Hey, so I’m aware this question has been asked in some variation many times, but I’m still learning things and need extra help. I followed this guide to make an L3 network with my OpenWrt AP. My goal is to be able to ping local clients from a remote ZeroTier client using the local clients’ IP (192.168.1.X), and for local clients to ping a remote device with the Zerotier IP (172.28.28.X). So far I’m able to ping remote clients from any device on the local network, but I’m unable to ping local devices over Zerotier.
Here’s what my ZeroTier network looks like right now:
- Managed routes: 172.28.28.0/24 via LAN, 192.168.1.0/24 via 172.28.28.1
- IP Range: From 172.28.28.1 to 172.28.28.255
I’m not really sure where to go from here…
Seems like a pretty simple topology, but just to make sure.
- You have something like a phone connected to Zerotier, and you want to be able to talk between the phone and your LAN?
- You can talk when originating traffic from your LAN to ZeroTier hosts? (e.g. ping 172.28.28.95 from something on 192.168.1.0/24)
- You cannot talk when originating from your ZeroTier hosts to your LAN? (e.g. ping something on your 192.168.1.0/24 network from 172.28.28.95)
If all of that is accurate, this is likely just a firewall issue on OpenWRT. We would know this because your traffic works end to end from your LAN, meaning bidirectional traffic is working.
Assuming you have a ZeroTier and LAN zone, you’re likely not allowing traffic originating from the ZeroTier zone to your LAN.
You are correct with your three assumptions. Though on line 137 of my /etc/config/firewall, it looks like my ZeroTier traffic (vpn) is getting sent to my LAN
Yep, you’re allowing traffic between zones, originated from either zone. What do your flow rules look like?
My flow rules are untouched:
Gotcha, that looks good as well. I was thinking you might be dropping “not chr ipauth”, which would also account for the behavior.
Sorry if you’ve already tried this, but can you just try pinging 192.168.1.1 from the remote host?
Always good to check
192.168.1.1 (my router) is pingable, though 192.168.1.111 (my HTPC, Win11) cannot be pinged.
And here’s me successfully pinging my phone from my HTPC:
Okay, that’s what I expected. So it’s likely a host level firewall on Win11. We can do a couple things. A quick and dirty way is to temporarily disable the firewall on your Windows box and see if the pings are then allowed through. Windows generally doesn’t allow packets outside of its subnet in unless there’s already state for the traffic.
We can also run tcpdump on your OpenWRT router to ensure the packet is leaving towards your LAN. Assuming your LAN interface is something like br0, you can run: “sudo tcpdump -i br0 net 172.28.28.0/24”.
If disabling the firewall temporarily allows the traffic through, then you’ll just need to allow a rule allowing 172.28.28.0/24 traffic in (or only allow more specific traffic if desired).
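The scoped allow rule suggested in the reply above, written out as an added PowerShell example (not posted in the thread, and not part of OpenWrt or ZeroTier): it permits ICMPv4 echo requests from the ZeroTier subnet through Windows Defender Firewall on the Windows 11 host, avoiding the broader step of disabling the firewall, and then reads the rule back so you can confirm its remote-address scope. The rule name and the 172.28.28.0/24 subnet are assumptions taken from the thread; adjust them if your ZeroTier range differs.

```powershell
# Added example: allow ICMPv4 echo (ping) from the ZeroTier subnet only.
# Run from an elevated PowerShell prompt on the Windows 11 host.
# $ZtSubnet and $RuleName are assumptions, not values from the original thread.
$ZtSubnet = '172.28.28.0/24'
$RuleName = 'ZeroTier - allow ICMPv4 echo from ZT subnet'

# Create the rule only if it does not exist yet, so re-running is harmless.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound `
        -Action Allow `
        -Protocol ICMPv4 `
        -IcmpType 8 `
        -RemoteAddress $ZtSubnet `
        -Profile Any | Out-Null
}

# Check: the rule should be enabled and scoped to the ZeroTier subnet, nothing wider.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action

Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

If you need more than ping (RDP, SMB, a media server port), add a separate rule per service with the same `-RemoteAddress` scope rather than widening this one; the address filter output is the quickest way to spot a rule that accidentally allows `Any`.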
Of course it was Windows… I wanna hit something.
Now, I’ll probably change my local range from 192.168.1.XXX to something a little more uncommon to avoid any errors while I’m out. Would I have to do anything other than changing my managed route in ZeroTier?
Nope, you nailed everything with the ZT and OpenWRT config. So you’d update your subnet and DHCP Pool on OpenWRT (plus any firewall rules if you’re calling anything in the 192.168.1.0/24 subnet specifically). Then update the route under managed routes (you can pre-place this if you want, it won’t hurt anything).
Alright. Thanks for all the help! Kudos
No problem, glad you got everything working!