HansHinnekint
just joined
Topic Author
Posts: 10
Joined: Wed Feb 17, 2016 7:40 am

Zerotier Site to Site LAN issue

Mon Jan 23, 2023 1:22 pm

Hello,
I'm using v7.7 on a RB5009 (arm64) device.
I have successfully configured the device in Zerotier, and can remotely manage the RB5009 with its Zerotier IP address from a Zerotier-joined device.

The issue I face is that from a Zerotier-joined device, I cannot reach a device on the LAN side of the RB5009.
This is the output of /ip/route/print:

Flags: D - DYNAMIC; A - ACTIVE; c, d, v, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 192.168.118.1 1
DAv 10.128.0.0/24 192.168.42.1 1
DAv 10.128.32.0/24 192.168.42.2 1
DAc 10.128.64.0/24 Bridge_LAN 0
DAc 192.168.42.0/24 zerotier1 0
DAc 192.168.118.0/24 ether1_WAN 0

The LAN side here is 10.128.64.0/24; the IP of the RB5009 on Zerotier is 192.168.42.3.

A tracert from the Zerotier client (192.168.42.124) to the LAN client (10.128.64.250) shows this:
Tracing route to 10.128.64.250 over a maximum of 30 hops

1 24 ms 26 ms 36 ms 192.168.42.3
2 * * * Request timed out.

A tracert from the LAN client (10.128.64.250) to the Zerotier client (192.168.42.124) shows this:
Tracing route to 10.128.64.250 over a maximum of 30 hops

1 1 ms 1 ms 1 ms 10.128.64.1
2 * * * Request timed out.

All firewall rules are disabled.

Any insight would be appreciated.

Kind regards,

Hans
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Zerotier Site to Site LAN issue

Mon Jan 23, 2023 1:37 pm

Did you effectively add a route in the ZeroTier admin panel?
So something like

10.128.64.0/24 via 192.168.42.3

I have such a setup with both an RB5009 and RB3011 hooked into ZeroTier and I can access (from a PC on the RB5009-LAN) a server sitting behind the RB3011-LAN.
 
Rox169
Member
Posts: 433
Joined: Sat Sep 04, 2021 1:47 am

Re: Zerotier Site to Site LAN issue

Mon Jan 23, 2023 1:44 pm

and you have to do the same in ZT web....
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Zerotier Site to Site LAN issue

Mon Jan 23, 2023 2:42 pm

Yes I mean just that in this case, on the my.zerotier.com portal make sure you add it (too).
On my setup, with 2 routers connected to ZeroTier you might need to add some statics too.
I have a /24 which is behind my RB3011 and I've added it as a static route on my RB5009 also. It points (as a next hop) to the ZeroTier interface of my RB3011.
 
HansHinnekint
just joined
Topic Author
Posts: 10
Joined: Wed Feb 17, 2016 7:40 am

Re: Zerotier Site to Site LAN issue

Mon Jan 23, 2023 3:33 pm

Hi,
Yes, on the Zerotier I have these: Managed Routes:
10.128.0.0/24 via 192.168.42.1
10.128.32.0/24 via 192.168.42.2
10.128.64.0/24 via 192.168.42.3
192.168.42.0/24 (LAN)

When I remove them, they also disappear on the RB5009, so the route advertisement works.

When I ping the Zerotier address 192.168.42.124 (client machine) from the RB5009, this works, until I change the source address to 10.128.64.10 (free IP address in the LAN).
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Zerotier Site to Site LAN issue

Mon Jan 23, 2023 5:49 pm

As a test, could you add the "zerotier1" interface to the LAN interface list?
Very weird that with all firewall-rules disabled (which should mean "allow any any") things don't seem to work in your setup.
 
HansHinnekint
just joined
Topic Author
Posts: 10
Joined: Wed Feb 17, 2016 7:40 am

Re: Zerotier Site to Site LAN issue

Mon Jan 23, 2023 8:37 pm

Hello,

I tried it, but this also does not make it work :(

I did a complete reset of the RB5009 and started from scratch. Still no luck :(

Kind regards,

Hans
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Zerotier Site to Site LAN issue

Mon Jan 23, 2023 9:14 pm

Perhaps you could torch/packet-capture on the RB5009 to see if packets destined for 10.128.64.0/24 are *effectively* arriving here?
I fired up my (lab) installation to check on the rules.
Could you, on the RB5009, create in the FORWARD chain an accept rule that allows "in-interface" = BRIDGE and "out-interface" = zerotier1? (or zt1, depending on how it's called)
And also have a reverse rule, so "in-interface" = zerotier1 and "out-interface" = BRIDGE.

Start pinging the device behind the RB5009 from your remote ZeroTier client. Do you see these counters increase?

I have a ping running from a PC -> MT1 -> ZEROTIER-FABRIC -> MT2 -> ESX-server and I'm seeing hits on both counters on the MT2 device serving the ESX-LAN.
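
Added example, not part of the thread and not any poster's own configuration: the counter test and capture suggested above, written as RouterOS commands with the interface names and subnets from the first post's route table (Bridge_LAN, zerotier1, 192.168.42.0/24, 10.128.64.0/24). The "zt-test" comment tag is a hypothetical label; the rules are scoped to the two subnets rather than any-to-any and are removed after the test.

```routeros
# Added example. Interface names and subnets come from the route table in
# the first post; the "zt-test" comment tag is a hypothetical label.

# 1. One accept rule per direction in the forward chain, limited to the
#    ZeroTier and LAN subnets. If other forward rules are enabled, move
#    these above any drop rule so they see the traffic first.
/ip firewall filter
add chain=forward action=accept in-interface=zerotier1 out-interface=Bridge_LAN \
    src-address=192.168.42.0/24 dst-address=10.128.64.0/24 comment="zt-test ZT->LAN"
add chain=forward action=accept in-interface=Bridge_LAN out-interface=zerotier1 \
    src-address=10.128.64.0/24 dst-address=192.168.42.0/24 comment="zt-test LAN->ZT"

# 2. Ping the LAN host (10.128.64.250) from the ZeroTier client
#    (192.168.42.124), then read the packet counters of both rules.
#    - ZT->LAN counts, LAN->ZT stays 0: requests are forwarded but no reply
#      comes back through the router (look at the LAN host itself, e.g. its
#      gateway or host firewall).
#    - Both stay 0: the requests never match the forward rule on this router.
/ip firewall filter print stats where comment~"zt-test"

# 3. Confirm on the wire: ICMP to or from the LAN host as seen on the bridge.
/tool sniffer quick interface=Bridge_LAN ip-address=10.128.64.250 ip-protocol=icmp

# 4. Remove the test rules when finished.
/ip firewall filter remove [find comment~"zt-test"]
```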
 
massinia
Member Candidate
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

Re: Zerotier Site to Site LAN issue

Mon Jan 23, 2023 10:31 pm

Just a curiosity, are you using winbox or terminal to configure zerotier?
It only works for me if I configure it from the terminal.
 
HansHinnekint
just joined
Topic Author
Posts: 10
Joined: Wed Feb 17, 2016 7:40 am

Re: Zerotier Site to Site LAN issue

Tue Jan 24, 2023 9:10 am

Hello

I tried both methods, Winbox and terminal; both configure the Zerotier in the same way for me.
 
Ca6ko
Member
Posts: 499
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Zerotier Site to Site LAN issue

Wed Jan 25, 2023 8:44 am

The issue I face is that from a Zerotier-joined device, I cannot reach a device on the LAN side of the RB5009.
Are there any Windows devices among them?
Windows can block access from another network.
