OKNET
Member
Topic Author
Posts: 353
Joined: Mon Jun 22, 2015 9:22 am

Zerotier not working

Sun Mar 19, 2023 12:59 pm

I followed this guide :

https://help.mikrotik.com/docs/display/ROS/ZeroTier

as well as Normis video.

It looks straightforward; anyway, after both rOS (7.8) and the iPhone are up and authorized on my ZeroTier page, I see no dynamic IP address released to the MT ZeroTier interface.
I placed the two ZeroTier accept rules at the top of the firewall, but traffic on these two rules is stuck at 0.
Meanwhile, I have 20 L2TP/IPsec and 1 GRE/IPsec connections running fine.

Any suggestion?
 
OKNET
Member
Topic Author
Posts: 353
Joined: Mon Jun 22, 2015 9:22 am

Re: Zerotier not working [solved]

Sun Mar 19, 2023 1:10 pm

Well, adding "allow-managed=yes" to the ZeroTier interface makes it get the IP address assigned and work!

It is not documented anywhere.
 
Amm0
Forum Guru
Posts: 3250
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Zerotier not working

Sun Mar 19, 2023 2:18 pm

https://help.mikrotik.com/docs/display/ROS/ZeroTier does describe the "allow-managed" parameter as a yes/no for "ZeroTier managed IP addresses and routes are assigned." However, it is unclear from the docs what the default value is...

And... "allow-managed" previously defaulted to =yes (enabled). But in recent versions, at least v7.8, it's disabled by default.

So the docs' "Step 4" in the examples becomes WRONG, since you need an "allow-managed=yes" as a result of the default change.

Basically, if you're going to be bridging the "zerotier1" interface using /interface/bridge, then you would NOT want an IP address assigned automatically, thus "allow-managed=no" – it will get its IP from the bridge, and you want my.zerotier.com to use the bridge's IP range in this case (and check "Allow bridging" in ZT Central for the RouterOS "member" of the ZT network).

But if you're using it for remote management, or layer 3 routing, you WANT the "Allow Managed" box checked (=yes).
 
Amm0
Forum Guru
Posts: 3250
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Zerotier not working

Sun Mar 19, 2023 2:29 pm

@OKNET, I wrote up some notes from my testing of ZeroTier a little while ago into a long forum posting here:
viewtopic.php?t=183424&hilit=zerotier

I can't promise it's 100% right currently, but it does have a lot of background on how ZT works on RouterOS, at least from my observations/testing.
 
OKNET
Member
Topic Author
Posts: 353
Joined: Mon Jun 22, 2015 9:22 am

Re: Zerotier not working

Sun Mar 19, 2023 4:19 pm

Wow, a lot to be read :)
As said, I'm absolutely new to ZeroTier; does bridging allow an L2 bridge between ZeroTier rOS members??
 
Amm0
Forum Guru
Posts: 3250
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Zerotier not working

Sun Mar 19, 2023 5:33 pm

Yes. Bridging L2 is actually pretty simple. And if you do bridge, you do NOT want "allow-managed=yes", since you put the zerotier1 interface in as a bridge port member & presumably the bridge (or VLAN and PVID) already has an IP network.

The TL;DR for bridging is that on the ZeroTier client side (e.g. iPhone, desktops, etc.), the IP assigned to the ZT client and the routes do NOT come from the DHCP server on the bridge – they come from what's configured in my.zerotier.com. So inside the network configuration on the ZeroTier side, you need to change all the IP addresses and routes to use what's on the Mikrotik end of the bridge.

Assuming you have an account, create a new ZeroTier network for this (you don't want to break whatever you have ;).

On the Mikrotik side,
- create a new ZeroTier interface on the Mikrotik side for the new network, and join it to the new network's ID; leave allow-managed unchecked/=off
- add it to the main bridge as a port (or assign a PVID if you're using vlan-filtering=yes).
- in /ip/pool, change the Mikrotik DHCP assignment range to 192.168.88.100-192.168.88.254
- do not set any IP on the zerotier interface & no firewall rules should be required – you're bridging.

On the ZeroTier network admin page, assuming the default Mikrotik config (adjust as needed for the bridge/VLAN you're bridging)
- remove all routes and add one for 192.168.88.0/24 to 192.168.88.1 (adjust as needed)
- use Advanced for IPv4 auto-assignment, then set that to 192.168.88.10 to 192.168.88.99
- authorize the Mikrotik under members by checking the box under "Auth?"
- hit the wrench icon next to the RouterOS device... check "enable bridging" and uncheck "auto assign IP" on my.zerotier.com.
- add any other clients, and authorize them, but do NOT change any of the "wrench" settings – they do NOT need "enable bridging" (since the client is more of an "edge" in bridging terms, it does NOT need this setting).

If you want all of the client's internet traffic tunneled, you need to add a 0.0.0.0/0 route to 192.168.88.1 on the ZeroTier network page. But this will ONLY take effect if the client device (e.g. desktop/iPhone/etc.) checks "Allow Default Route Override".

Lastly, on the Mikrotik, there is the "zt1" instance – this is what does all the tunneling/peer discovery/etc. So its "Interfaces" selection is important. By default it's "all" & this should work fine in nearly all cases. BUT, it does create a lot of connections through the firewall, since ZeroTier is always trying to discover peers. So in general, using "WAN" may be useful. Conversely, if you do have multiple RouterOS devices using ZeroTier, "all" may be the better choice. Or customize an interface list with the places ZeroTier should be doing its path discovery.

Hope that helps. I've been meaning to update that doc, but it's long & I'm ever hopeful Mikrotik will invest time in improving THEIR documentation overall...
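The two configurations discussed in this thread, as an added RouterOS CLI example that is not from any post here or from MikroTik's documentation: scenario A is the routed/remote-management case from the first posts (where the missing "allow-managed=yes" left zerotier1 without an address on 7.8), and scenario B is the L2 bridge recipe in the post above. It assumes the default RouterOS config (a bridge named "bridge", an IP pool named "dhcp", an interface list named "WAN" and the built-in "zt1" instance); the network IDs are placeholders, the interface names zerotier1/zerotier2 are the author's choice, and the two firewall rules in scenario A are an assumed minimal set, not the exact rules from the help page.

```routeros
# Added example, not from the thread or from MikroTik's docs.
# Placeholders: <NETWORK-ID-A> / <NETWORK-ID-B> are 16-hex-digit ZeroTier
# network IDs from my.zerotier.com. Assumes default config names:
# bridge "bridge", pool "dhcp", interface list "WAN", instance "zt1".

# --- Common: enable the instance and limit where it does peer discovery ---
# interfaces=all is the default and works, but every listed interface is a
# place ZeroTier will keep probing for peers, which shows up as lots of
# connections through the firewall. Restricting it to the WAN list keeps
# discovery (and the resulting conntrack entries) on the uplink only.
/zerotier/set zt1 interfaces=WAN disabled=no

# ===== Scenario A: layer 3 / remote management (allow-managed=yes) =====
# With allow-managed=no (the 7.8 default) the member joins the network but
# never receives the managed IP or routes; that is the "no dynamic address"
# symptom from the first post.
/zerotier/interface/add name=zerotier1 instance=zt1 network=<NETWORK-ID-A> allow-managed=yes

# Check: after the member is authorized in ZeroTier Central a dynamic
# address should be listed for zerotier1.
/zerotier/interface/print detail
/ip/address/print where interface=zerotier1

# Assumed minimal firewall for the routed case: accept what arrives over the
# ZeroTier interface, placed ahead of the default-config drop rules. Tighten
# the forward rule (dst-address / ports) to what remote admins really need.
/ip/firewall/filter/add chain=input action=accept in-interface=zerotier1 place-before=0 comment="ZeroTier -> router"
/ip/firewall/filter/add chain=forward action=accept in-interface=zerotier1 place-before=0 comment="ZeroTier -> LAN"

# ===== Scenario B: L2 bridge into the LAN (allow-managed=no) =====
# The bridge already owns the 192.168.88.0/24 network, so ZeroTier must not
# push a managed address onto this interface.
/zerotier/interface/add name=zerotier2 instance=zt1 network=<NETWORK-ID-B> allow-managed=no
/interface/bridge/port/add bridge=bridge interface=zerotier2

# ZeroTier Central auto-assigns clients from 192.168.88.10-192.168.88.99
# (per the post), so keep the router's own DHCP pool out of that range.
/ip/pool/set dhcp ranges=192.168.88.100-192.168.88.254

# No IP address on zerotier2 and no extra filter rules: it is a bridge port.
# The remaining settings live in ZeroTier Central: the route
# 192.168.88.0/24 via 192.168.88.1, the IPv4 auto-assign range above,
# and "enable bridging" (with "auto assign IP" unchecked) on the RouterOS
# member only, not on the phone/desktop clients.

# Check: the port should be listed and no address should exist on it.
/interface/bridge/port/print where interface=zerotier2
/ip/address/print where interface=zerotier2
```

Use one scenario per ZeroTier network: the same interface cannot be both a managed L3 endpoint and a bridge port, which is exactly why the allow-managed default matters. In scenario B, bridging clients straight onto the LAN means the ZeroTier Central member list is the only admission control for that segment, so authorizing members there deserves the same care as adding a physical port.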
 
OKNET
Member
Topic Author
Posts: 353
Joined: Mon Jun 22, 2015 9:22 am

Re: Zerotier not working

Sun Mar 19, 2023 6:28 pm

Great!
In short, ZeroTier bridging simply creates "wires" between your rOS devices as if it were a switch....
Thanks for the example.
Is it perhaps possible to bridge two MT devices' ZeroTier interfaces without assigning an IP address on the central controller, but only on the MT side? A simple unnumbered L2 tunnel?
