larsa

Support gave you a proper answer. You can run any L2 traffic you want over Zerotier, but you need to know how to manage it using ZT flow rules together with correct ROS routing and firewall rules. And yes, it works as expected. Have you checked your firewall ...

unlikely

... correctly in my setup when bridging is enabled on two MikroTik nodes (CCR2004 running ROS 7.18.2 and RB5009 running ROS 7.18.2 or 7.19beta8) on ZeroTier Central. When bridging is disabled, OSPF adjacency is maintained for a short period. However, if I disable and re-enable the OSPF instance ...

Larsa

Just a tip, @unlikely: make a full network topology diagram, do a complete export, start packet sniffing, turn on OSPF logging, and if you still think there’s a bug somewhere, send everything over to support. But I still don't get why you're insisting on using L2 instead of just doing it the normal ...

Larsa

@xrlls, you should probably open your own thread since it gets complicated when mixing two different use cases in the same thread.

unlikely

I think OP isn't actually bridging zerotier on RouterOS bridge – although be to confirm... OP is just checking the "Allow Bridging" option on the ZT controller, AFAIK...

Correct.
ZeroTier interface is not part of any bridge.
So the answer from Mikrotik is more puzzling.

Larsa

@Amm0; Yeah, exactly. It might be something as simple as a firewall blocking the LSA packets. If they sniff the packets and turn on OSPF LSA logging, they should be able to figure out pretty quickly what's actually going on.

unlikely

... since OSPF broadcast should "just work" (without bridging IMO). Perhaps check /tool/sniffer to see if OSPF multicast is even hitting the zerotier interface (and ideally on far-end, to see if got there) – that confirm if ZT config issue, OR, bug in ZT+OSPF on RouterOS. Also, you don't ...

Amm0

Maybe @Amm0 can help you out here.

@Amm0 already explained to look at sniffers, or lab a smaller example. But ZeroTier "L2" should be transparent to "L3" [multicast] OSPF.

Larsa

@xrlls, like I told @unlikely, there’s no way to give you a real answer because you haven’t shared a full network topology or explained what you’re actually trying to do. From what I can tell, it sounds like you’re a bit unclear on basic L2/L3 networking. Maybe @Amm0 can help you out here.

Amm0

... L2 network, that is not what I am doing, and I agree that in such a configuration OSPF does not make sense. I think OP isn't actually bridging zerotier on RouterOS bridge – although be to confirm... OP is just checking the "Allow Bridging" option on the ZT controller, AFAIK...

Larsa

@unlikely: There is no way to give you a real answer because you have not shared a complete network topology or explained your actual goals.

Without that, any suggestion would be pointless guessing.

xrlls

My point is that I think OSPF is less work. While I understand that routes can be pushed through Zerotier, relying on it, would require me to maintain both the Zerotier routing configuration and another route distribution method for the non-Zerotier connections. So I would ...

Amm0

... collect some sniffer or re-create small example of it not working in lab/CHRs/etc. If repo-able in small setup, that seem like a bug to MikroTik. ZeroTier should be transparent to OSPF – now OSPF then be connected everywhere, so that have be considered in your OSPF design. This simple example ...

unlikely

@unlikely, I get what you are saying about using ZeroTier as backup and your WireGuard links not needing static neighbor setup. BUT still, the same idea I mentioned to @xrlls applies here. If you already have ZeroTier in the mix, running OSPF on ...

Amm0

There are also few non-OSPF routers connected by Wireguard to the hub and few direct wireguard links between most important sites. ZeroTier is kind of a backup for wireguard. ZeroTier is slower with our slow connections. And I don't want to rely on routes manually defined in ZeroTier network. ...

Larsa

@unlikely, I get what you are saying about using ZeroTier as backup and your WireGuard links not needing static neighbor setup. BUT still, the same idea I mentioned to @xrlls applies here. If you already have ZeroTier in the mix, running OSPF on ...

unlikely

... the shared L2 domain, but that still leaves me wondering why you would want to do it this way. If all routers are already L2-connected through ZeroTier, it feels a bit like connecting a big switch to all your subnets instead of properly routing between them. I mean, wouldn't it be simpler and ...

Larsa

@xrlls, I think I get your reasoning, but I also think you are unnecessarily complicating things. If you're already using ZeroTier, then running OSPF on top of it is simply redundant. ZeroTier can fully handle dynamic route distribution and failover without needing a separate routing ...

unlikely

Easy configuration of OSPF. For Wireguard is is necessary to configure static neighbors. While for Zerotier (and L2 in general) it just works, as the neighbors are automatically discovered through multicast. For me ZeroTier is kind of a backup. I have some ptp wireguard ...

Amm0

I might ask the other way, what would your recommendation instead? You can use ZT to push any route. ZT does not care if the destination is within ZT's IP range — ZT is agnostic on gateway so you can often use ZT for just route distribution. And RouterOS will happy add whatever it gets from ZT dire...

xrlls

@unlikely I tried enabling bridging for the Zerotier endpoint (Rb5009, 7.18.2) not working and … heureka… it started working! I then disabled bridging again, and the multicast traffic stopped arriving on the RB5009. Enabling bridging on the non-working ...

Larsa

I mean some of the routers partecipating in OSPF are connected all to the same ZeroTier network / L2 domain, so brodcast mode should be possible. But every routers also belongs to other networks. Thanks for the clarification. I get that OSPF can work over the shared ...

unlikely

... problem, I previously stated that it works for me… and it does… on some of my routers. I currently have 3 MikroTik routers connected to the same ZeroTier network, and OSPF is working on two of them over Zerotier. On the third, a RB5009, running 7.18.2, I only see outgoing multicast traffic, no ...

