How to create a "Master-Network"?

Succeeded in setting up a self-maintained (VPS) server with docker + ztncui.

I like the simplicity, and I’d like to manage 100+ separated networks (1-10 members in each).

But it would be very bad if I’d need to connect to all 100+ networks from my phone + laptops simultaneously, or disconnect / reconnect to another one each time. (Takes 30+30 sec and creates a new network each time! :-1: )

10.9.10.0/24  BestPizzaShop
10.9.11.0/24  FastPizza
...
10.9.250.0/16 MASTER group

So the question is:

  • Is it possible somehow to create one Network that would “see everyone” (all members in all groups)?

  • If yes, can I block somehow the access to this, so members should not be able to start connections “back to my PCs”, only I should be able to connect to them? (VNC, RDP, SQL)

A lot depends on the design of your networks and the participants. Are these 100 networks made up of distinct sites plus some roaming machines? Or a random collection of machines?

One solution would be to have a single machine connected to all of the networks and use it as a firewall/router between them where you define which networks can talk to which other ones and under what conditions (master network can open RDP connections, but not in the other direction for example).

Or if you’re dealing with specific sites (store1, store2, etc.) and they have a local router that you can install Zerotier on, then you can route to the local networks over a Zerotier network (see: Zerotier & Mikrotik design concept - Infrageeks) for an idea.

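The router/firewall approach suggested above, as an added example that is not from the thread or from ZeroTier: a small Python helper that emits the iptables FORWARD rules for the single "master" router host (new connections only from the master side, replies allowed back by connection tracking) and the static route each member client needs. Interface names (ztMASTER, ztPIZZA1, ...) and the addresses are placeholders I chose; real ZeroTier interfaces are named after the network id.

```python
"""One-way forwarding policy for a single "master" router host.

Constructed example: the host joins the master network and every member
network and forwards between them. New connections are accepted only when
they enter from the master interface; replies come back via conntrack, so
RDP/VNC/SQL from the master works while members cannot open connections
towards the master (or towards each other).
"""
import shlex
from typing import Dict, List


def forward_rules(master_if: str, member_ifs: Dict[str, str]) -> List[str]:
    """Return the shell commands for the router's FORWARD chain.

    member_ifs maps a member network name to its ZeroTier interface
    (placeholder names here; real ones look like ztXXXXXXXXXX).
    """
    rules = [
        "sysctl -w net.ipv4.ip_forward=1",
        "iptables -P FORWARD DROP",  # default: nothing is forwarded
        # Packets belonging to a flow the master already opened may return.
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for name, ifname in member_ifs.items():
        # Only the master side may start a connection into a member network.
        rules.append(
            f"iptables -A FORWARD -i {master_if} -o {ifname} "
            f"-m conntrack --ctstate NEW -m comment --comment {shlex.quote(name)} -j ACCEPT"
        )
    return rules


def client_route(master_net: str, router_addr: str) -> str:
    """Static route a member machine needs: reach the master network via
    the router's address inside that member's own ZeroTier network."""
    return f"ip route add {master_net} via {router_addr}"


def is_forwarded(src_if: str, dst_if: str, master_if: str,
                 member_ifs: Dict[str, str], new: bool) -> bool:
    """Model of the ruleset above: would the router forward this packet?"""
    if not new:
        return True  # matched by the ESTABLISHED,RELATED rule
    return src_if == master_if and dst_if in member_ifs.values()
```

Instead of adding the route on every client by hand, the same route can be pushed as a managed route from the ZeroTier controller (an assumption about your setup, not something the thread states).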

I had hoped there would be an easier solution (like setting something inside ZT’s config file), but actually this is a pretty clear and cool idea! :slight_smile:

So basically I just need +1 docker container on the VPS that connects to all networks with fixed IPs.

10.9.1.250
10.9.2.250
...
10.9.200.250 // <- master 

Then add a fixed route to all clients so the master network can be reached.

Yes.

One week has passed, but I still cannot figure out how to do this in practice within a docker container.

  • because the ZT port is occupied by the main ZT (server)
  • so how would ZT One not conflict with it?

Hmmm - I think that a diagram might help better describe the design including the equipment hosting the ZT nodes and other networking equipment involved. From a quick review, I don’t think you need two containers, but I may be missing something.

If you do need to have two containers on the same machine, then you’ll want to set a different default port on the second container and NAT that port as well as the one used by the original container.


I’ve tested this method (in a 2nd container).

Conclusion:

Too slow! (30-600ms, instead of 2-5ms)

The reason is:

  • To avoid a port conflict, I am forced to port forward the docker container from the default 9993.
  • No matter what I’ve tried, changing that port from 9993 is impossible.
  • ZeroTier One somehow recognises that the “outside port” is different, so it changes back to “TCP relay” mode.

Any other ideas?

That sounds like a limitation on how the Docker container is configured. You may need to have something that maps the external port used on the host to the 9993 port internally used in the container. For the second container you’ll need to do something like:

docker run -p 9994:9993 ...

And then forward both 9993 & 9994 to the internal host.

I’ve found the bug that prevented me from using specific ports with ZT-One:
If I type: zerotier-cli info -j
it lists a badly structured JSON that cannot be re-edited without removing a {config ... } tree branch.

Now my ZT-One docker image is running on port 9992.

But it still does not connect directly! :frowning:

Only tunneled. Which is very slow.
(While the 2 containers are running on the same VPS. So it should be 0ms.)

Any idea, why ZT1 is connecting only tunneled?

A diagram would really help. I’m still a little fuzzy on the use of multiple containers instead of a native install for the host and eventually a container for an isolated network.