This has been asked a couple of times and never answered (that I can find).
Is there no way to force or at least strongly encourage ZT to use a member’s IPv6 physical address? I have at least one member that seems to prefer traversing the ISP’s CG-NAT instead of using the public IPv6, and ZeroTier is completely opaque as to why.
It’s particularly frustrating in light of this old ZeroTier blog post (scroll almost to the end):
NAT Murders Kittens
Ideally there would be an option for each authorized member in the network management configuration to favor/require IPv6. Or a client setting to do the same.
At this time that doesn’t appear to be the case.
The workaround I’m using right now is to restrict inbound UDP on port 9993 to IPv6 only in the member’s client-side firewall.
Doing so immediately caused my dual-stack members to start appearing with IPv6 physical addresses in the management portal. I’m assuming that whatever internal metric ZeroTier uses to select a route prefers bidirectional communication on that port.
Hopefully this helps the next person with the same question.
If the target system supports local.conf usage, then I would blacklist IPv4 address there.
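An added example, not part of the thread and not ZeroTier's own code: after applying either workaround above, this checks which address family each peer's preferred physical path uses and flags peers that stay on IPv4 even though an IPv6 path is active. It assumes the JSON shape of `zerotier-cli -j peers` (a `paths` list whose entries carry `address` as `ip/port`, `active` and `preferred`); the sample data and the function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample; field names assume the `zerotier-cli -j peers` JSON shape.
SAMPLE_PEERS = json.loads("""[
 {"address": "aaaaaaaaaa", "paths": [
   {"address": "203.0.113.7/9993", "active": true, "preferred": false},
   {"address": "2001:db8::10/9993", "active": true, "preferred": true}]},
 {"address": "bbbbbbbbbb", "paths": [
   {"address": "198.51.100.4/41822", "active": true, "preferred": true}]},
 {"address": "cccccccccc", "paths": [
   {"address": "192.0.2.9/9993", "active": true, "preferred": true},
   {"address": "2001:db8::30/9993", "active": true, "preferred": false}]},
 {"address": "dddddddddd", "paths": []}
]""")


def path_family(path_address):
    """Return 4 or 6 for a physical path given as 'ip/port'."""
    ip_text = path_address.split("/")[0]
    return ipaddress.ip_address(ip_text).version


def ipv6_status(peers):
    """Map each peer to how its preferred physical path relates to IPv6."""
    status = {}
    for peer in peers:
        active = [p for p in peer.get("paths", []) if p.get("active")]
        preferred = [p for p in active if p.get("preferred")]
        has_v6 = any(path_family(p["address"]) == 6 for p in active)
        if not preferred:
            status[peer["address"]] = "no-direct-path"
        elif path_family(preferred[0]["address"]) == 6:
            status[peer["address"]] = "ipv6"
        elif has_v6:
            # The case from the thread: IPv6 is reachable but IPv4 was chosen.
            status[peer["address"]] = "ipv4-despite-ipv6"
        else:
            status[peer["address"]] = "ipv4-only"
    return status


if __name__ == "__main__":
    # Real use: replace SAMPLE_PEERS with json.load(sys.stdin) and pipe the CLI output in.
    for zt_address, state in ipv6_status(SAMPLE_PEERS).items():
        print(zt_address, state)
```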