Accessing device management interface over ZT network

brian.endres · August 15, 2022, 4:34pm

We are trying to move our remote management access/vpn to Zerotier. I have created a ZT network, joined our office Mikrotik router to the network and setup all of the managed routes in ZT Central. From a remote machine joined to the ZT network I can ping all of our Cambium gear, I can SSH into our Cambium gear, but if I try to access the web interface it times out and packet captures show out of order packets. we have some UBNT backhauls that I have no problem accessing their web UI and I can access our Netonix switches with no issues.

we have about 150 Cambium Epmp APs and SM’s and they all seem to suffer from this same thing. Does anyone have any ideas as to what might be going on here?

zt-travis · August 15, 2022, 6:12pm

Hello. That’s strange. Are you getting “direct” connections to the Cambium devices?
sudo zerotier-cli peers

brian.endres · August 15, 2022, 6:32pm

@zt-travis I am not 100% sure where I am supposed to check that. I am running ZeroTier on a Mikrotik router connected to our network and a Windows PC as the remote computer.

zt-travis · August 15, 2022, 6:40pm

https://zerotier.atlassian.net/wiki/spaces/SD/pages/29065282/Command+Line+Interface+zerotier-cli

This will help with Windows. Not sure how to get into a cli on mikrotik. They might just have the info available on one of the web ui pages.

brian.endres · August 15, 2022, 7:04pm

the cli is showing a direct peer to my Mikrotik router from my windows PC. The mikrotik Zerotier-CLI does not seem to show if peers are direct or not.

brian.endres · August 15, 2022, 8:08pm

UPDATE
I just setup wireguard VPN and everything is working as expected.

I would really like to use ZeroTier is the setup for our remote people would be much easier for me to manage.

zt-travis · August 16, 2022, 4:23pm

OK. Great. That means it’s direct in the other direction too.

We’ve seen similar reports with some http servers, but haven’t really been able to reproduce.

github.com/zerotier/ZeroTierOne

Reproduceable - HTTP Previous segment not captured followed by TCP Dup Ack and TCP Out-Of-Order

opened 02:01PM - 27 Jun 21 UTC

raszuk

Type: Bug

Noticed using zabbix over ZT that every graph or screen refresh is slower then n…ative or IPSec ... Looked deeper and see in wireshark regular every refresh request bunch of TCP Dup Acks and TCP Out-of-Order followed each time by HTTP reporting "TCP Previous segment not captured". My first guess was this was Win10 driver issue ... Zabbix is working on Ubuntu. So I tried to setup another ubuntu locally and test it as NAT router to eliminate any Windows - well the issue is even worse going via extra hop. I also setup IPSec VPN between Win10 and Zabbix network and works clean ... zero errors. I still like ZT hence trying to see if anyone else seen this or have some hints on the cause. Captured issue attached. Thx ! ![zt_previous_segment_not_captured](https://user-images.githubusercontent.com/1081104/123547358-bfd26100-d760-11eb-9a3a-077f1e8f54d0.png)

The mikrotik zerotier service is heavily modified by mikrotik, so I’m not sure how relevant.

Is zerotier using all of the cpu on the router? Can you rate limit the zerotier interface? just some guesses.

brian.endres · August 16, 2022, 6:30pm

CPU usage is sitting at 0%. I am not seeing a way to rate limit the interface. Could the issue be caused by the compression? I don’t see a way to disable that either.

system · September 15, 2022, 6:30pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.