Issues with ZeroTier

Hello,

I need help from somebody more experienced than I am, as I have run out of ideas.

I have issues with access from the VPN to the router/dst-nated servers. It affects all services including ssh: I can connect to the server, but any command returning more data freezes (like htop or just ll; ls works). I tried ping and the problem might be with MTU, as a smaller payload works but anything bigger than 1326b gets a timeout in both directions. Connection from the same network without the VPN works fine. I am not aware of any recent change in configuration; the change of behavior could be caused by an update, but I cannot say, as I didn’t use it on a regular basis.

The problem is not with ZeroTier itself; I can access other routers within the same network with the same ZT configuration.
I tried access from more devices to exclude issues on the client side. I tried ping, webgui and ssh.
When I add a firewall rule to accept all on the input chain, it works, but a rule accepting all from the VPN does not. When I add this global rule, it keeps working even after deletion, probably as long as the connection is tracked.

config.txt (9.6 KB)

I would guess ICMP Fragmentation needed is being blocked somewhere, any ideas?
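To confirm the path MTU suspicion from a Linux client, here is an added probe script (not from the thread): it binary-searches the largest ICMP payload that gets a reply with the DF bit set, and the peer address, the iputils ping flags and the constructed 0/1500 search bounds are assumptions.

```shell
#!/bin/sh
# Added example, not from the forum thread. Finds the largest ICMP payload that
# crosses the ZeroTier path without fragmentation; a cutoff well below the
# interface MTU suggests "fragmentation needed" is being dropped on the path.
# TARGET is a placeholder ZeroTier peer address (assumption).
TARGET="${TARGET:-10.147.17.1}"

# Returns 0 if one ping with the given payload size and DF set gets a reply.
# Assumes Linux iputils ping: -M do sets DF, -c 1 one packet, -W 2 wait 2s.
ping_df() {
  ping -c 1 -W 2 -M do -s "$1" "$TARGET" >/dev/null 2>&1
}

# Binary search between lo (known-good payload) and hi (known-bad payload)
# using the probe function named in $1; prints the largest payload that works.
find_max_payload() {
  probe_fn="$1"; lo="$2"; hi="$3"
  while [ $((hi - lo)) -gt 1 ]; do
    mid=$(((lo + hi) / 2))
    if "$probe_fn" "$mid"; then lo=$mid; else hi=$mid; fi
  done
  echo "$lo"
}

# ICMP payload + 8 bytes ICMP header + 20 bytes IPv4 header = path MTU.
payload_to_mtu() { echo $(($1 + 28)); }

# Only probe the network when explicitly asked (RUN_PROBE=1 TARGET=... ./mtu.sh).
if [ "${RUN_PROBE:-0}" = "1" ]; then
  max=$(find_max_payload ping_df 0 1500)
  echo "largest DF payload: $max bytes (path MTU about $(payload_to_mtu "$max"))"
fi
```

Compare the reported path MTU with the ZeroTier interface MTU; if the path value is lower and no "Frag needed" replies arrive, lowering the ZT MTU below the measured value is the practical fix.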

The solution is to lower the MTU on ZeroTier Central, using the API. I used 1280 and it solved the problem.

# API token from my.zerotier.com and the 16-hex-digit network ID
TOKEN="your_my.zerotier.one_api_token"
NETWORK_ID="your_network_id"
# Update only the network's MTU; other config keys are left untouched
curl -X POST \
  -H "Authorization: token ${TOKEN}" \
  -d '{"config": {"mtu": 1280}}' \
  "https://my.zerotier.com/api/v1/network/${NETWORK_ID}"

I've never tried it, but you might be able to lower the MTU of RouterOS's ZT interface as an alternative to changing it on ZT Central.