Michiganbroadband

... fetch: yes pptp: yes l2tp: yes bandwidth-test: yes traffic-gen: no sniffer: yes ipsec: yes romon: yes proxy: yes hotspot: yes smb: yes email: yes zerotier: yes container: no install-any-version: no partitions: no routerboard: no attempt-count: 0 after I set them today: (again) > /system device-mode ...

anav

... if at all possible, if you must....... do you really have to???? a. use VPN for users to access subnet locations ( such as wireguard ) b. use zerotier for users to access subnet locations c. If you have to port forward, (i) ensure that the server is capable of a high level of encryption ( ...

Michiganbroadband

... fetch: yes pptp: yes l2tp: yes bandwidth-test: yes traffic-gen: no sniffer: yes ipsec: yes romon: yes proxy: yes hotspot: yes smb: yes email: yes zerotier: yes container: no install-any-version: no partitions:no routerboard:no This looks very restrictive. I changed all of the values as instructed ...

xrlls

... problem, I previously stated that it works for me… and it does… on some of my routers. I currently have 3 MikroTik routers connected to the same ZeroTier network, and OSPF is working on two of them over Zerotier. On the third, a RB5009, running 7.18.2, I only see outgoing multicast traffic, no ...

rextended

... install-any-version = no # flagging-enabled = yes # flagged = no # allowed = scheduler,fetch,bandwidth-test,sniffer,ipsec,romon,hotspot,smb,email,zerotier # forbidden = socks,pptp,l2tp,traffic-gen,proxy,container,partitions,routerboard

AndreyUkraine

Good day everyone, Sorry for my English, I'm from Ukraine, and I have a problem. I have 5 routers connected via ZeroTier network, and PIM-SM is configured everywhere, but I need specific settings. I need my clients to be in the UIB SG on the RP router, even when they are turned ...

unlikely

The OP said " OSPF over a ZeroTier L2 domain (so mode broadcast), " which sounds a bit contradictory. I mean some of the routers partecipating in OSPF are connected all to the same ZeroTier network / L2 domain, so brodcast mode ...

unlikely

... had OSPF infra, perhaps with non-ZT things, and there OSPF over ZT would seem reasonable. But if you're using OSPF for route distribution ONLY for ZeroTier, that would seem silly. My idea was to use ZT as a secondary way for distributing routes and route packets among routers when better ways fails ...

poisons

I want to see the same option in built in zerotier client, but as far as i see mikrotik team not provide any updates for build in zt client, so there is no pain to install zerotier client as container, where you may modify all necessary settings, like custom planets and so on.

Larsa

The OP said " OSPF over a ZeroTier L2 domain (so mode broadcast), " which sounds a bit contradictory. OSPF is basically a L3 routing helper, so I don't get how Layer 2 fits into the picture after reading the thread. I can understand ...

Amm0

Larsa makes good points. Personally I'd use ZT routes if possible, since it just so simple.

I've assumed OP already had OSPF infra, perhaps with non-ZT things, and there OSPF over ZT would seem reasonable. But if you're using OSPF for route distribution ONLY for ZeroTier, that would seem silly.

Larsa

There is absolutely no distinction in the type of devices used by ZeroTier. It can be ten smartphones or ten routers connecting the same number of subnets. What matters is the number of activated devices listed in the management console. Also, there's no ...

StubArea51

ZeroTier doesn’t have visible “routes”, just virtual networks and devices/routers associated to a virtual network. Since last year, new free accounts get 10 devices/routers total, while older accounts had 25 (still valid). ...

rextended

... email=yes fetch=yes \ hotspot=yes ipsec=yes l2tp=yes pptp=yes proxy=yes romon=yes scheduler=yes smb=yes sniffer=yes socks=yes traffic-gen=yes \ zerotier=yes install-any-version=yes partitions=yes routerboard=yes After reboot Install by downgrading on system/packages with 7.6: https://download.mikrotik.com/routeros/7.6/routeros-7.6-arm.npk ...

Larsa

ZeroTier doesn’t have visible “routes”, just virtual networks and devices/routers associated to a virtual network. Since last year, new free accounts get 10 devices/routers total, while older accounts had 25 (still valid). ...

StubArea51

... but why even bother using OSPF on a Layer 2 network? Even using OSPF with IP seems kind of weird since all internal routing is already built into ZeroTier, right? Maybe I’m missing something here... There are a few use cases for it. 1) ZeroTier's controller under the free version can only hold ...

Larsa

Just curious, but why even bother using OSPF on a Layer 2 network? Even using OSPF with IP seems kind of weird since all internal routing is already built into ZeroTier, right? Maybe I’m missing something here...

unlikely

What I have is this: Thanks. I can't see anything special or substantially different from my setup. When I turn off bridging in ZeroTier Central for my Mikrotik Node, I can't see anymore OSPF traffic logged by my very first Raw Prerouting firewall rule. OSPF log in Mikrotik only show ...

xrlls

What I have is this: /zerotier/interface> /zerotier/interface/print detail Flags: D - dynamic, X - disabled; R - running 0 R name="zerotier1" mac-address=3E:65:02:6A:A1:37 mtu=2800 arp-timeout=auto network="xxxxxxxxxxxxxx" ...

unlikely

... working... it might worth a ticket to Mikrotik at help.mikrotik.com. Include a supout.rif if you do file a ticket. I can confirm that OSPF over ZeroTier is generally working when bridging is enabled for Mikrotik routers nodes. But as soon I remove the bridging it stops working, and restart as ...

unlikely

... it should just work. The only issue I had was relating to firewall, where I needed to allow OSPF (or any other traffic for that matter) on the Zerotier interface. With broadcast/multicast? Without static neighbors? I think my firewall it's ok because with bridging enabled, OSPF is working. ...

