Need help for specific requirements of my network

Hello there, I’m looking for some information because I’ve been trying to setup my network for 2 days and the main part doesn’t work right now. You’ll see an attachment with a representation of what I’m trying to achieve

First of all, i use AWS for all my instances and everything reside under the VPC. In my public subnet i have 2 Linux instances, 1 running an internal VPN to access all my subnets and the other one will act as a ZeroTier gateway that will only have access to 1 subnet.

I’ve setup my account in the ZeroTier website and the ZT gateway joined the network I’ve set the routes with the (LAN) and via which is the AWS internal IP of the ZT GW instance (that gateway also has a public IP) and the VPC also has a route for which get out of the network by the ZT GW instance network interface

I can connect all the ZT clients to ZT without problems. When i SSH the ZT gateway and ping the (the assigned IP in the ZT UI) it answers without problems. I can also ping all the clients which are and .101 in my test setup.

If i go in the internal VPN instance in the same subnet, i can ping but not the 100 and 100 ones. Right now the ZT Gateway has the ipv4 forward enabled in sysctl and the instance security group is accepting all protocols and ports for all subnets and also added in the rule. It’s quite opened right now in the AWS LAN but that will be fixed when everything is setup. Also i did check CloudWatch for any rejections of the ZT Gateway which doesn’t occur.

You have any ideas of something i might have missed.

My next step will be making sure the internal VPN clients are able to reach the ZT clients and also that each ZT clients are not able to see each others with the exception of the ZT GW that need to see them all. Also that my ZT clients are able to reach 3 instances in a specific subnet.

If you have any hints that would be greatly appreciated because I’m really scratching my head right now.

Thanks a lot.
PS. Please don’t judge my English, that’s not my main language


thanks for writing this up.

For your managed route, I think you want via

Make sure ip_forwarding is enabled on the “routers”

Keeping client 1 and 2 from talking to each other can be done with the rules engine, but save that step for last.

Thanks a lot for you answer, i’ll try that out and let you know.

Worked A1, thanks a lot for the information.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.