Hey, so I’m aware this question has been asked in some variation many times, but I’m still learning things and need extra help. I followed this guide to make an L3 network with my OpenWrt AP. My goal is to be able to ping local clients from a remote ZeroTier client using the local clients’ IP (192.168.1.X), and for local clients to ping a remote device with the Zerotier IP (172.28.28.X). So far I’m able to ping remote clients from any device on the local network, but I’m unable to ping local devices over Zerotier.
Here’s what my ZeroTier network looks like right now:
Managed routes: 172.28.28.0/24 via LAN, 192.168.1.0/24 via 172.28.28.1
Seems like a pretty simple topology, but just to make sure.
You have something like a phone connected to Zerotier, and you want to be able to talk between the phone and your LAN?
You can talk when originating traffic from your LAN to ZeroTier hosts? (e.g. ping 172.28.28.95 from something on 192.168.1.0/24)
You cannot talk when originating from your ZeroTier hosts to your LAN? (e.g. ping something on your 192.168.1.0/24 network from 172.28.28.95)
If all of that is accurate, this is likely just a firewall issue on OpenWRT. We would know this because your traffic works end to end from your LAN, meaning bidirectional traffic is working.
Assuming you have a ZeroTier and LAN zone, you’re likely not allowing traffic originating from the ZeroTier zone to your LAN.
You are correct with your three assumptions. Though on line 137 of my /etc/config/firewall, it looks like my ZeroTier traffic (vpn) is getting sent to my LAN
Okay, that’s what I expected. So it’s likely a host level firewall on Win11. We can do a couple things. A quick and dirty way is to temporarily disable the firewall on your Windows box and see if the pings are then allowed through. Windows generally doesn’t allow packets outside of its subnet in unless there’s already state for the traffic.
We can also run tcpdump on your OpenWRT router to ensure the packet is leaving towards your LAN. Assuming your LAN interface is something like br0, you can run: “sudo tcpdump -i br0 net 172.28.28.0/24”.
If disabling the firewall temporarily allows the traffic through, then you’ll just need to add a rule allowing 172.28.28.0/24 traffic in (or only allow more specific traffic if desired).
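A scoped way to do that on the Windows 11 host, as an added example that is not from this thread: instead of disabling the firewall, allow only ICMPv4 echo requests from the ZeroTier subnet. The rule name is an assumption; the subnet is the one used in the thread.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt
# on the Windows 11 host that cannot be pinged from ZeroTier.
$ZtSubnet = '172.28.28.0/24'                      # ZeroTier managed route from the thread
$RuleName = 'Allow ICMPv4 echo from ZeroTier'     # assumed rule name

# Inbound allow rule restricted to ICMPv4 type 8 (echo request) and to the
# ZeroTier subnet, so nothing else from that network is opened up.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow -Enabled True `
    -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $ZtSubnet -Profile Any

# Check that the rule exists and that its address filter is limited to the subnet.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter
```

If the rule must later be removed, `Remove-NetFirewallRule -DisplayName $RuleName` undoes it.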
Now, I’ll probably change my local range from 192.168.1.XXX to something a little more uncommon to avoid any errors while I’m out. Would I have to do anything other than changing my managed route in ZeroTier?
Nope, you nailed everything with the ZT and OpenWRT config. So you’d update your subnet and DHCP Pool on OpenWRT (plus any firewall rules if you’re calling anything in the 192.168.1.0/24 subnet specifically). Then update the route under managed routes (you can pre-place this if you want, it won’t hurt anything).