Using DHCP server for ZeroTier network bridged with VLAN

I’m using VLANs to segment my network. Some of the hosts connect to the proper VLANs using dedicated WiFi, some using a direct ethernet connection to the mikrotik, and some via down-stream network devices (via hybrid and/or trunk ports).

Locally, everything works OK, but now I’d like to add a possibility to connect to one of the VLANs via ZeroTier. Basically, I’d like to bridge my guest VLAN with the ZeroTier network and I’d like for the ZeroTier clients to obtain IP addresses from my local guest network via DHCP server running on my mikrotik (192.168.1.0/24, VLAN ID 101).

Here is my VLAN configuration:

/interface bridge
add arp=proxy-arp name=BR1 protocol-mode=none vlan-filtering=yes

/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=BR1 interface=ether4 pvid=100
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=100
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi-main pvid=100
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi-guest pvid=101
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi-not pvid=103
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=zerotier1 pvid=101
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether3

/interface bridge vlan
add bridge=BR1 tagged=BR1,ether3 untagged=wifi-main vlan-ids=100
add bridge=BR1 tagged=BR1,ether3,ether4 untagged=wifi-guest,zerotier1 vlan-ids=101
add bridge=BR1 tagged=BR1,ether3,ether4 vlan-ids=102
add bridge=BR1 tagged=BR1,ether3,ether4 untagged=wifi-not vlan-ids=103

/interface vlan
add interface=BR1 name=vlan-guest-101 vlan-id=101
add interface=BR1 name=vlan-main-100 vlan-id=100
add interface=BR1 name=vlan-not-103 vlan-id=103
add interface=BR1 name=vlan-service-102 vlan-id=102

IP configuration related to the VLAN 101 looks like this:

/ip address
add address=192.168.1.1/24 interface=vlan-guest-101 network=192.168.1.0

/ip dhcp-server
add address-pool=pool-guest-dhcp always-broadcast=yes interface=vlan-guest-101 name=dhcp-guest

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.128,192.168.1.1 gateway=192.168.1.1 netmask=24

/ip pool
add name=pool-guest-dhcp ranges=192.168.1.2-192.168.1.127

ZeroTier configuration:

/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" identity="<MY_IDENTITY_STRING>" name=zt1 port=9993
/zerotier interface
add instance=zt1 name=zerotier1 network="<ZEROTIER_NETWORK_ID>"

Mikrotik and other ZeroTier clients are authorized in the ZeroTier network. Unfortunately, the clients are not getting IP addresses from my DHCP server. In the ZeroTier web interface, I have removed all Managed Routes and enabled “Allow Ethernet Bridging” for the mikrotik client.

What am I missing? Is this setup even possible?

ZeroTier clients don’t use DHCP to get addresses, they use the assignment from my.zerotier.com. You can always start some DHCP client (dh-client, etc) on the interface on something like Linux, but that is not possible with mobile (and more difficult on Windows/Mac). Client IP addresses are assigned by ZeroTier Central next to the device in “Members”.

You can manually assign clients an IP address in ZeroTier from your LAN range in one way. But you can also use auto-assignment on my.zerotier.com with the bridged LAN’s prefix. To do this, “split” the /ip/pool so that it doesn’t overlap with the auto-assignment in my.zerotier.com. e.g. on /ip/pool use 192.168.88.101-192.168.88.199 while in ZeroTier Central use 192.168.88.200-249 (or whatever split you want).

It’s important that you do NOT assign an IP address to the ZeroTier interface on the Mikrotik if it’s bridged. Its IP address comes from either the VLAN or bridge interface’s IP address.

For a more detailed answer, see http://forum.mikrotik.com/t/zerotier-on-mikrotik-a-rosetta-stone-v7-1-1/155978/1 under “Use Case C”.

Thank you for the link! It’s extremely useful! The “Use Case C: Bridging a single LAN/VLAN to desktop/laptop using ZeroTier” covers my exact use case.

In case someone stumbles upon this topic, here’s the tldr:

  • ZeroTier clients do not have DHCP clients, so it makes little sense to run a DHCP server on one of the nodes
  • if your OS supports it, you can start a DHCP client manually on the ZeroTier interface, so in theory it’s possible
  • but it’s better to simply use the ZeroTier client’s IP auto-management to kick in
  • in order to do it, the DHCP server on local LAN must not give away the whole IP pool of the network, some of it must be omitted, let’s say “reserved” for the remote (i.e. ZeroTier) clients

Thanks.
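The one thing both the answer and the tldr above hinge on is that the RouterOS /ip pool and the ZeroTier Central auto-assignment range must not overlap, and that neither may hand out an address that is already in use statically on the LAN (here the gateway 192.168.1.1 and the DNS server 192.168.1.128 from the /ip dhcp-server network line). The script below is an added example, not part of the thread and not MikroTik or ZeroTier code: it parses RouterOS-style `start-end` ranges and reports overlaps, reserved addresses and addresses outside the prefix. The LAN, gateway, DNS address and DHCP pool are taken from the original post; the ZeroTier range values are constructed.

```python
"""Check that a RouterOS DHCP pool and a ZeroTier Central auto-assign range
split a bridged LAN prefix without overlapping or colliding with static hosts.

Added example; not taken from the forum thread, RouterOS or ZeroTier.
"""
import ipaddress
from typing import Iterable, List, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_range(text: str) -> IPRange:
    """Parse a RouterOS-style 'start-end' range (or a single address)."""
    first, _, last = text.partition("-")
    start = ipaddress.IPv4Address(first.strip())
    end = ipaddress.IPv4Address(last.strip()) if last else start
    if end < start:
        raise ValueError(f"range end precedes start: {text}")
    return start, end


def overlaps(a: IPRange, b: IPRange) -> bool:
    """True when two inclusive address ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_split(lan: str, dhcp_range: str, zt_range: str,
                reserved: Iterable[str] = ()) -> List[str]:
    """Validate that the DHCP pool and the ZeroTier auto-assign range partition
    the LAN prefix cleanly.  Returns a list of problems; an empty list means the
    split is sound.  `reserved` lists statically assigned addresses (gateway,
    DNS server, ...) that neither pool may hand out."""
    net = ipaddress.IPv4Network(lan)
    dhcp, zt = parse_range(dhcp_range), parse_range(zt_range)
    static = [ipaddress.IPv4Address(a) for a in reserved]
    problems: List[str] = []
    for name, (lo, hi) in (("DHCP pool", dhcp), ("ZeroTier range", zt)):
        if lo not in net or hi not in net:
            problems.append(f"{name} {lo}-{hi} is not inside {net}")
            continue
        if lo == net.network_address or hi == net.broadcast_address:
            problems.append(f"{name} {lo}-{hi} includes the network or broadcast address")
        for addr in static:
            if lo <= addr <= hi:
                problems.append(f"{name} {lo}-{hi} includes reserved address {addr}")
    if overlaps(dhcp, zt):
        lo, hi = max(dhcp[0], zt[0]), min(dhcp[1], zt[1])
        problems.append(f"DHCP pool and ZeroTier range overlap on {lo}-{hi}")
    return problems


if __name__ == "__main__":
    # From the thread: LAN 192.168.1.0/24, gateway .1, DNS .128, pool .2-.127.
    # The two ZeroTier ranges are constructed: the first is a clean split, the
    # second collides with both the DHCP pool and the DNS server address.
    for zt in ("192.168.1.129-192.168.1.200", "192.168.1.100-192.168.1.200"):
        result = check_split("192.168.1.0/24", "192.168.1.2-192.168.1.127", zt,
                             reserved=["192.168.1.1", "192.168.1.128"])
        print(zt, "->", result or "OK")
```

Run it once against the ranges you intend to put in `/ip pool` and in the ZeroTier Central IPv4 auto-assign setting before enabling bridging; an empty result means the local DHCP server and ZeroTier Central can never hand the same address to two hosts on the bridged VLAN.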