Amm0

Seems a Mikrotik thing. Perhaps. Someone else had similar issues with OSPF broadcast mode and ZeroTier: https://forum.mikrotik.com/viewtopic.php?p=1118612#p1118520 There too, I thought it was flow rules, but OP was using Mikrotik controller which has NO flow rules. And ...

xrlls

... it should just work. The only issue I had was relating to firewall, where I needed to allow OSPF (or any other traffic for that matter) on the Zerotier interface.

unlikely

Thanks for reply.
Default flow rules allow for ip4, ip6 and arp, so ospf should be included.
By the way I also tried to put just accept and still doens't work on Mikrotik.
But it works on OPNsense with default or permissives flow rules and without bridging enabled.
Seems a Mikrotik thing.

Amm0

You may need to change the "Flow Rules" for the ZT network on my.zerotier.com (see ZeroTier docs: https://docs.zerotier.com/rules/#rule-definition-language generally or examples here https://www.zerotier.com/blog/using-flow-rules-to-direct-users-to-services/ ...

unlikely

I'm trying to setup OSPF over a ZeroTier L2 domain (so mode broadcast) among two Mikrotik routers and an OPNsense box. Apparently "Allow Ethernet bridging" should be enabled on ZeroTier central for the Mikrotik routers otherwise ...

wynieDB

... title suggests, are there any plans of allowing packages for RouterOS to be created by community members? My reason: I am aware of a WireGuard and ZeroTier package which I assume was developed by MikroTik themsevles. On a project at work I decided to make use of Netbird which is a fantastic self-hosted ...

Larsa

... is a nightmare without proper enterprise-grade network management tools. If your Mikrotik routers are ARM based, I strongly recommend checking out ZeroTier that is part of ROS v7. It supports Layer 2 bridging and can scale to manage hundreds or even thousands of networks and devices with ease. ...

bradkuhl

The simplest approach is probably to go with regular routing: 1. In the Zerotier's management console -> Network Management -> Managed Routes , add 'destination' 10.252.0.0/24 'via' 10.10.10.3 2. On Router 3, add: ' /ip route add dst-address=10.252.0.0/24 gateway=vlan50 ...

Larsa

The simplest approach is probably to go with regular routing: 1. In the Zerotier's management console -> Network Management -> Managed Routes , add 'destination' 10.252.0.0/24 'via' 10.10.10.3 2. On Router 3, add: ' /ip route add dst-address=10.252.0.0/24 gateway=vlan50 ...

bradkuhl

I have 3 locations linked with zerotier. All three have different subnets. This is working. I can access all three subnets from any location and from any ZT connected device (laptop) from a remote location. All the routers are mikrotik. ...

liveup

Routeros started zerotier, but when I started bitcomet, it caused zerotier to disconnect

anav

For a secure connection suggest wireguard, assuming you have at least on public IP available at one of the routers, or the ISP router in front is capable of forwarding ports.
Alternatively use Zerotier.

newhotelowner

... But I haven't figure out how to make Cuddy exit node, so that all internet traffic on VLAN goes through office wan (cuddy). - Or, alternatively, ZeroTier controller (generally, my.zerotier.com) lets you set routes too. So instead of above you can use ZeroTier to define a

Amm0

... Mikrotik, you can avoid the NAT translation since both sides will know how to route between 192.168.88.0 and 192.168.10.0/24 - Or, alternatively, ZeroTier controller (generally, my.zerotier.com) lets you set routes too. So instead of above you can use ZeroTier to define a routes as show above. ...

newhotelowner

This is my current setup. Screenshot 2025-04-09 165808.jpg My work and home routers are connected over zerotier. I am able to directly access work devices though zerotier at my home. Example, My SIP phone at home is connected to my SIP gateway at work. I set up zero tier on ...

lurker888

... the SFP port of the micorSD slot, this is really not good value for money. Since you're interested in VPNs, only ARM (and ARM64) devices support ZeroTier in Mikrotik-land, so this does not. All the others I list below support it. It's also by far the weakest in terms of performance. I think your ...

rextended

... email=yes fetch=yes \ hotspot=yes ipsec=yes l2tp=yes pptp=yes proxy=yes romon=yes scheduler=yes smb=yes sniffer=yes socks=yes traffic-gen=yes \ zerotier=yes install-any-version=no partitions=yes routerboard=yes for previous versions some items like install-any-version=no partitions=yes routerboard=yes ...

dricce

... fetch: yes pptp: yes l2tp: yes bandwidth-test: yes traffic-gen: no sniffer: yes ipsec: yes romon: yes proxy: yes hotspot: yes smb: yes email: yes zerotier: yes container: no install-any-version: no partitions: no routerboard: no attempt-count: 0 Error: /tool/flood-ping address=192.168.1.1 count=200 ...

Larsa

... a compromised PC on your LAN that’s part of a botnet. P.S. Never, ever open any ports from the router to the internet. Use a VPN like WireGuard or ZeroTier instead.

t4thfavor

Same problem, it used to work, but I recently upgraded to 7.17 or 7.18 and now none of my zerotier stuff works. No changes.

anav

Look at zerotier to share gaming server............

anav

... Option2 You could do it right away with regular wireguard VPN if your router is an MT router. Preferred Option 1 Another alternative is to use zerotier which connects routers at layer2, but uses cloudflare secure servers. This is available right away as well. Preferred option 3

jimmyz

... 1 wifi-qcom 7.18.2 2025-03-11 11:59:04 10.2MiB 2 rose-storage 7.18.2 2025-03-11 11:59:04 3136.1KiB 3 routeros 7.18.2 2025-03-11 11:59:04 12.3MiB 4 zerotier 7.18.2 2025-03-11 11:59:04 836.1KiB 5 container 7.18.2 2025-03-11 11:59:04 100.1KiB 2,4GHz interface is disabled, only 5GHz is active. The ...

