I wanted to set up a route to our office LAN to replace the OpenVPN system we are using. This seemed easy enough. I didn’t even mess with trying to create a real bridge, I just set up a node in the office and created routing rules on the appropriate firewalls/routers to direct traffic back and forth. Everything works great from my house.
In the office, though, it created some chaos. The route being pushed by ZeroTier overrode the existing routes to the LAN and resulted in systems that couldn’t use the network until a reboot.
I read that playing with netmasks may solve this, so instead of routing 10.151.0.0/16 over the ZeroTier gateway node, I used 10.151.0.0/15 instead. And at first this seemed to work, but in the end it isn’t working well either.
Even stranger (all our user systems are macOS 10.14 Mojave): when they first boot and join the ZeroTier network, the managed routes are not being pushed down or implemented at all. That is why I thought the netmask thing was working, because they rebooted and kept internet access, but if they leave the ZeroTier network and re-join it, the routes get all messed up.
default is 10.151.0.1
10.151/16 is on en0
After I leave and re-join the network:
default is the ZeroTier gateway node ZT IP addr
10.150/15 is the ZT gateway node ZT IP addr
10.151/16 is en0
I don’t want the “default” route to be over the ZT network. And the 10.150/15 is how it shows up when I push the 10.151.0.0/15 route so as to not stomp on the 10.151.0.0/16 LAN route.
How can you get these to co-exist so you can have an “always-on” ZT path to your LAN and yet not mess up the LAN routing when you are in the building? Surely this has been done. Or do I have to move to some other approach like L2 bridging? But I rather like keeping the subnet separate so I can apply some filter rules on ZT traffic.
To be abundantly clear, the route I put in the ZeroTier web UI to push was 10.151.0.0/15 via the ZT gateway node ZT IP addr.
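As an added illustration (not part of the original post, and not ZeroTier's own code), here is a small Python model of the longest-prefix-match rule a macOS/BSD routing table applies, run over the route tables described in the post. It shows why the /15 supernet coexists with the LAN /16 while a pushed default route takes over everything, and it flags which managed routes would actually shadow the LAN. The ZT gateway address and ZT interface name are constructed placeholders.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    dest: str    # CIDR; "0.0.0.0/0" is the default route
    via: str     # next hop, or "link" for a directly attached network
    iface: str


# LAN values are from the post; the ZT gateway address and ZT interface
# name are constructed placeholders, not values from the post.
ZT_GW, ZT_IF = "10.147.17.1", "zt0"
LAN = Route("10.151.0.0/16", "link", "en0")

# State 1: fresh boot in the office, managed routes not applied.
BOOTED = [Route("0.0.0.0/0", "10.151.0.1", "en0"), LAN]
# State 2: after leaving and re-joining the ZT network, as described.
REJOINED = [Route("0.0.0.0/0", ZT_GW, ZT_IF),
            Route("10.150.0.0/15", ZT_GW, ZT_IF), LAN]
# The first attempt: a managed /16 identical to the LAN prefix.
ORIGINAL = [Route("0.0.0.0/0", "10.151.0.1", "en0"),
            Route("10.151.0.0/16", ZT_GW, ZT_IF), LAN]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Pick the route with the longest matching prefix for dst."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in table:
        net = ipaddress.ip_network(r.dest, strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def conflicts(table: List[Route], lan: Route) -> List[Route]:
    """Managed routes that can pull LAN traffic off the LAN interface:
    any route off-interface that overlaps the LAN prefix with an equal
    or longer prefix. A supernet such as /15 is not flagged, because
    the more specific LAN /16 still wins longest-prefix match."""
    lan_net = ipaddress.ip_network(lan.dest)
    out = []
    for r in table:
        if r.iface == lan.iface:
            continue
        net = ipaddress.ip_network(r.dest, strict=False)
        if net.overlaps(lan_net) and net.prefixlen >= lan_net.prefixlen:
            out.append(r)
    return out
```

`conflicts()` returns nothing for the re-joined table, so the /15 is not what breaks LAN access there; the entry that changes is the default route, which on the ZeroTier side comes from a managed 0.0.0.0/0 route together with the client's allowDefault setting (stated as an assumption about where to look, not something the post confirms).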