zerotier and firewall

Hello to all,

I need some help with ZeroTier and the firewall. I have a hAP ax2 with ZeroTier installed, behind the ISP router. The MikroTik is in the DMZ of the ISP router.

[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    chain=forward action=accept in-interface=zerotier1 log=no log-prefix=""

 2    chain=input action=accept in-interface=zerotier1 log=no log-prefix=""

 3    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""

 4    ;;; block everything else
      chain=input action=drop connection-state=invalid log=no log-prefix=""

 5    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix=""

 6 X  ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix=""

 7    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix=""

 8    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""

 9    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix=""

10    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""

You can see that I have disabled "defconf: drop all not coming from LAN".

The problem is that it blocks my Remote Desktop connection through ZeroTier (I want to use ZeroTier as a VPN for RDP).

Any suggestion to correct this issue? Or better firewall rules for better security?

Add zerotier1 as a LAN interface in /interface/list/members?

Also, the ZeroTier routes at my.zerotier.com need to include one for your LAN's subnet, 192.168.88.0/24, via the ZeroTier IP address of your router.

In addition to what Ammo wrote, I recommend using 192.168.88.0/23 in the ZeroTier Central menu "Manage Routes", as explained in the ZeroTier docs:

"Configure the destination route as slightly larger than the actual physical subnet, here /23 instead of /24 (a smaller number is a bigger subnet in this notation). This makes devices that are on both the physical and the ZeroTier network prefer the physical connection."

@Larsa, I'm not sure he's bridging, but that would be good to know... It's curious that disabling the firewall makes it work; in theory the zerotier1/forward/accept rule should work.

Maybe a full export (/export file=zerotier-rdp.rsc) would help. If you changed anything from the default on the my.zerotier.com side, that would be good to know.

Thanks for your answers! I added the ZeroTier interface to the LAN interface list and everything works! I have already added the router to the ZeroTier cloud panel.

I think this: "Configure the destination route as slightly larger than the actual physical subnet, here /23 instead of /24 (a smaller number is a bigger subnet in this notation). This makes devices that are on both the physical and the ZeroTier network prefer the physical connection."

refers to the fact that the most specific route is preferred?

I have one more question.

I have installed ZeroTier on the MikroTik. The MikroTik LAN is 192.168.88.0/24.
I have a laptop with the ZeroTier app installed, and I want to RDP to 192.168.88.150/24 (a server on the MikroTik LAN).
BUT the laptop is connected to a home router with DHCP range 192.168.88.0/24.

Is it safe to keep these settings, or is it better to change the home router's DHCP range to something else?

Thanks.

I don't see any harm in putting zerotier in the LAN interface list. It's disabling the !LAN drop firewall rule that's unsafe. But you avoid that by putting zerotier1 in the LAN list.

Since you control who accesses the ZeroTier network via "Members", it's not much different from a security POV than another Wi-Fi client on your LAN locally.
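Written out as RouterOS commands, the fix the replies converge on (zerotier1 in the LAN list, default drop rule re-enabled) together with a stricter alternative that only lets RDP through to one host. This is an added example, not configuration posted by anyone in the thread. It assumes the default-config interface lists LAN and WAN, the interface name zerotier1 and the 192.168.88.0/24 LAN visible in the posted output, and the RDP server 192.168.88.150 named in the follow-up question. Pick one option; the blocks are not meant to be pasted together, because the remove in Option A matches any accept rule with in-interface=zerotier1.

```routeros
# Added example (not from the thread). Assumes interface lists LAN/WAN from the
# default config, the ZeroTier interface zerotier1, and LAN 192.168.88.0/24.

# --- Option A: treat zerotier1 as LAN (what the original poster ended up doing) ---
# Members of the LAN list pass the default "drop all not coming from LAN" input
# rule, so that rule can be switched back on instead of left disabled.
/interface list member add list=LAN interface=zerotier1 comment="ZeroTier VPN, treated as LAN"

# Re-enable the default drop rule (rule 6 in the posted print output).
/ip firewall filter enable [find comment="defconf: drop all not coming from LAN"]

# The two blanket accept rules for zerotier1 (rules 1 and 2 in the posted output)
# are now redundant: input is covered by the LAN rule and forward from zerotier1
# was never matched by the "from WAN" drop rule. Remove them.
/ip firewall filter remove [find in-interface=zerotier1 action=accept]

# --- Option B: zerotier1 stays outside LAN, RDP to a single host only ---
# Re-enable rule 6 exactly as in Option A, but do NOT add zerotier1 to LAN.
# Allow only new TCP/3389 from the ZeroTier side to the RDP server and drop any
# other new connection arriving on zerotier1. Both rules are placed just before
# the default "drop all from WAN not DSTNATed" forward rule so they sit after
# fasttrack / established,related / drop invalid.
/ip firewall filter enable [find comment="defconf: drop all not coming from LAN"]
/ip firewall filter
add chain=forward action=accept in-interface=zerotier1 protocol=tcp \
    dst-address=192.168.88.150 dst-port=3389 connection-state=new \
    comment="ZeroTier: RDP to 192.168.88.150 only" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
add chain=forward action=drop in-interface=zerotier1 connection-state=new \
    comment="ZeroTier: drop everything else" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# --- Check (either option) ---
# Rule 6 must no longer carry the X (disabled) flag; under Option A zerotier1
# must appear as a LAN member, under Option B it must not.
/ip firewall filter print where comment~"not coming from LAN"
/interface list member print where list=LAN
```

With Option B the router itself is unreachable from the ZeroTier side except for ICMP (rule 5 accepts it before rule 6 drops), which is usually what you want for a VPN that exists only to reach one RDP host; ZeroTier's own peer traffic does not arrive on zerotier1 but as UDP on the physical uplink, and its replies are accepted by the established,related rule. Neither option changes the routing side: the /23 route in ZeroTier Central works because a client prefers its directly connected /24 over the broader /23 learned from ZeroTier (longest prefix wins). The same rule cuts the other way in the overlap asked about above: a laptop whose home LAN is also 192.168.88.0/24 will send packets for 192.168.88.150 to its home LAN and never into the tunnel, so with that overlap one of the two networks needs a different range.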