Josephny

... 2 rose-storage 7.17.2 2025-02-06 09:10:24 3128.1KiB 3 lora 7.17.2 2025-02-06 09:10:24 8.1KiB 4 extra-nic 7.17.2 2025-02-06 09:10:24 2208.1KiB 5 zerotier 7.17.2 2025-02-06 09:10:24 836.1KiB 6 user-manager 7.17.2 2025-02-06 09:10:24 332.1KiB 7 ups 7.17.2 2025-02-06 09:10:24 32.1KiB 8 tr069-client ...

loloski

form a private network using zerotier together with the other participant and spawn your private server inside zerotier network and you are done

gpetrom

... '', 'scheduled': '', 'size': '376977', 'available': 'True', 'disabled': 'True'}] Router RBwAPGR-5HacD2HnD [True, {'.id': '*10', 'name': 'zerotier', 'version': '', 'scheduled': '', 'size': '790673', 'available': 'True', 'disabled': 'True'}] After upgrading to 7.19beta5 same thing happens ...

Jeroen3

Hello all, My RB5009UG+S+ on 7.18.2 with ZeroTier configured. There is an internet connection over ether1 vlan 6 via pppoe. It appears as though zerotier loses it's connection. There is ability for ping, but no real traffic is able to flow. Resetting ...

dcavni

... accept established,related,untracked" connection-state=established,related,untracked add action=accept chain=forward comment="Zerotier Forward" in-interface=zerotier1 add action=accept chain=input comment="Zerotier Input" in-interface=zerotier1 add action=accept ...

luckylinux

I already faced the Issue in the Past where I had to remove Packages (e.g. Zerotier) from the CRS317-1G-16S+RM Device just to be able to install Updates. But what a PITA. At least expand flash *a bit* for some Packages that don't require SLC due to frequent writes ...

anav

... to forward ports, or ask the ISP provider and they forward ports upon your request. If not , then you cannot port forward. Alternatives, - use Zerotier and connect users to your servers that way ( at least for external users ). - use BTH wireguard and have users access your servers over wireguard, ...

techmulti

Good afternoon, Having this issue if someone can enlighten me if this is possible to do. I have added a zerotier network between two mikrotik devices one situated at my home and one at my office. HQ Network subnet is 192.168.0.0/24 HQ Network has other subnets connecting to ...

Anthemous

... and they all work perfectly, specifically this router is behind a LTE which gives Internet to the rest of the network, it is also connected to zerotier net without any problem so far and actually some test I did with OPVN also worked normally , without problem and this, only Wireguard (from ...

Anthemous

... mtu=1420 name=back-to-home-vpn /interface list add comment=defconf name=WAN add comment=defconf name=LAN /port set 0 name=serial0 /zerotier set zt1 disabled=no disabled=no /zerotier interface add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\ zt1 name=zerotier1 ...

... frames (EtherType 0x88bf). But in cases where this is not working, you can circumvent it with workarounds. E.g. from home I can connect using Zerotier to a customer RB5009 105km away from me, that one has MPLS connections to 30 other locations all over the Northern part of Belgium. That MPLS ...

Amm0

... upcoming 5G products, a new LMP 5G that show "16MB Flash". So while perhaps RouterOS without wifi fit okay, if you add something like zerotier, which is handy with LTE, you'd also be close to 16MB today. IMO 16MB flash is a risk since it's so close, that even stuff #bad blocks comes ...

... even have to be static (but it makes it easier if it is). Obviously, if there is no public reachable IP address, then you need something to get Zerotier or Back To Home or ... whatever, running. SXT will simply be a gateway to that device then.

anav

... another good option that would allow you to use BTH. So either way the hex refresh is a good option. Once you have the hex, another options is zerotier which is more complex but gets around not having a public IP. So do not despair, will get you to a useful setup!

rralex89

... put them behind a VPN as my family is using my webserver quite heavily so cloudflare tunnel might be the best solution. I will investigate what zerotier is as i have absolutely no ideea. I used to have a server to RSYNC over ssh. That rule i need to delete indeed as i'm not using it I will also ...

tryrtryrtryrt

... prefer default config and especially updates not to create bogus interfaces. P.S. Somewhere before 7.16.1 similar thing happened with addition of /zerotier set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" disabled=yes disabled=yes name=zt1 port=9993 After updating ...

anav

... you dont have access to a public IP) and you and others can access the resources on your LAN behind a VPN, safely!! Another option would be to use Zerotier to do something similar.

anav

... set allowed-interface-list=none /tool mac-server mac-winbox set allowed-interface-list =TRUSTED Note: Consider other options for servers. Zerotier will allow you to link user to servers quite easily and securely. Wireguard another VPN would allow you to give access to servers securely ...

cubitihon

... changes". This will reboot and your interfaces should magically appear. (If you're new to the device, I would also select the "zerotier" package just in case you will want to play around with it.) you are right, in the packages have two wifi packages and wifi-qcom is disable, ...

lurker888

... changes". This will reboot and your interfaces should magically appear. (If you're new to the device, I would also select the "zerotier" package just in case you will want to play around with it.)

mndtrp

... not imported. Because Device Mode is reset during this process. 5. Reconfigured Device Mode. system/device-mode/update mode=home partitions=yes zerotier=yes scheduler=yes 6. The following configuration was not imported during Netinstall. /routing rule … /system scheduler … /system script … /tool/netwatch ...

Something which hasn't been updated since 2021 ?
Why would you do that ??

