Possible Firewall configuration issue

This may well be covered under a different topic, but no luck in finding it.

I have two houses. At both of them, I have a Pi acting as a simple ZeroTier router. Connectivity between network devices at the two locations is rock solid. However, I have access problems from mobile devices when they are not connected to either of the local networks. I am assuming this is a firewall issue of some kind.

  • Site A has an ASUS AX88 router with just the default firewall enabled. Both of my mobile devices can access the network behind this router via ZeroTier when not connected to the local network.
  • Site B has a UniFi UDM-PRO with firewall/IDS/IPS enabled. Neither of the mobile devices can access the network behind this router via ZeroTier when not connected to one of the local networks.

I am assuming this has something to do with the firewall machinery on the UDMP, but do not know where to start debugging. Any thoughts?

Hello,

Can your mobile devices “ping” or otherwise talk to the Pi itself at site B? How is the latency? Is it a “direct” connection? (Run sudo zerotier-cli peers on the Pi and look for the ID of the mobile device.)

Can you disable IDS temporarily and see if that fixes it?

  • Pi at site B is not pingable from the mobile.
  • Peers list of site B Pi does not show the ID of the mobile device.
  • Peers list of site B Pi shows site A Pi as DIRECT peer, and vice versa.
  • Disabling IDS does not appear to make any difference.

I could sort of understand some subtlety in the firewall (LAN In/LAN Out) rules preventing network access, but the lack of visibility of the peer has me intrigued.

I also note the mobile peer appears in the list for the site A Pi, which is hardly surprising since that access is working.

Some further experimentation. Not sure what was happening yesterday, but…

This morning if I attempt to ping the Site B Pi from a mobile client I do see the client appear in the peers list, with lat -1 and no path shown.

<ztaddr> <ver> <role> <lat> <link> <lastTX> <lastRX> <path>
4bxxxxxxxx - LEAF -1 RELAY

Something in the firewall rules that permits traffic between the two sites’ ZeroTier clients, but blocks it for mobile? Since the routing at the two ends is symmetrical, the only thing left seems to be firewall rules…

Additional Data Points:
A second ZeroTier client on the site B network is pingable on its ZeroTier address from the mobile devices. The mobile client appears as a RELAY peer to the site B client.

The site B Pi and the second client (on a Mac) can ping each other’s ZeroTier addresses.

Does this imply there is something odd about the configuration of the networking on the site B Pi? It seems very odd that I can ping one of the ZT clients on the network but not the other.
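To make the peers-list check from the posts above repeatable, here is an added helper (not from the thread or from ZeroTier) that parses the text output of sudo zerotier-cli peers and classifies each peer the way the posts do: DIRECT with a path, RELAY with a real latency, or RELAY with lat -1 and no path (the state the mobile peer shows on the site B Pi). The sample listing is constructed to match the column layout quoted in the thread; addresses, versions and latencies are made up.

```python
"""Classify entries from `zerotier-cli peers` output (added example)."""

# Constructed sample in the layout the thread quotes. The first two lines
# mirror the status line and column header zerotier-cli prints; rows are fake.
SAMPLE_PEERS = """\
200 peers
<ztaddr> <ver> <role> <lat> <link> <lastTX> <lastRX> <path>
4b11111111 1.10.6 LEAF 12 DIRECT 1234 1200 203.0.113.10/9993
4b22222222 - LEAF -1 RELAY
62f0000000 1.10.6 PLANET 45 DIRECT 100 90 198.51.100.7/9993
"""


def parse_peers(text):
    """Return {ztaddr: {version, role, latency, link, path}} for each data row.

    Header lines ("200 peers", "<ztaddr> ...") and anything with fewer than
    the five mandatory columns are skipped. A RELAY row with no physical path
    has only five columns, so `path` is None for it.
    """
    peers = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] in ("200", "<ztaddr>"):
            continue
        addr, ver, role, lat, link = fields[:5]
        path = fields[7] if len(fields) >= 8 else None
        peers[addr] = {
            "version": ver,
            "role": role,
            "latency": int(lat),
            "link": link,
            "path": path,
        }
    return peers


def diagnose(peers, addr):
    """Summarise the reachability state of one peer address.

    'unknown'       - not listed at all: no traffic from that node has reached us
    'direct'        - DIRECT link with a physical path (ideal)
    'relay-no-path' - listed but lat -1 and no path: only known via the roots,
                      the state seen on the site B Pi in the thread
    'relay'         - relayed but exchanging traffic (works, higher latency)
    """
    p = peers.get(addr)
    if p is None:
        return "unknown"
    if p["link"] == "DIRECT" and p["path"]:
        return "direct"
    if p["latency"] < 0 or not p["path"]:
        return "relay-no-path"
    return "relay"
```

In practice you would feed the helper the live output (e.g. subprocess.run(["sudo", "zerotier-cli", "peers"], ...)) and compare the result for the mobile device's address on both Pis.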

Good info.
When the other end is not behind NAT, or is behind an “easier” NAT for ZeroTier to traverse, there’s a higher chance a direct connection will happen.
Make sure outgoing UDP is allowed on the UDM and on the Pi itself.
https://zerotier.atlassian.net/wiki/spaces/SD/pages/249167873/How+do+I+allow+ZeroTier+through+my+corporate+firewall

Well, thanks for the advice. After a series of perturbation experiments this afternoon, by a process of elimination, the only reason for this not working had to be something wrong with the Site B Pi. So… I ran up a VM on site B, configured a ZT gateway on it, changed the static routes on the router to reflect this and now everything can ping everything from everywhere. I have no clue what is wrong with the Pi networking stack since its configuration is at first appearances identical to the one at the other end.
