ZeroTier added to RouterOS v7.1rc2

I still believe (and hope) that MikroTik’s team will figure out a way for implementing HW accel. on (at least) ARM/ARM64 platforms. The AES-GMAC-SIV uses auth from AES-GCM and cipher from AES-CTR, both fully supported by ARM/ARM64 platforms.

zerotier should be faster than this, I expect this is just early implementation issues.

Are we going to have ZeroTier for CHR?

they said moving forward it will be for all, so I presume so.

Dear Normis,

A big thank you for granting my long awaited wish for ZeroTierOne to be made available on MikroTik RouterOS hardware. I just wish RB750Gr3 and hAPac2 to be made available too if possible.

Else MikroTik could develop its own version of a similar function like ZeroTier or a Reversed SSH function to enable remote access to MikroTik devices behind the NAT firewall.

Again many thanks genie for granting my wishes … :slight_smile:

Thanks.

@rodyeo I have zerotier running on my hapac2, it’s already working. The device is rebooting 5-6 times/day, but I think this is because of ROS7 and not the zerotier-addon package.

My hAPAC2 isn’t rebooting with zerotier. It does reboot for fq_codel or cake queues though, do you have those enabled?

FYI:
For people who have routes set up in ZT, also have OSPF or BGP running, and don’t want to have the route coming from ZT.

Step 1: disable ZT
zerotier/disable zt1

Step 2: disable the push route and IP:
zerotier/interface/set allow-managed=no zerotier1

Step 3: set the interface IP; it should be the same as set in the ZT portal:
ip/address/add address=x.x.x.x/x interface=zerotier1

Step 4: enable the ZT:
zerotier/enable zt1

Now you can run your OSPF or BGP without getting the route from ZT, as when the ZT pushes the route the distance is set to 1.

Enjoy and Thanks to Mikrotik for adding ZT.
Parham

Hi all,

I have installed zerotier package, configured it and all is running.

By the way, I cannot see the “zerotier interface” under the interface list, only by CLI.

If I check the address list, it is displayed as “unknown” as interface, but I do have an IP address and the tunnel is working.

Now I’m running v7.1rc3 release.

What’s wrong?

Thank you in advance,

Zerotier is only in Command Line for now!

OK, thank you Normis, but why under the address list is it shown as unknown as interface?

Is there any way we can set the interface MTU for ZeroTier?

At first glance everything looks to work fine, but I would like to avoid all packet fragmentation if possible.

No CLI command looks to fit this purpose so far.

No need or point doing this in zerotier because routeros can already do MTU, MRU, and MSS clamping so you can already force packet sizes down if you want. Changing the zt MTU wouldn’t actually help because MTU path discovery would already pass or fail so you only need to handle situations where discovery fails. Zt itself already does its own MTU testing and already does a lot to encourage MTU discovery to work well.

You can block broadcast, multicast, and whatever else you want with the rules engine.
https://docs.zerotier.com/zerotier/rules

It is possible via the my.zerotier.com API or self-hosted controller API. It’s a controller/network setting. It’s not exposed in the my.zerotier UI. You might have to restart your clients or rejoin your networks. It’s almost never needed to change the MTU.

As was said above, this can all be filtered. The filter engine can match input and output on MAC, IP, or zerotier ID. I.e., you can say "allow anything that is behind zt id 12345 to anything behind id 54321 on TCP port 80, deny everything else." That effectively blocks all layer2 from those two IDs and allows only the TCP port. It’s a very flexible rules engine and it’s awesome to be able to filter on traditional MAC and IP but also on the zt ‘id’ as well.
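
The policy described in the post above, written out in ZeroTier's flow-rule language as an added example (not part of the original thread or of ZeroTier's documentation). The two node IDs are constructed placeholders, and the ARP rule and the return-traffic rule are assumptions added because the rule set is stateless and IPv4 peers need ARP to resolve each other.

```zerotier
# Added example. Node IDs are constructed placeholders (10 hex digits each):
# aaaaaaaaaa stands in for "id 12345", bbbbbbbbbb for "id 54321".

# Assumption: ARP stays open so the IPv4 peers can resolve each other.
# Without it the TCP rules below never see traffic.
accept
  ethertype arp
;

# Forward direction: aaaaaaaaaa to TCP port 80 on bbbbbbbbbb.
accept
  ztsrc aaaaaaaaaa
  and ztdest bbbbbbbbbb
  and ipprotocol tcp
  and dport 80
;

# Return direction: the rules are stateless, so replies coming back
# from port 80 need their own rule (assumption). This matches any TCP
# segment from bbbbbbbbbb with source port 80, not only replies.
accept
  ztsrc bbbbbbbbbb
  and ztdest aaaaaaaaaa
  and ipprotocol tcp
  and sport 80
;

# Everything else, including all other layer 2 frames, is dropped.
drop;
```

Each statement uses only `and` so that its meaning does not depend on how mixed `and`/`or` chains are evaluated.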

I second this! When will it be available for CHR?

In ZeroTime no doubt. But that be a better place to test this than in hardware/ARM.

Hi there, fairly new to Mikrotik, brand new to zerotier

interested in bridging between two 2 x mikrotik, across the Internet, with Zerotier (to temporarily bridge an existing IP network to a single device which has been moved elsewhere, but needs to remain on the same IP range, and able to communicate with its old LAN)

I updated 2 x RB450Gx4 to v7.1rc3, installed the zerotier npk

added:
/zerotier/interface> add network=xxxxxxxxx instance=zt1
/zerotier>enable zt1

to both

(I’m not sure if I should use something in place of zt1, on the 2nd device, eg zt2?)

both show online in the zerotier central web site

ticked the ‘bridge’ option on the zerotier central web site, and the 2 x mikrotik now see each other in: ip neighbor/ print

but I don’t think general IP traffic is being bridged across

what now?

I saw @sszbv say:
" How can I add the zerotier interface to a bridge?"
" nevermind, I just added it to a bridge via terminal :slight_smile:"

but I don’t quite follow

thanks, Neil

/interface/bridge/port/add bridge=your_bridge interface=zt1