Consider Zerotier or Wireguard.
Both are available for ROS.

Thread closed.

ilium007

... fetch: yes pptp: yes l2tp: yes bandwidth-test: yes traffic-gen: no sniffer: yes ipsec: yes romon: yes proxy: yes hotspot: yes smb: yes email: yes zerotier: yes container: no install-any-version: no partitions: no routerboard: no attempt-count: 0 [admin@MikroTik] /system/device-mode> /system/routerboard/settings/set ...

JohnTRIVOLTA

I use the same model for the backup connection over a year!
Currently i have set the device with the following VPNs :
Permanent - OpenVPN with server and client certificates. Additional - Wireguard/BTH/ and Zerotier!
The radio use for country Australia for best coverage!

Larsa

A modern alternative to DMVPN is an SD-WAN solution like ZeroTier, which is built into RouterOS. If you need both, you can integrate DMVPN with ZeroTier.

... this error message in log on wAP AX. Another wAP AX upgraded just fine, so did AX Lite and AX2. 0x17e0d0 manual upgrade request failed, no file (zerotier-7.19beta2-arm.npk) There was no zerotier present on that wAP to begin with, so why should it be there ? I've seen that same issue as well on ...

utiker

... fetch: yes pptp: yes l2tp: yes bandwidth-test: yes traffic-gen: no sniffer: yes ipsec: yes romon: yes proxy: yes hotspot: yes smb: yes email: yes zerotier: yes container: no install-any-version: no partitions: no routerboard: no attempt-count: 0 [admin@MikroTik] /system/routerboard/settings> This ...

sinisa

... more things that could be removed/made optional on a ROUTER without hurting it's function. And I also don't like to have on my router: BTH, Zerotier, nor any other "cloud" service that I don't control in full (but I understand that not everyone knows how to set up their own VPN). ...

ff101

Hello together I have set up a ZeroTier VPN network. On one side I have a Teltonika cellular router with port forwarding from port 8080 to a web server behind it (port 80). I have tested the connection with a notebook connected to ZeroTier ...

anav

... for config purposes or its subnets when at a coffee shop or hotel. c. they cannot afford to host CHR on a cloud device. d. do not want to use zerotier between two MT routers. So the configuration you show, is a standard client peer for handshake connecting to a server peer for handshake scenario. ...

fctech2490

... the issue in depth, I noticed that I am unable to pull images that have the format <repository>:<tag> For example, I can successfully pull: zerotier (zerotier/zerotier:latest | Docker Hub) cloudflared (cloudflare/cloudflared:latest | Docker Hub) However, I cannot pull: alpine (alpine:latest ...

fctech2490

... work unless you update to 7.18. Hi, I can confirm what you reported. After upgrading to version 7.18beta6, I was able to successfully pull the zerotier/zerotier:latest and cloudflare/cloudflared:latest containers from the registry at https://registry-1.docker.io. However, I am still experiencing ...

jvincze84

... name=vlan200-cams /ip smb users set [ find default=yes ] disabled=yes /snmp community set [ find default=yes ] addresses=0.0.0.0/0 /zerotier set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" name=zt1 port=9993 /zerotier interface add instance=zt1 ...

NA9D

Hi all, It's my understanding that ZeroTier can be configured to allow layer 2 traffic to pass across the VPN. I have a situation where I would like to send broadcast UDP traffic between a remote machine and one or more machines on my LAN. ...

... daily hits 40-50% and that's when a morning 11gb copy job to NAS passes over wireguard. Other then that, usually less than 10%. Normal router, zerotier, wireguard, multiple vlan, dhcp, local dns, less then 25 FW rules, cake- queue applied to WAN, capsman, ...

anav

sounds like a discord discussion to be had, but first I have to read up much more on zerotier.

Amm0

... file allow a bunch of mode and control over how outbound tunnel are established. Bonding is just one, and that's the problem. See https://docs.zerotier.com/multipath/. But before @Larse chimes in, I'd add even the more simple "Low Bandwidth Mode" option - which is bool / "checkbox" ...

anav

Hi ammo, use Elmers Glue !!

But what does that have to do with ops comment, so many fast fail over options???

Amm0

for those of not in the know, can you describe what zerotier mulitipath would let you do............ in basic terms. Bonding WAN connections is one setting allowed by ZeroTier's "multipath" support. They have a "balance-aware" ...

anav

for those of not in the know, can you describe what zerotier mulitipath would let you do............ in basic terms.

skrux

... said roadmap. It could be added in the ZT window, or only accessible via CLI, or just a window that pops up to let us edit the local.conf file for zerotier. This would allow so many fast fail over options for zerotier that I would like to be able to use on RouterOS like I am able to do on my servers ...

danyrusdem

... interface=MGMT lease-time=1w30m name=dhcp3 /routing table add disabled=no fib name=ISP1_1G add disabled=no fib name=ISP2_100MB /zerotier interface add allow-default=no allow-global=no allow-managed=yes disabled=yes instance=\ zt1 name=zerotier1 network=xxxx /interface bridge ...

anav

... interface=MGMT lease-time=1w30m name=dhcp3 /routing table add disabled=no fib name=ISP1_1G add disabled=no fib name=ISP2_100MB /zerotier interface add allow-default=no allow-global=no allow-managed=yes disabled=yes instance=\ zt1 name=zerotier1 network=xxxx /interface bridge ...

fseesink

... Lens, LogSeq, NetBird, OBS, Obsidian, Rancher Desktop, Signal, Skype, Slack, Syncthing, Transmission, VSCode, VLC, VNC Viewer, VueScan, Wireshark, ZeroTier, and Zoom (and those are just some of the ones I skimmed in my list that I know are also cross-platform). They all properly show their version ...

