robertpenz
Member Candidate
Topic Author
Posts: 104
Joined: Mon Oct 10, 2011 8:41 am

Zerotier and VRF

Thu Mar 31, 2022 2:39 pm

Hi!

My goal is to have an rb5009 which can be connected to any internet connection (it just needs to be provided an IP via DHCP). The rb5009 establishes a Zerotier connection to the other routers in the same Zerotier network and routes clients behind it through it. That's easy. Now the more complicated stuff: I want to route networks via Zerotier that may overlap the subnet through which the rb5009 is connected to the internet.

E.g. the router of the Internet (not under my control) uses 10.0.0.0/24 and I want to route 10.0.0.0/16 via Zerotier, which will not work as 10.0.0.0/24 is more specific and so traffic to that subnet will be routed locally. I can now configure a VRF for the Zerotier interface and the client interface, so the client traffic goes the correct route. But that does not help if my rb5009 wants to connect to a server (e.g. dns, syslog, dhcp, snmp traps, ...) or, the other way around, I want to ssh into the router or query it via snmp from a network which overlaps that local network.

What I want to do is to configure the router in a way that Zerotier/Internet is not in the default/main VRF, but I don't see a way to do it. What am I missing? What are possible solutions/workarounds?

Thx for your help!

Regards,
Robert
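The routing behaviour described in the post above, modelled as a longest-prefix-match lookup (an added example, not part of the original thread and not RouterOS code). The interface names, the 192.168.88.0/24 client LAN and the 10.0.0.1 gateway are constructed assumptions; only 10.0.0.0/24 and 10.0.0.0/16 come from the post.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: return (prefix, next_hop) of the most
    specific route in `table` that covers dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return (str(best[0]), best[1]) if best else None

# Constructed tables. Without a VRF everything shares one table, so the
# connected /24 of the uplink shadows part of the /16 routed over ZeroTier.
NO_VRF = {
    "0.0.0.0/0": "ether1 via 10.0.0.1",
    "10.0.0.0/24": "ether1 connected",
    "10.0.0.0/16": "zerotier1",
}
# With a VRF holding the ZeroTier and client interfaces, the main table
# keeps only the uplink routes and the VRF table holds the overlay routes.
MAIN = {
    "0.0.0.0/0": "ether1 via 10.0.0.1",
    "10.0.0.0/24": "ether1 connected",
}
VRF_ZT = {
    "10.0.0.0/16": "zerotier1",
    "192.168.88.0/24": "bridge connected",
}

def route(origin, dst):
    """origin 'client' is forwarded traffic arriving on a VRF interface;
    origin 'router' is traffic from the router's own services (SNMP,
    syslog, DNS), which in this model always use the main table."""
    return lookup(VRF_ZT if origin == "client" else MAIN, dst)

if __name__ == "__main__":
    for origin, dst in [("client", "10.0.0.50"), ("router", "10.0.0.50"),
                        ("router", "10.0.5.9")]:
        print(origin, dst, "->", route(origin, dst))
```
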
 
robertpenz
Member Candidate
Topic Author
Posts: 104
Joined: Mon Oct 10, 2011 8:41 am

Re: Zerotier and VRF

Sun Apr 10, 2022 8:55 pm

No one has an idea? I don't understand that, is that not a classic use case for zerotier? Put a router anywhere, and it works even on overlapping subnets.
 
vaizki
newbie
Posts: 32
Joined: Wed Mar 23, 2011 3:44 pm
Location: Finland

Re: Zerotier and VRF

Thu Apr 28, 2022 2:22 pm

I don't have a zerotier capable (arm) lab router so can't try it..

I have done this with WireGuard though..

Create a wireguard instance (wg0), then create a VRF and put wg0 in it.

Wireguard will still listen for connections on the main routing table even if the instance is in the VRF and I can run iBGP over WG fine with IPs overlapping main routing table.

I know WG != ZT but maybe it can work like this as well?
 
robertpenz
Member Candidate
Topic Author
Posts: 104
Joined: Mon Oct 10, 2011 8:41 am

Re: Zerotier and VRF

Thu Apr 28, 2022 2:32 pm

That's correct as far as I know, but the problem is that if you try e.g. an SNMP query to the mikrotik via wireguard/zerotier from an IP that's in the subnet the router uses to connect to the internet, it does not work: you can't bind the snmpd (and other services) to a VRF. As one use case is that we provide the customer with a setup which he can plug into any network (it just needs dhcp and an internet connection to get it to work), we've no control over the subnet he uses.

E.g. we use 10.10.0.0/24 for our managed server and, by luck, it's the same subnet he connected the Mikrotik into; then we're not able to manage the system via wireguard/zerotier.
