I struggled to find a simple guide to setting up local LAN-based routing on Mac OS X.
Finally got it working and thought it might help someone.
Context: Home Network:
MacMini (OSX) connected via ethernet to router.
MacMini internal IP address 192.168.0.2 (set up with IP forwarding and interface routing)
MacMini ZeroTier IP address 10.0.0.2
Various other local computers / printers / NAS drives etc on 192.168.0.0/24 network
ZeroTier
Using ZeroTier to connect various devices (MacBook, iPad, iPhone) to the home network.
ZeroTier set up on 10.0.0.0/24 range
Steps:
Set up the ZeroTier network as needed on the computers/laptop/iPhone etc.
Set up Managed Routes for the network on my.zerotier.com
Destination: 192.168.0.0/24
Via: 10.0.0.2
On the Mac mini, enable IP forwarding:
sudo sysctl -w net.inet.ip.forwarding=1
Check the network interfaces on the Mac mini by running ifconfig and noting the right interface IDs (mine are en0 for the LAN and feth3632 for ZeroTier).
On the Mac mini, set up interface routing:
Create /etc/pfzerotier.conf and add the following line (editing the interface IDs):
nat on en0 from feth3632:network to any -> (en0)
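The Mac mini side of the steps above, scripted, as an added example (this is not the poster's code). It assumes the interface names from the post (en0 and feth3632, overridable with LAN_IF / ZT_IF) and the post's ruleset path /etc/pfzerotier.conf; the interface-name check and the parse-only pfctl -n run are additions a practitioner would want before handing a file to pfctl. Note that pfctl -f replaces whatever ruleset is currently loaded, including the anchors set up by the stock /etc/pf.conf, which is what "only loading the custom conf" later in this thread amounts to.

```shell
#!/bin/sh
# Added example (not from the post): scripts the Mac mini side of the steps
# above. Assumptions: interface names default to the post's en0 / feth3632 and
# can be overridden with LAN_IF / ZT_IF; the ruleset path is the post's
# /etc/pfzerotier.conf. Run as: sudo sh setup-zt-nat.sh apply
set -eu

LAN_IF="${LAN_IF:-en0}"                    # interface on the 192.168.0.0/24 LAN
ZT_IF="${ZT_IF:-feth3632}"                 # ZeroTier interface (check with ifconfig)
PF_CONF="${PF_CONF:-/etc/pfzerotier.conf}"

# Interface names get interpolated into the ruleset, so accept only the shape
# macOS uses (letters followed by digits, e.g. en0, feth3632). Returns 0 if OK.
valid_ifname() {
    case "$1" in
        '' | *[!a-z0-9]*) return 1 ;;
        [a-z]*[0-9])      return 0 ;;
        *)                return 1 ;;
    esac
}

# Print the ruleset: NAT traffic arriving from the ZeroTier interface's
# network out of the LAN interface, using whatever address that interface has
# at the time. The parentheses make pf re-read the address if it changes.
render_pf_conf() {
    valid_ifname "$1" || { echo "bad LAN interface name: $1" >&2; return 1; }
    valid_ifname "$2" || { echo "bad ZeroTier interface name: $2" >&2; return 1; }
    printf 'nat on %s from %s:network to any -> (%s)\n' "$1" "$2" "$1"
}

# Apply on the Mac mini (needs root): enable IPv4 forwarding, write the
# ruleset, parse-check it, load it, and enable pf if it is not already on.
apply() {
    conf="$(render_pf_conf "$LAN_IF" "$ZT_IF")"
    printf '%s\n' "$conf" > "$PF_CONF"
    sysctl -w net.inet.ip.forwarding=1
    pfctl -n -f "$PF_CONF"        # syntax check only; stop before touching the live ruleset
    pfctl -f "$PF_CONF"           # replaces the running ruleset with this file
    pfctl -s info | grep -q '^Status: Enabled' || pfctl -e
    pfctl -s nat                  # show the loaded NAT rule
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run it with sudo and the argument apply; without the argument it only defines the functions, so you can source it and call render_pf_conf to see the rule it would write. If pfctl -n rejects the file, nothing has been loaded yet and the previous ruleset is still in place.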
I’ve been struggling for hours, trying to piece together bits and pieces on macOS bridges, pf NAT rules (converted from all the Linux equivalent commands) and people on StackExchange saying it will never work with pf.
This looks much simpler and can’t wait to try it…
I struggled to get this to work, until I only loaded the custom pf.conf per your steps. Initially I was trying to use a pf anchor and tag on to the system rules, but the NAT was failing.
Do you know, or anyone else, which system pf rules would block the NAT from working? I’d like to add on to the system rather than replace altogether with a different conf if possible.
I did try to investigate the system rules but it wasn’t obvious where the issues may be. I know order is important, so when found will move the anchor accordingly.
I’m using Mac OS Server (El Capitan) for reference.
I used this config last night on my MacBook and it worked great, but only one way (in my testing).
I would like to allow local devices (non Zerotier) to access my Zerotier devices. What would I need to do to get that working?
Assuming you mean access for local devices to ZeroTier devices on an external network? For this I guess there are a couple of options; the easiest would be to have ZeroTier set up on your router, if it supports it. Otherwise, you would need to create a new route to ZeroTier via a device on your local network, and then have local devices get that detail from the gateway. Not as simple.
Signed up for a forum account just to say thank you for this. Got a Mac Mini M4 today and wanted to give it something to do while it’s on 24/7. Couldn’t find easy instructions anywhere else. Yours were simple and to the point. Thanks again!
Okay, new question for @poonja or anyone else playing along.
For me at least, this doesn’t persist across reboots. I have to run the “sudo pfctl -e -f /etc/pfzerotier.conf” command every time in order for it to work. Since this machine is on 24/7, reboots will be few and far between. But I know I’m not going to remember to do it every time there’s a software update or other reason for rebooting. Is there any way to make it persistent?
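One way to make the setup survive reboots, as an added example that is not from anyone in this thread: a LaunchDaemon that re-runs the sysctl and pfctl commands at boot. Everything named here is an assumption for illustration: the label local.zerotier-nat, the script path /usr/local/sbin/zerotier-nat-boot.sh, and the defaults feth3632 and /etc/pfzerotier.conf taken from the posts above. The boot script waits for the ZeroTier interface first, since a ruleset that names feth3632 cannot be loaded before that interface exists, and ZeroTier's own daemon brings it up some time after boot.

```shell
#!/bin/sh
# Added example (not from the thread): makes the NAT setup survive reboots by
# installing a LaunchDaemon that re-applies it at boot. Assumptions: the label
# local.zerotier-nat, the script path /usr/local/sbin/zerotier-nat-boot.sh, and
# the defaults feth3632 / /etc/pfzerotier.conf from the thread.
# Run as: sudo sh install-zt-nat-boot.sh install
set -eu

ZT_IF="${ZT_IF:-feth3632}"
PF_CONF="${PF_CONF:-/etc/pfzerotier.conf}"
LABEL="local.zerotier-nat"
BOOT_SCRIPT="/usr/local/sbin/zerotier-nat-boot.sh"
PLIST="/Library/LaunchDaemons/${LABEL}.plist"

# Print the boot script. It waits for the ZeroTier interface (a ruleset naming
# feth3632 cannot be loaded before it exists), then runs the sysctl and pfctl
# commands from the thread with absolute paths, since launchd gives no PATH.
render_boot_script() {
    cat <<EOF
#!/bin/sh
ZT_IF="$1"
PF_CONF="$2"
i=0
while ! /sbin/ifconfig "\$ZT_IF" >/dev/null 2>&1; do
    i=\$((i + 1))
    [ "\$i" -ge 30 ] && exit 1      # give up after about 60 s
    sleep 2
done
/usr/sbin/sysctl -w net.inet.ip.forwarding=1
/sbin/pfctl -f "\$PF_CONF"
/sbin/pfctl -s info | /usr/bin/grep -q '^Status: Enabled' || /sbin/pfctl -e
EOF
}

# Print the launchd job: run the boot script once when loaded, i.e. at boot.
render_launchd_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$1</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>$2</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StandardErrorPath</key>
    <string>/var/log/$1.log</string>
</dict>
</plist>
EOF
}

# Install both files with the ownership and modes launchd insists on for
# /Library/LaunchDaemons, then load the job (which also runs it right away).
install_job() {
    mkdir -p "$(dirname "$BOOT_SCRIPT")"
    render_boot_script "$ZT_IF" "$PF_CONF" > "$BOOT_SCRIPT"
    chown root:wheel "$BOOT_SCRIPT"
    chmod 755 "$BOOT_SCRIPT"
    render_launchd_plist "$LABEL" "$BOOT_SCRIPT" > "$PLIST"
    chown root:wheel "$PLIST"
    chmod 644 "$PLIST"
    launchctl bootstrap system "$PLIST"
}

if [ "${1:-}" = "install" ]; then
    install_job
fi
```

After a reboot, sudo pfctl -s nat should show the rule again; if it does not, /var/log/local.zerotier-nat.log records whether the script timed out waiting for the interface or pfctl rejected the file. If the ZeroTier interface on your machine has a different feth number, set ZT_IF before running the installer.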