I have a single device on a local subnet, let's say 192.168.88.0/24, on an MT router, and it needs to reach a device (and vice versa) on a separate router (non-MT, with SIM card). Both have ZeroTier natively, so intuitively one should say yes, they can be connected. The subnet on the non-MT router is 192.168.55.0/24.
The twist: what happens when this portable device is close to the MT router (think moored boat, or motorhome) and can access the Wi-Fi of the MT router?
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
It is easy to pull the SIM card such that there is no longer a ZeroTier connection on the non-MT router.
The non-MT router now has a private WAN address via the MT router, aka its WANIP is now on the 192.168.88.0/24 subnet.
Since all traffic leaving the non-MT router will go out the 192.168.88.1 gateway, any traffic sent from .55 to a .88 address will work, as the router knows where that local subnet and device reside. So far so good.
Next, we ensure a route exists stating that for destinations in the .55 subnet, use as the gateway the new LANIP of the non-MT router (the WANIP of the non-MT router).
Thus any traffic originating on 192.168.88.0/24 or return traffic heading to .55 subnet will go to the non-MT router.
Q. What happens when the ZeroTier network is re-established?
I'm assuming that since the ZeroTier stuff works at layer 2, connecting the .55 and .88 subnets at (quasi level 2) will mean that the routing used for the Wi-Fi connection will BE IGNORED.
For example please confirm that any traffic from .88 heading to .55 with zerotier connected at both ends will IGNORE routing.
You are using my.zerotier.com as the ZT controller (i.e. not running a local controller under /zerotier/controller on the Mikrotik)
Nothing in ZT is bridged, specifically:
no “member” (aka peer) has “bridging” checked in the controller
the ZT interface on RouterOS is a “standalone” interface, not a bridge port
Each ZT network has its own IP subnet too. Here we’ll say it’s 172.22.22.0/24 (but it would be whatever the my.zerotier.com network had set)
Mikrotik has ZT address 172.22.22.88
“Boat” has ZT address 172.22.22.55
And, the problem is you want 192.168.88.0/24 to always be routable, whether “Boat” is connected to LTE, or is docked near Mikrotik’s Wi-Fi. Similar in reverse.
Keep in mind ZeroTier still works fine even if you are connected to the Wi-Fi on the boat. ZeroTier should use a local tunnel over Wi-Fi and just work. By design, it should use a more direct path, which would be Wi-Fi, to establish the tunnel (it would still be tunneled, however).
But to cover the case when the boat's ZT goes down but it’s docked on Mikrotik Wi-Fi… if you still want routing between the networks, then it would look something like this:
The ZT network needs to have these routes defined at my.zerotier.com. There is a routing section where you can add routes. You’d need two defined on the ZT cloud side:
192.168.88.0/24 via 172.22.22.88
192.168.55.0/24 via 172.22.22.55
On Mikrotik, change the ZeroTier “route distance”, i.e. /zerotier/set zt1 route-distance=9
On Mikrotik, assign a DHCP reservation for the boat, so you know the 192.168.88.0/24 address it gets (or assign it statically on the boat side for the Mikrotik SSID). Let’s say it's 192.168.88.55 (note: it is helpful if the ZT IP address (172.22.22.x) aligns with x in the 192.168.x.1 subnet used as LAN)
Add a route with “check-gateway” for when the boat is on Wi-Fi, i.e. /ip/route add dst-address=192.168.55.0/24 gateway=192.168.88.55 distance=1 check-gateway=ping
If the Mikrotik was in a default config, single LAN, then the easiest is to just add the “zerotier1” interface to the “LAN” interface list. But with a custom firewall, you’d likely need to allow the desired 192.168.55.0/24 traffic. You would not want to use some interface matcher, since the 192.168.55.0 could come via ZT or Wi-Fi in this example. But it follows whatever firewall scheme is used for VLANs/etc. otherwise.
On the remote router, to enable ZT-less operation, you shouldn't need to do anything since the Mikrotik is already the gateway (i.e. no static route needed).
To be honest, you shouldn’t have to do anything. ZT will tunnel using the Wi-Fi, since that has lower latency than LTE. It would be over a ZL1 tunnel, but still local. But if it's a regular thing that the boat/etc. connects to Wi-Fi, a direct connection being better is the main thing.
Just make sure those routes are set on the my.zerotier.com side. That’s the magic: those go to any ZT device that connects, without more config. It's kind of like allowed-addresses=, just easier since it's just a plain route table. Basically whatever is in the ZT my.zerotier.com “routes” gets copied into /ip/route when ZT connects, at the distance= set in the /zerotier “zt1” interface. (And… if the zerotier interface is NOT running, the ZT-added routes are removed from /ip/route on disconnect, which is why having the 192.168.55.0/24 route via Wi-Fi is handy, since that’s static.)
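The route choice described in the reply above, as an added example that is not part of the original posts: a simplified Python model of which active route the Mikrotik uses for the .55 subnet in each link state. It assumes the usual selection order (most specific prefix, then lowest distance) and treats check-gateway=ping as "route is inactive when the boat is off the Wi-Fi"; the host 192.168.55.10 is a constructed sample address.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    dst: str       # destination prefix
    gateway: str   # next hop
    distance: int  # administrative distance (lower wins)
    source: str    # "static" (Wi-Fi route) or "zerotier" (pushed by controller)


def routing_table(zt_running, boat_on_wifi):
    """Active routes toward the boat LAN for a given link state (model only)."""
    routes = []
    # Static route from the post: distance=1, check-gateway=ping.
    # It is only active while 192.168.88.55 answers, i.e. boat is on Wi-Fi.
    if boat_on_wifi:
        routes.append(Route("192.168.55.0/24", "192.168.88.55", 1, "static"))
    # Controller-managed route: present only while the ZT interface runs,
    # installed at the interface's route-distance (9 in the post).
    if zt_running:
        routes.append(Route("192.168.55.0/24", "172.22.22.55", 9, "zerotier"))
    return routes


def next_hop(dst_ip, zt_running, boat_on_wifi):
    """Pick the winning route: longest prefix first, then lowest distance."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routing_table(zt_running, boat_on_wifi)
                  if ip in ipaddress.ip_network(r.dst)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.dst).prefixlen, r.distance))


def path_matrix(dst_ip="192.168.55.10"):  # constructed sample host on the boat LAN
    """Map (zt_running, boat_on_wifi) -> (route source, gateway) or None."""
    result = {}
    for zt in (True, False):
        for wifi in (True, False):
            r = next_hop(dst_ip, zt, wifi)
            result[(zt, wifi)] = (r.source, r.gateway) if r else None
    return result


if __name__ == "__main__":
    for state, hop in path_matrix().items():
        print("zt_running=%s boat_on_wifi=%s -> %s" % (state[0], state[1], hop))
```

Because the same 192.168.55.0/24 source can arrive over either path depending on state, firewall rules written against the address rather than the ingress interface keep applying in every row of the matrix.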