Dual WAN: how do I tell ZeroTier which one to use?

I have a firewall with multi-WAN support (pfSense, OPNsense).
Now I have several WANs: the default one and others.
ZeroTier goes out on the default one.
I need a firewall rule to tell ZeroTier to use the second WAN.
With other VPNs it is very easy: I tell the firewall to redirect all traffic that goes to the VPN server to the second WAN.
But with ZeroTier there is no "server" and no fixed port.
What can I do?

There is not really a direct way, as the ports are random (UDP 9993 as the src/dest port is usually attempted). However, this is what you can do:

  • Create a Linux VM and add net.ipv4.ip_forward=1 to /etc/sysctl.conf, then reboot.
  • Create policy routing in pfSense for that specific VM so it only uses a certain WAN interface instead of your gateway group. This will force that VM to connect only via a specific WAN.
  • Join that Linux VM to your ZeroTier networks.
  • Create routes in pfSense to route the ZeroTier subnets to that VM. That VM will then route to whichever ZeroTier networks it's connected to.
  • In the ZeroTier controller, add routes for all the subnets pfSense handles that you need accessible from ZeroTier, pointing them at the ZeroTier VM.

This is how I use ZeroTier without needing to load ZeroTier onto each device at each site. I just have one device that acts as a routing endpoint. Any device on my network can talk to remote ZeroTier devices and vice versa. I also have rules set up that limit which device can access what.
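The last three steps of the answer above (join the VM, add static routes on pfSense, add managed routes in the controller) are where most mistakes happen, usually a subnet on one side overlapping a subnet on the other. The script below is an added example, not code from the post or from ZeroTier: it takes the JSON that `zerotier-cli listnetworks -j` prints on the routing VM and works out the static routes pfSense needs (ZeroTier targets via the VM's LAN address), the managed routes to enter in the controller (pfSense subnets via the VM's ZeroTier address), and any overlap that would break both. The network IDs, addresses, subnets and the VM's LAN address are invented; only the JSON field names follow the real tool.

```python
"""Plan the routes for the "one Linux VM as ZeroTier routing endpoint" setup.

Added example, not part of the forum post. Reads `zerotier-cli listnetworks -j`
output from the VM and produces the pfSense static routes, the controller managed
routes, and a list of subnet overlaps. All addresses and network IDs are made up.
"""
import ipaddress
import json
import os

# Constructed sample of `zerotier-cli listnetworks -j` output. Field names match the
# real tool; the network IDs, names and addresses are invented for this example.
SAMPLE_LISTNETWORKS = json.dumps([
    {
        "nwid": "a1b2c3d4e5f60001",
        "name": "site-mesh",
        "status": "OK",
        "portDeviceName": "ztabcdef01",
        "assignedAddresses": ["10.147.17.5/24"],
        "routes": [
            {"target": "10.147.17.0/24", "via": None, "flags": 0, "metric": 0},
            # a LAN at another site, published through that site's routing endpoint
            {"target": "192.168.50.0/24", "via": "10.147.17.9", "flags": 0, "metric": 0},
        ],
    },
    {
        "nwid": "a1b2c3d4e5f60002",
        "name": "not-authorized-yet",
        "status": "ACCESS_DENIED",
        "portDeviceName": "ztabcdef02",
        "assignedAddresses": [],
        "routes": [],
    },
])


def forwarding_enabled(sysctl_value):
    """True when the text of /proc/sys/net/ipv4/ip_forward (or `sysctl -n`) is '1'."""
    return sysctl_value.strip() == "1"


def joined_networks(listnetworks_json):
    """Map nwid -> (VM's ZeroTier address, set of route targets) for networks in status OK."""
    result = {}
    for net in json.loads(listnetworks_json):
        if net.get("status") != "OK" or not net.get("assignedAddresses"):
            continue  # not joined or not authorized yet: nothing to route through
        iface = ipaddress.ip_interface(net["assignedAddresses"][0])
        targets = {iface.network}  # the network's own subnet, even if no managed route lists it
        for route in net.get("routes", []):
            targets.add(ipaddress.ip_network(route["target"], strict=False))
        result[net["nwid"]] = (iface.ip, targets)
    return result


def plan_routes(listnetworks_json, vm_lan_ip, local_subnets):
    """Return {'pfsense': [(target, via)], 'controller': [(target, via)], 'conflicts': [...]}.

    pfsense:    static routes to add on pfSense, all via the VM's LAN address.
    controller: managed routes to add in the ZeroTier controller, via the VM's ZeroTier address.
    conflicts:  (ZeroTier target, local subnet) pairs that overlap; both sides are left out
                because traffic for them would loop or never leave the VM.
    """
    local = [ipaddress.ip_network(s) for s in local_subnets]
    networks = joined_networks(listnetworks_json)
    conflicts = []
    for _, targets in networks.values():
        for target in sorted(targets, key=str):
            for subnet in local:
                if subnet.overlaps(target):
                    conflicts.append((str(target), str(subnet)))
    bad_targets = {t for t, _ in conflicts}
    bad_local = {s for _, s in conflicts}
    pfsense, controller = [], []
    for zt_ip, targets in networks.values():
        for target in sorted(targets, key=str):
            if str(target) not in bad_targets:
                pfsense.append((str(target), vm_lan_ip))
        for subnet in local:
            if str(subnet) not in bad_local:
                controller.append((str(subnet), str(zt_ip)))
    return {"pfsense": pfsense, "controller": controller, "conflicts": conflicts}


if __name__ == "__main__":
    proc = "/proc/sys/net/ipv4/ip_forward"
    if os.path.exists(proc):
        with open(proc) as fh:
            print("ip_forward enabled:", forwarding_enabled(fh.read()))
    # hypothetical VM LAN address and pfSense LAN subnets
    plan = plan_routes(SAMPLE_LISTNETWORKS, "192.168.1.50", ["192.168.1.0/24", "192.168.50.0/24"])
    for section in ("pfsense", "controller", "conflicts"):
        print(section)
        for entry in plan[section]:
            print("  ", *entry)
```

Two practical notes: pfSense only lets you create a static route via a gateway you have defined first (System > Routing > Gateways, on the LAN interface, pointing at the VM's LAN address), so define that gateway before entering the `pfsense` routes; and a conflict in the output means one of the two overlapping subnets has to be renumbered, since no route can distinguish them.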
