Hello,
I’m using v7.7 on a RB5009 (arm64) device.
I have successfully configured the device in ZeroTier, and can remotely manage the RB5009 via its ZeroTier IP address from a ZeroTier-joined device.
The issue I face is that from a ZeroTier-joined device, I cannot reach a device on the LAN side of the RB5009.
This is the output of /ip/route/print:
The LAN side is 10.128.64.0/24; the IP of the RB5009 on ZeroTier is 192.168.42.3.
A tracert from the ZeroTier client (192.168.42.124) to the LAN client (10.128.64.250) shows this:
Tracing route to 10.128.64.250 over a maximum of 30 hops
1 24 ms 26 ms 36 ms 192.168.42.3
2 * * * Request timed out.
A tracert from the LAN client (10.128.64.250) to the ZeroTier client (192.168.42.124) shows this:
Tracing route to 10.128.64.250 over a maximum of 30 hops
1 1 ms 1 ms 1 ms 10.128.64.1
2 * * * Request timed out.
Did you effectively add a route in the ZeroTier admin panel?
So something like
10.128.64.0/24 via 192.168.42.3
I have such a setup with both an RB5009 and an RB3011 hooked into ZeroTier, and I can access (from a PC on the RB5009 LAN) a server sitting behind the RB3011 LAN.
Yes, I mean just that; in this case, on the my.zerotier.com portal, make sure you add it (too).
On my setup, with 2 routers connected to ZeroTier, you might need to add some statics too.
I have a /24 which is behind my RB3011 and I've added it as a static route on my RB5009 also. It points (as a next hop) to the ZeroTier interface of my RB3011.
Hi,
Yes, in ZeroTier I have these managed routes:
10.128.0.0/24 via 192.168.42.1
10.128.32.0/24 via 192.168.42.2
10.128.64.0/24 via 192.168.42.3
192.168.42.0/24 (LAN)
When I remove them, they also disappear on the RB5009, so the route advertisement works.
When I ping the ZeroTier address 192.168.42.124 (client machine) from the RB5009, this works, until I change the source address to 10.128.64.10 (a free IP address in the LAN),
As a test, could you add the "zerotier1" interface to the LAN interface list?
Very weird that with all firewall rules disabled (which should mean "allow any any") things don't seem to work in your setup.
Perhaps you could torch/packet-capture on the RB5009 to see if packets destined for 10.128.64.0/24 are effectively arriving there?
I fired up my (lab) installation to check on the rules.
Could you, on the RB5009, create in the FORWARD chain an accept rule that allows "in-interface" = BRIDGE and "out-interface" = zerotier1? (or zt1, depending on how it's called)
And also have a reverse rule, so "in-interface" = zerotier1 and "out-interface" = BRIDGE.
Start pinging from your remote ZeroTier client the device behind the RB5009. Do you see these counters increase?
I have a ping running from a PC → MT1 → ZEROTIER-FABRIC → MT2 → ESX-server and I'm seeing hits on both counters on the MT2 device serving the ESX-LAN.
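As an added example (not posted by anyone in this thread), the following RouterOS 7 CLI fragment puts together the checks suggested above: the two diagnostic accept rules in the forward chain, the optional step of treating the ZeroTier interface as LAN, the static route a second router would need for the subnet behind the RB5009, and the source-address ping and torch used to see whether packets actually traverse the ZeroTier interface. It assumes the bridge is named "bridge", the ZeroTier interface is named "zerotier1", the interface list is named "LAN", and uses the addresses from the thread; adjust all of these to the real setup.

```routeros
# Added example, not from the thread. Assumed names: bridge, zerotier1, LAN.

# 1. Diagnostic accept rules at the top of the forward chain.
#    Their packet/byte counters show whether traffic crosses in each direction.
/ip/firewall/filter
add chain=forward action=accept in-interface=bridge out-interface=zerotier1 \
    comment="diag: LAN -> ZeroTier" place-before=0
add chain=forward action=accept in-interface=zerotier1 out-interface=bridge \
    comment="diag: ZeroTier -> LAN" place-before=0

# 2. Optional test: treat the ZeroTier interface as part of the LAN list,
#    so default LAN-only rules (e.g. in the input chain) no longer exclude it.
/interface/list/member
add list=LAN interface=zerotier1

# 3. Static route on a second router (e.g. an RB3011) for the /24 behind the
#    RB5009, with the RB5009's ZeroTier address as next hop.
/ip/route
add dst-address=10.128.64.0/24 gateway=192.168.42.3 comment="LAN behind RB5009 via ZeroTier"

# 4. Checks. Run a ping from the LAN side address and watch the rule counters
#    and torch on the ZeroTier interface while the remote client pings a LAN host.
/ping 192.168.42.124 src-address=10.128.64.10 count=5
/ip/firewall/filter print stats where chain=forward
/tool/torch interface=zerotier1 src-address=0.0.0.0/0 dst-address=10.128.64.0/24
```

If the "ZeroTier -> LAN" counter increases but the reverse one never does, the request reaches the LAN host and the problem is on the return path (the host's default gateway, or a NAT/route on the router for 192.168.42.0/24); if neither counter moves, the packets are not arriving over zerotier1 at all and the managed route on the controller side is the first thing to re-check.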