New to ZeroTier and failing at routing via OpenWRT

Hello, all. First post, so please be kind. I’m also new to ZeroTier. I’d appreciate it if some kind soul(s) would look at my configuration and comment where they see errors.

I have a ZT network setup and am having no issues talking between devices that have ZeroTier installed on them (e.g. Windows PC to Android phone). However, I want to have ZT on my router and facilitate reaching other devices that don’t have the ZT app. I’m following the guide at https://github.com/mwarning/zerotier-openwrt/wiki

I believe I have followed that guide to the letter. My local LAN is 192.168.1.x (OpenWRT router is 192.168.1.1) and the ZeroTier network is 192.168.192.x.

From across the ZeroTier network, I can ping the router at 192.168.192.1 and also 192.168.1.1. I thought the latter was a good sign! But nothing else on the LAN is reachable.

Here are some configuration pics:

Thank you!!

Hello,
I used to use openwrt like that, and it worked well. I’m currently trying out other stuff, so can’t compare screen shots.

It might not be related, but change your managed route to 192.168.1.0/23. It works around a routing issue when you’re connected to ZeroTier and also on your 192.168.1.0/24 physical LAN.

Thank you very much. I’m missing something because I can’t enter the managed route of 192.168.1.0/23. It corrects it to 192.168.0.0/23. Just to be clear, I went from the first pic below to the second one. Is that what you meant?

With it as above, I still can ping 192.168.1.1 but not, for example, 192.168.1.9

Is there anything else I can show you that would help you help me?

That’s correct. Sorry for my typo.

What operating system are the two clients, that you’re pinging to and from?
I can’t really think of anything else at the moment.
The article mentions needing to reboot for some reason?

I’m just grateful for your help.

I believe that was to solidify changes along the way, which I did.

Sorry, but I must elaborate. For this implementation, I have a small test network that uses a TP-Link WDR3600v1 running OpenWRT 19.07 (at 192.168.1.1) with ZeroTier (192.168.192.1). Cabled ethernet then connects a Windows 10 laptop (at 192.168.1.103) and a Netgear r7000 router/AP (192.168.1.9) configured as a dumb access point w/o DHCP. The latter two devices do not have ZeroTier.

Then, to test, I use an Android phone with ZeroTier wirelessly to the above r7000. The “ZeroTier Central” control panel shows the phone online with an IP of 192.168.192.xxx. The phone can ping my ZeroTier WDR3600 router at 192.168.1.1 but fails at reaching either the laptop (192.168.1.103) or r7000 (192.168.1.9).

As I said above, I really thought I had approached success when the router was reachable at the ZeroTier ip of 192.168.1.1. I feel like it should be easy to extend to the client devices on the subnet and it’s just my lack of networking knowledge that is in the way.

Thanks again for your help.

Please show your OpenWrt firewall configuration as text, not pictures.
I suggest switching (in the ZeroTier controller) from 192.168. to any 172.x subnet to avoid possible confusion.

I changed the ZeroTier network to use the range 172.28.28.x just like the tutorial I was following.

Here are the entries for firewall that I created for ZeroTier on the router:

config rule
	option dest_port '9993'
	option src '*'
	option name 'Allow-ZeroTier-Inbound'
	option target 'ACCEPT'
	list proto 'udp'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option output 'ACCEPT'
	option network 'ZeroTier'

config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'wan'
	option src 'vpn'

config forwarding
	option dest 'vpn'
	option src 'lan'

And with the 172.28.28 network, this is the ZeroTier interface:

19: ztrf22577u: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether f2:d7:3d:f8:34:23 brd ff:ff:ff:ff:ff:ff
    inet 172.28.28.1/24 brd 172.28.28.255 scope global ztrf22577u
       valid_lft forever preferred_lft forever
    inet6 fe80::6cb2:c0ff:fefc:949b/64 scope link
       valid_lft forever preferred_lft forever

Please tell me if there is anything else I can provide. Thanks!

That does not make any sense if you do not have a public IP on WAN.

Delete masq line, both input & forward change to REJECT

remove these completely and add the following as a sample rule to allow icmp into LAN:

config rule
        option src 'vpn'
        option name 'Allow-ICMP-LAN-ZT'
        option family 'ipv4'
        option target 'ACCEPT'
        option dest 'lan'
        list proto 'icmp'

On the controller side make sure you have a static route configured for your 192.168.x.x LAN network via ZT address 172.28.28.x AND do not customize the default Flow Rules yet, e.g. do not uncomment any lines there.
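Added example, not part of this thread or of the zerotier-openwrt project: a POSIX shell/awk check that reads a UCI firewall config and flags the points raised above (masq on the ZeroTier zone, ACCEPT for input/forward on that zone, and blanket config forwarding sections between that zone and lan/wan, which should be replaced by explicit rules such as the ICMP one). The zone name 'vpn' and the two embedded sample configs are constructed from the thread; the only assumption is a standard awk on the box where you run it.

```shell
#!/bin/sh
# audit_firewall: report the ZeroTier-zone mistakes discussed in the thread.
# Usage: audit_firewall /etc/config/firewall   (exit 1 if anything is flagged)
ZT_ZONE=${ZT_ZONE:-vpn}   # assumed zone name, matching the thread

audit_firewall() {
    awk -v zone="$ZT_ZONE" -v q="'" '
    function hit(msg) { print "FINDING: " msg; found = 1 }
    function end_section() {
        if (sect == "zone" && name == zone) {
            if (masq == "1")       hit("zone " zone " has masq=1; NAT only makes sense with a public WAN IP, drop it")
            if (input == "ACCEPT") hit("zone " zone " input=ACCEPT; set REJECT and add explicit rules")
            if (fwd == "ACCEPT")   hit("zone " zone " forward=ACCEPT; set REJECT and add explicit rules")
        }
        if (sect == "forwarding" && (src == zone || dest == zone))
            hit("blanket forwarding " src " -> " dest "; replace with an explicit config rule")
        sect = ""; name = ""; masq = ""; input = ""; fwd = ""; src = ""; dest = ""
    }
    /^[ \t]*#/ { next }                          # skip commented-out lines
    /^config[ \t]/ { end_section(); sect = $2; next }
    /^[ \t]*option[ \t]/ {                       # option <key> <value>
        key = $2; val = $3; gsub(q, "", val)     # strip the single quotes
        if (key == "name") name = val
        else if (key == "masq") masq = val
        else if (key == "input") input = val
        else if (key == "forward") fwd = val
        else if (key == "src") src = val
        else if (key == "dest") dest = val
    }
    END { end_section(); exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample 1: the zone/forwarding blocks first posted in the thread.
write_before_sample() {
    cat > "$1" <<'EOF'
config rule
	option dest_port '9993'
	option src '*'
	option name 'Allow-ZeroTier-Inbound'
	option target 'ACCEPT'
	list proto 'udp'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option output 'ACCEPT'
	option network 'ZeroTier'

config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'wan'
	option src 'vpn'

config forwarding
	option dest 'vpn'
	option src 'lan'
EOF
}

# Constructed sample 2: the same config after the advice (REJECT zone, no masq,
# no blanket forwarding, one explicit ICMP rule from vpn into lan).
write_after_sample() {
    cat > "$1" <<'EOF'
config rule
	option dest_port '9993'
	option src '*'
	option name 'Allow-ZeroTier-Inbound'
	option target 'ACCEPT'
	list proto 'udp'

config zone
	option name 'vpn'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'ZeroTier'

config rule
	option src 'vpn'
	option name 'Allow-ICMP-LAN-ZT'
	option family 'ipv4'
	option target 'ACCEPT'
	option dest 'lan'
	list proto 'icmp'
EOF
}

# Stand-alone demo: audit both constructed samples.
for label in before after; do
    f=$(mktemp); "write_${label}_sample" "$f"
    echo "== $label =="
    audit_firewall "$f" && echo "no findings" || echo "fix the findings above"
    rm -f "$f"
done
```

Run it against the real file with `audit_firewall /etc/config/firewall` on the router; a clean exit means none of the thread's three mistakes are present, though it says nothing about the controller-side managed route, which still has to point the LAN prefix at the router's ZT address.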

Once again, thank you @AndrewZ . I appreciate all the time you’ve given to this. I’m not sure I have correctly followed your last instructions, but here is what I have:

ZeroTier Central managed routes:

172.28.0.0/23 via (LAN)
192.168.1.0/24 via 172/28/28/1

Where you commented that the config rule for Allow-ZeroTier-Inbound does not make sense… should I delete that rule? I inferred as such, but I’m not certain.

In your comment above “remove these completely…” there is a block of one config rule one config zone and three config forwarding. I interpreted your instruction to remove just the three config forwarding blocks. Is this right, or perhaps were there more you wanted me to delete?

And, just to confirm, I have not done anything to the Flow Rules area.

Here are all the new entries in /etc/config/firewall so you can see what the net result is so far:


# fOLLOWING ARE ROUTES I ADDED PER GITHUB RECIPE
#config rule
#	option dest_port '9993'
#	option src '*'
#	option name 'Allow-ZeroTier-Inbound'
#	option target 'ACCEPT'
#	list proto 'udp'

config zone
	option name 'vpn'
	option input 'REJECT'
	option forward 'REJECT'
#	option input 'ACCEPT'
#	option forward 'ACCEPT'
#	option masq '1'
	option output 'ACCEPT'
	option network 'ZeroTier'

#config forwarding
#	option dest 'lan'
#	option src 'vpn'

#config forwarding
#	option dest 'wan'
#	option src 'vpn'

#config forwarding
#	option dest 'vpn'
#	option src 'lan'

#from ANDREWZ
config rule
        option src 'vpn'
        option name 'Allow-ICMP-LAN-ZT'
        option family 'ipv4'
        option target 'ACCEPT'
        option dest 'lan'
        list proto 'icmp'

Please revert this section back to the original state, these lines shouldn’t have been touched as per my recommendations.
The rest looks good, please try to ping from ZT network towards LAN.