I managed to get zerotier working prior…
But after like 15+ wipes of router i think i may have gotton my self locked up.
All but the mikrotik Routerboard RB3011UIAS-RM is connecting to zero tier even if i Run router WITHOUT ANY rules + Quickset rules.
Anyone mind helping advising me on the matter.. This i think is pure user error as i am trying to teach myself and doing “LABS” Running V717c2
Access contol is set to Private. on prior testing got it to access router last from Remote IP which was great.
You’d have to post your configuration as the defaults should work to allow ZL1 tunnels. But you might try downgrading to 7.16.2 to see if is in fact an issue in the 7.17rc…
When you wipe the router… are you upgrading the firewire in /system/routerboard? Did you use something like
“/system/reset-configuration keep-users=yes” to ensure the latest default configuration is applied?
It seems to have been a firmware issue…
I downgraded back to 7.16.2 it seems to have fixed my issue... via SYSTEM->PACKAGES
Only reason why i attempted new testing version is i see alot of fixes and changes applied lately which is great work from the team..
Atleast i been playing around quite a bit with firewalls so much more to learn. Trying to find my own unique way..
PEER NOT connecting
Full router wipe NO defaults 7.17rc3
Full router wipe 7.17rc3 with quick Set
Full router wipe NO defaults 7.17rc2
Full router wipe 7.17rc2 with quick Set
..
It’s the “failed” on the ZT instance that is pretty odd. It could be a bug since I believe they updated the ZeroTier version in 7.17… But I have 7.17rc3 running on several wAPacR and RB1100AHx4 and ZT seems fine, so dunno exactly.
You can also try to limit ZeroTier to just the upstream interface, so it does not search all interfaces for a path. In your screenshot you show “Interfaces: all”, but in most cases using “interface: WAN” avoid unnecessary traffic on LAN from ZeroTier (which will probe for paths). Especially if you trying “roll your own” firewall rules since the /ip/firewall/connection is often helpful in troubleshooting a firewall, but can quickly show a lot of ZT packets that test the network.
Personally, I think it’s best to modify the default firewall. There is a lot of subsilties to the firewall rules, so it quite tricky to get right… And each rule hit does add to a small amount to latency…
One thing to keep in mind is while “zerotier1” is in an interface available in firewall rules, which is the inner traffic of the ZT network. But the outer ZL1 tunnel created by the “zt1” instance is NOT an interface, so you cannot match ZeroTier’s outer tunnels directly in the firewall - but they can be blocked by the firewall since ports/IP are determined by ZT’s probing/nat-holepunching/etc so firewall can indirectly block them – which be one to get the “failed” state I think but since 7.16 works… that isn’t the whole story here.
Also, if same config works in 7.16, but does not work in 7.17… that be worth a ticket to support@mikrotik.com - ideally with a supout.rif for BOTH 7.16 and 7.17 since the supout.rif will have logs etc and your config for them.
