Hi.
I have a site to site vpn between a Hap AC3 (192.168.2.254/24) and a Mikrotik x86 + zerotier container (192.168.0.200/24 for mikrotik itself and 192.168.0.201 for container’s veth added to local bridge).
2 managed routes are created on my.zerotier.com:
192.168.2.0/23 => 192.168.32.254 (hap ac3 zt address)
192.168.0.0/23 => 192.168.32.201 (x86 container)
I can access from 0.x to 2.x, but can’t access FROM 2.x to 0.x… Tracert stops at 192.168.32.201, the Zerotier container… Container is blocking from zt->lan, but not lan->zt.
I tried putting the ENV settings (gateway mode = both), but that didn’t change anything…
I had this same scenario, same settings, same addresses and all, working fine with an Openwrt VM and the same Hap Ac3…
Did you put the VETH in LAN interface list (or address-list if using those)? e.g. firewall blocks !LAN by default
The Mikrotik ZT client will inject ZT routes into the router, but using a ZT container won’t… So you need a static route on CHR/X86 to the ZT network, as Mikrotik routing is not going to know the ZT subnet.
Yes, I’d imagine you’d need “gateway” as both, but I’m not too familiar with the containerized ZT… Since you use the VETH IP as the static route for any ZT networks. For sure enabling logging in the container, as the logs may have a clue (and/or confirm the ENV are getting picked up correctly)
Hi. Veth IP is in the same subnet and in the same local/LAN bridge as Mikrotik.
I can access the container’s IP from the lan hosts of 192.168.0.x and 192.168.2.X… But the container itself isn’t forwarding traffic from ZT to LAN…
External tracert stops on 192.168.0.201 (Veth/container IP address)…
As I said, I haven’t used the ZT container, so IDK.
So my suggestion was to make sure “Logging” is enabled on the /container entry for ZT, and then look at “/log print”. Alternatively, you might be able to access the shell of the container using /container/print, then /container/shell XX, where XX is the # of the ZT container shown in print.
The firewall on Mikrotik side seems more probable than something in the container.
Also on the CHR itself do you have a route in /ip/route for 192.168.2.0/23 to 192.168.0.201?
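As an added illustration of the checks suggested in the two replies above (interface-list membership for the veth, a static route to the ZT subnet via the container, and container logging), here are the RouterOS 7 commands that implement them. This is example configuration written for this page, not the poster’s actual config or anything from the thread. It assumes the container’s interface is named veth1, the env list is named zt-env, the ZeroTier managed network is 192.168.32.0/24, and the container image honours a ZEROTIER_GATEWAY_MODE variable (the zyclonite/zerotier router image documents one; verify against the image actually in use).

```routeros
# Added example: RouterOS 7 commands for the checks suggested in the thread.
# Assumptions (not from the thread): the container interface is veth1, the env
# list is zt-env, and the ZeroTier overlay network is 192.168.32.0/24.

# 1. The default firewall references the LAN interface list; anything not in it
#    is matched by the "!LAN" drop rules. Add the veth and confirm membership.
/interface/list/member add list=LAN interface=veth1
/interface/list/member print where list=LAN

# 2. A ZT container injects no routes (unlike the built-in ZT client), so the
#    router itself needs static routes via the container's veth address.
/ip/route add dst-address=192.168.32.0/24 gateway=192.168.0.201 comment="ZT overlay via container"
/ip/route add dst-address=192.168.2.0/24 gateway=192.168.0.201 comment="remote LAN behind hAP ac3"
/ip/route print where comment~"ZT|hAP"

# 3. Gateway-mode environment variable for the container (variable name assumed;
#    check the documentation of the image you are running).
/container/envs add name=zt-env key=ZEROTIER_GATEWAY_MODE value=both

# 4. Attach the env list and enable logging (container must be stopped to change
#    its settings), then read the container's output from the system log.
/container print
/container stop 0
/container set 0 envlist=zt-env logging=yes
/container start 0
/log print where topics~"container"
```

If traffic from the ZT side still stops at the veth address after this, the next thing to look at is the forward chain on the x86 box (`/ip/firewall/filter print` with `in-interface=veth1` traffic in mind) rather than the container, which matches the reply's suspicion that the MikroTik firewall is the more likely culprit.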
I gave up and deleted the container… I spent more than 8 hours doing tests with zt container, without success…
Then, I installed zerotier client on the windows host machine, enabled ip forward in regedit, rebooted, and adjusted the static route on the zerotier web console… It took less than 3 minutes, and it’s working fine.