brwainer

On this version I'm not getting any ARP responses from other routers within my Zerotier network. Downgrade to 7.16.2, same config works again. I also tried 7.18beta6, have the same problem. Full details of my issue, including the most minimal test config possible, ...

brwainer

I have much simpler zerotier configuration that works on 7.16.2 but fails on 7.17.2, on both a RB1100AHx4 and a hAP-AX3. The Zerotier interface comes up, the router shows as connected on my.zerotier.com, but ping, ARP, etc. all fail ...

poocman

... takes 80 ... Thank you for the very detailed answer. I will look into this approach. To put two PCs in the same L2 space did you consider trying zerotier? This option is not off the table, but I thought I would try it without a third party.

anav

To put two PCs in the same L2 space did you consider trying zerotier?

fctech2490

Anyone Does anyone have any updates regarding this issue? I’m adding another screenshot of the error from the logs to the post.

shalak

... name=monitoring policy=read,test,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api /zerotier set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" disabled=yes disabled=yes identity=XYZ name=zt1 port=9993 ...

MikroTikMarc

... – Looking at the MikroTik RouterOS implementation of MSTP https://youtu.be/tU2OMDWJ2To Alessandro Campanella (1off) – the integration between ZeroTier and MikroTik https://youtu.be/0UzCAAf90LQ Jakub Rejzek – How we (co-)arranged the opening of the 60 GHz https://youtu.be/63ojN8PBRXA Leo De ...

anav

... ( port forwarding ) if at all possible. a. use wireguard to allow clients to connect to servers instead b. use CHR in cloud if need be c. use zerotier to connect users to servers IF stuck with port forwarding at least ensure you use source address list for each DSTNAT rule, ( users should ...

wrathrbflyn

... and successful or failed connections, I discovered the source of my difficulties. I needed to configure NAT for connections going to the Zerotier network from the hAP LAN, which I had failed to do. There is a default NAT entry for LAN connections going to the WAN interface list, but since ...

Larsa

... in and maybe a bit tricky to get a clear picture of. Here are a few things that might help clarify things: What exactly isn’t working? - Are all Zerotier peers unreachable from the LAN, or just some? - Can LAN devices ping any Zerotier IPs, or is all Zerotier traffic failing from the LAN side? ...

wrathrbflyn

I am attempting to troubleshoot a couple issues I am seeing in using Zerotier with rOS v7.17 where only some connections are passing as expected. A little background on my network configuration. I utilize multiple Zerotier networks for different purposes including ...

... automatically upgraded to 7.18.beta4 but other identical one complains about this: G01718@D4:01:C3:C1:8B:BE%*9 upgrade request failed, no file (zerotier-7.18beta4-arm64.npk) There is no zerotier on it or it was ever installed and both caps are 100% identical(reseted to cap mode via button) Confirmed ...

rules

Thanks Larsa, Zerotier looks quite interesting. I read through your Zerotier post just now and it does seem like it's more meant to be for WAN setups with a squishy internet centre though. My use case will be purely LAN. Would one ...

Larsa

... a mesh network with more than five nodes (10 tunnels), I highly recommend looking into a mesh network solution (often called SD-WAN), like Zerotier, which is included in ROS and automatically manages internal routing—i.e., no need for OSPF or BGP. Zerotier is extremely easy to install and ...

bpwl

So via Zerotier I should be able to configure access from Internet to my Docker or Server via XXXX port? Eg. eventually become P2P Active user share? Total beginner with Zerotier , while looking for a P2P VPN service. Most public ...

guipoletto

[/quote] One might wonder about zerotier as well - it can be a handy way to exploit compromised devices [/quote] Why not drink the whole kool-aid and advocate for airgapped networks, the most secure form of network? or maybe only allow local ...

pe1chl

But zerotier has an associated device-mode flag!

nmt1900

... of some features, I don't understand why leave enabled socks feature which was previously exploited on vulnerable devices One might wonder about zerotier as well - it can be a handy way to exploit compromised devices

fctech2490

Hello everyone, I’m having issues when trying to run the ZeroTier container in my environment. Currently, I’m running a CHR on **VMware ESXi 8.0 Update 2**, and I installed the CHR by downloading the OVA file from the official **MikroTik** website. When ...

There is no zerotier on it or it was ever installed and both caps are 100% identical(reseted to cap mode via button) I have never seen all these packages. AFAIK it shouldn't be there. Could it be that the CAP requires a reboot? ...

erlinden

There is no zerotier on it or it was ever installed and both caps are 100% identical(reseted to cap mode via button) I have never seen all these packages. AFAIK it shouldn't be there. Could it be that the CAP requires a reboot? ...

ivicask

... automatically upgraded to 7.18.beta4 but other identical one complains about this: G01718@D4:01:C3:C1:8B:BE%*9 upgrade request failed, no file (zerotier-7.18beta4-arm64.npk) There is no zerotier on it or it was ever installed and both caps are 100% identical(reseted to cap mode via button)

anav

Perhaps turning off electrical power to NY state just before superbowl starts would send the right message LOL. But I agree, there are some EU funny rules that are not so easy to overcome, but hey, anything is better than orange farts. By the way, who blinked first game seems to have started one mon...

Amm0

Perhaps if we joined the EU..................... My question is how that work with frequency bands... Currently, Canada largely the FCC rules. For Wi-Fi, that likely better. For 5G/LTE with Mikrotik, you may be better off with EU rules... That lovely hAPaxLite-LTE6 is quite affordable but worthless...

