Help Creating Seamless Access to my Devices

Hey, so I’m aware this question has been asked in some variation many times, but I’m still learning things and need extra help. I followed this guide to make an L3 network with my OpenWrt AP. My goal is to be able to ping local clients from a remote ZeroTier client using the local clients’ IP (192.168.1.X), and for local clients to ping a remote device with the Zerotier IP (172.28.28.X). So far I’m able to ping remote clients from any device on the local network, but I’m unable to ping local devices over Zerotier.

Here’s what my ZeroTier network looks like right now:

  • Managed routes: via LAN, via
  • IP Range: From to
  • Members

I’m not really sure where to go from here…

Seems like a pretty simple topology, but just to make sure.

  1. You have something like a phone connected to Zerotier, and you want to be able to talk between the phone and your LAN?
  2. You can talk when originating traffic from your LAN to ZeroTier hosts? (e.g. ping from something on
  3. You cannot talk when originating from your ZeroTier hosts to your LAN? (e.g. ping something on your network from

If all of that is accurate, this is likely just a firewall issue on OpenWRT. We would know this because your traffic works end to end from your LAN, meaning bidirectional traffic is working.

Assuming you have a ZeroTier and LAN zone, it’s you’re likely not allowing traffic originating from the ZeroTier zone to your LAN.

You are correct with your three assumptions. Though on line 137 of my /etc/config/firewall, it looks like my ZeroTier traffic (vpn) is getting sent to my LAN

Yep, you’re allowing traffic between zones, originated from either zone. What does your flow rules look like?

My flow rules are untouched:

Gotcha, that looks good as well. I was thinking you might be dropping “not chr ipauth”, which would also account for the behavior.

Sorry if you’ve already tried this, but can you just try pinging from the remote host?

Always good to check :slight_smile: (my router) is pingable, though (my HTPC, Win11) cannot be pinged.

And here’s me successfully pinging my phone from my HTPC:

Okay, that’s what I expected. So it’s likely a host level firewall on Win11. We can do a couple things. A quick and dirty way is to temporarily disable the firewall on your Windows box and see if the pings are then allowed through. Windows generally doesn’t allow packets outside of it’s subnet in unless there’s already state for the traffic.

We can also run tcpdump on your OpenWRT router to ensure the packet is leaving towards your LAN. Assuming your LAN interface is something like br0, you can run: “sudo tcpdump -i br0 net”.

If disabling the firewall temporarily allows the traffic through, then you’ll just need to allow a rule allowing traffic in (or only allow more specific traffic if desired).

Of course it was Windows… I wanna hit something.

Now, I’ll probably change my local range from 192.168.1.XXX to something a little more uncommon to avoid any errors while I’m out. Would I have to do anything other than changing my managed route in ZeroTier?

Nope, you nailed everything with the ZT and OpenWRT config. So you’d update your subnet and DHCP Pool on OpenWRT (plus any firewall rules if you’re calling anything in the subnet specifically). Then update the route under managed routes (you can preplace this if you want, it won’t hurt anything).

Alright. Thanks for all the help! Kudos

No problem, glad you got everything working!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.