Larsa

Haha, Anav, I see you're out here securing your files and your finances at the same time! 😂 Maybe if we tweak that command a bit: # chmod +Money Boom! Instant economic growth! 💰💸 As for joining the EU... yeah, I think Canada prefers its maple syrup debts over Mediterranean siestas. But hey, if your ...

anav

Larsa, are you trying to talk sexy at me "# chmod +r *". ?? Sounds like, if was to guess, some linux NAS command to ensure read only LOL. Ammo, sounds like too much recent smoke inhalation has impaired your judgment of what I am able to accomplish ( or my budget ). I am starting a go fund ...

Larsa

@anav - If I were you, I'd ditch the self-hosted controller and just use the cloud-based one (my.zerotier.com). Regarding your files, just: "# chmod +r *". Fixed!

Amm0

... application I can think of is my intention to host an NAS for images/video, and have it accessible by globally located family members etc. Zerotier may be the best way to allow users to access, load, organize etc.............. my only concern is inadvertent deletion of files.......... For ...

anav

... application I can think of is my intention to host an NAS for images/video, and have it accessible by globally located family members etc. Zerotier may be the best way to allow users to access, load, organize etc.............. my only concern is inadvertent deletion of files..........

Amm0

... with strings. I do suspect the CLI-only-ness of the controller substantially limits its usage on RouterOS. That, and the applications of /zerotier/controller are not well described in docs (i.e. using ZeroTier "roots" for hole-punching, but you can mange the users on RouterOS ...

Larsa

Thanks AMMO, so controller is limited to CLI, is there a sense it will migrate to Winbox eventually.

Way too complex, so I don’t think so. But you can add your own web-based manager: ZeroUI.

Larsa

Just highlight, once again, an grip of mine is the Mikrotik's ZT client does not support low-bandwidth, bonding, etc. as a "full" ZT client on PC/Mac does. And these restrictions still come in when using the controller, as traffic will go via the interface, not controller. Yeah, unfortuna...

anav

Thanks AMMO, so controller is limited to CLI, is there a sense it will migrate to Winbox eventually. Will stick to non-self-controller option especially since the benefit is tied to using a third party git program which also has to be loaded onto docker??

Larsa

... still a bit limited when it comes to running fully autonomous operations since ROS doesn't let you configure root servers. But with your own ZeroTier controller and ZeroUI , you not only get a slick web interface, but you also have full control over network rules, authentication, API access, ...

Amm0

... be "required". The big difference between WG config is that instead of the various keys and network needing to match like in WG... With ZeroTier (including your own controller) all the "client"/peers needs to know is the ONE /zerotier/controller's network= value. Unlike WG, ...

NA9D

The ZT servers are still in use. The docs mention this: A common misunderstanding is to conflate network controllers with root servers (planet and moons). Root servers are connection facilitators that operate at the VL1 level. Network controllers are configuration managers and certificate authoritie...

anav

Okay I had to read the docs to understand the use of the word controller. It would seem one can 'bypas' the zerotier site for setup and do it mostly on the mikrotik device. Does this mean one is still using zerotier servers? How is information protected/encrypted using the controller? ...

anav

... just your servers c. if you dont have a public IP rent a cloud server and get a CHR license and have people VPN through the CHR. d. consider using zerotier to provide access to your servers......

Larsa

I completely agree, especially regarding the steps to establish a good baseline. All major players like as Cisco, Juniper, and others, provide clear guidelines for the initial setup. I mean, how hard can it be? ;) Regarding the handbook (I assume you're referring to a user guide), it's a great idea....

lurker888

Personally, I think it's better to set ip-address, so the router gets a fixed address & docs should discuss and show using ip-address - your setting up a NEW network and RouterOS is likely to be the default route so example should set it to .1. But, as technical point, their instructions as-is ...

Amm0

/zerotier/controller # as array set [find] routes=("2.0/24@10.1.1.1","17.0/8@10.1.1.1") # or as string set [find] routes="2.0/8@10.1.1.1,17.0/8@10.1.1.1" # both forms work - so routes US military ...

Amm0

... comment to close together. So maybe why folks see some oddities there. :global ztcontroller do={ :if ($1 = "make") do={ :put "check zerotier instance 'zt1' is enabled" /zerotier :if ([:len [/zerotier/find]] != 1) do={:error "error - zerotier instance is not enabled"} ...

lurker888

First of all - thanks for the tip on opening the port on the router. Open on the WAN side - yes? Yeah. Well, actually I mean from everywhere, so in the input chain without additional filters. (The reason being that it's not uncommon to have a zt connection from inside your own network. In this case...

NA9D

First of all - thanks for the tip on opening the port on the router. Open on the WAN side - yes?

I just tried it again this time w/o entering the address and yeah, it worked - assigned an IP. OK. I have no idea where the cockpit error was. Oh well.

lurker888

Just an unrelated note: If you have a routable WAN address (even if dynamic), you should open port 9993/udp for the ZeroTier service. This enables other clients on the network (even if they are behind NAT) to make a direct connection and not have to use relays. You should especially ...

NA9D

OK. Strange. I'll try creating another network and seeing if I can duplicate my problem...

lurker888

... your explanation is off. (Using the same config.) If I delete the member, rejoin, and don't give it an explicit IP address assignment, I get: > /zerotier/controller/member/print Flags: A - AUTHORIZED Columns: NETWORK, ZT-ADDRESS, IP-ADDRESS # NETWORK ZT-ADDRESS IP-ADDRESS 0 A tst 23221c3302 172.30.30.100 ...

NA9D

HEY! That worked!!!! WOOT! Lurker888 thank you once again. And thanks to the others here as well. Looks like the key is that if you specify additional routes with a gateway address, you MUST assign that gateway address to whatever member is functioning as the gateway - it takes a static assignment. ...

lurker888

DHCP in never used in ZT. It is explicitly filtered in all ZT networks. (It's part of the "source" distribution for all zt clients. The desginers thought that it would be a security threat when joining networks run by people you don't really trust. Many people use ZT to for example run Min...

NA9D

Wait a minute... Looking at your entries: /zerotier/controller/set 0 private=yes ip-range=172.30.30.100-172.30.30.100 routes=172.30.30.0/24,0.0.0.0/0@172.30.30.1 /zerotier/controller/member/set 0 authorized=yes ip-address=172.30.30.1 You set the ...

NA9D

Hmm.

OK. Interesting...I'll try it again...

Could it be that since you are specifying a specific gateway IP address in the ZeroTier subnet that the router doesn't do a DHCP assignment but instead is expecting a fixed IP?

lurker888

For me everything works just fine. Commands: /zerotier/controller/set 0 private=yes ip-range=172.30.30.100-172.30.30.100 routes=172.30.30.0/24,0.0.0.0/0@172.30.30.1 /zerotier/controller/member/set 0 authorized=yes ip-address=172.30.30.1 Afterwards: ...

NA9D

/zerotier/controller # as array set [find] routes=("2.0/24@10.1.1.1","17.0/8@10.1.1.1") # or as string set [find] routes="2.0/8@10.1.1.1,17.0/8@10.1.1.1" # both forms work - so routes US military ...

Amm0

... do resolve a classFULL shortcut as prefix, just like everywhere else in CLI, but boy some typo in an classless IP most folks won't expect it: /zerotier/controller # as array set [find] routes=("2.0/24@10.1.1.1","17.0/8@10.1.1.1") # or as string set [find] routes="2.0/8@10.1.1.1,17.0/8@10.1.1.1" ...

NA9D

Well, that "client' is the router itself. My point is that when the extra routes are added, an IP address is never assigned. I'm happy to try it all over again for the tenth time. The IP address is assigned rapidly when using the example setup. So I don't think that it is taking a while.

lurker888

After authorization, you should see an ip address being assigned in the controller/member area. I don't know how frequently the client tries to reconnect; maybe you should try disabling/enabling the zt interface. EDIT: And in case you're adding this member as a gw of a route, you really would want t...

NA9D

... So yes. Here is it access denied. Now you go and list the members under the controller and then authorize the correct one.. [admin@MikroTik] /zerotier> controller/member/print Columns: NETWORK, ZT-ADDRESS # NETWORK ZT-ADDRESS 0 ZT-NA9D 5fb30d356d [admin@MikroTik] /zerotier> controller/member/set ...

lurker888

... some of the typos in the terminal session! In this case I demand that you smash one of our fingers with a claw hammer mob-style. [admin@MikroTik] /zerotier> interface/print interval=1 Columns: NAME, MAC-ADDRESS, NETWORK, STATUS # NAME MAC-ADDRESS NETWORK STATUS 0 NA9DNET 46:92:71:60:00:60 5fb30d356dc2cd47 ...

NA9D

... some of the typos in the terminal session! In this case, I tried to add a global 0.0.0.0/0 route to the 172.27.10.11 address. [admin@MikroTik] /zerotier> controller/add name=ZT-NA9D instance=zt1 ip-range=172.27.10.10-172.17.10.20 private=yes routes=172.27.10.0/24,0.0.0.0/0@172.27.10.11 [admin@MikroTik] ...

NA9D

I have followed the tutorial exactly. When I enter the steps exactly like they say and with the route example they use (and I've tried it with multiple different IP subnets) things work fine and the instance of the router is given an IP address. It's when I try to add the extra routes that I get zer...

lurker888

The guys at Mikrotik are various levels of user friendliness :-). The given example is one such. Actually it is exact and not in the least vague. The given syntax in given in the so-called Backus-Naur form. (https://en.wikipedia.org/wiki/Backus%E2%80%93Naur_form) I've used the controller and it work...

NA9D

When I set the config up like that, I don't get an IP Address assigned to the router's ZT client. Nothing gets assigned. I assumed I was doing something wrong. As far as forwarding between subnets - not sure. I've got multiple subnets on the router already. I don't have an issue with those or when u...

Amm0

Check out multicast UDP in the rules engine: https://docs.zerotier.com/rules/ I think the default rule do allow multicast, so if it's not your rules.... If RouterOS is bridging ZT interface to LAN, then you need to set "Allow Bridging" on the ...

Larsa

... get is: routes (IP@GW; Default: ) Push routes in the following format: Routes ::= Route[,Routes] Route ::= Dst[@Gw] Let's say 172.27.27.11 is the ZeroTier address of the node that acts as the gateway to your LAN 192.168.0.0/23 . Then you should write it exactly the way you did earlier ie ' routes ...

tdabasinskas

... fetch: yes pptp: yes l2tp: yes bandwidth-test: yes traffic-gen: no sniffer: yes ipsec: yes romon: yes proxy: yes hotspot: yes smb: yes email: yes zerotier: yes container: yes install-any-version: no partitions: no routerboard: no attempt-count: 0 Any advice?

NA9D

Hey all, I'm experimenting with Zerotier and have been following the steps listed in the documentation at: https://help.mikrotik.com/docs/spaces/ROS/pages/83755083/ZeroTier#ZeroTier-Controller I've successfully created a Zerotier connection ...

NA9D

Cool! Thanks! I'll check it out.

Larsa

Check out multicast UDP in the rules engine: https://docs.zerotier.com/rules/

NA9D

Hey all, I am looking for a way to send multicast UDP traffic over a remote VPN connection. From what I have looked at Zerotier provides this functionality. I've have Zerotier installed on my router. I have it on my phone. I've successfully made a connection into my LAN, can ping ...

Search found 3048 matches: zerotier