Pushing a 0.0.0.0 route

bbowlsbey · September 7, 2021, 5:14pm

Possibly stupid question. I cant push a default route to a windows client to force all my traffic on the zt network to egress to the internet through a cloud vps set up with snort. The snort box has zt installed and has joined the network. I believe I should be pushing the default route with the configuration below. I am stupefied as to why I get the crazy default route that looks more like a mangled mask than an ip address, on my remote windows client. Appreciate any help available, and I am not thin skinned about missing something obvious, so I don’t mind being called an idiot, but please elaborate on why.

Windows client gets:
Default Gateway . . . . . . . . . : 25.255.255.254

The ZeroTier Client is configured to allow default route

The ZT Network is configured like this to push a 0.0.0.0 route

zt-grant · September 7, 2021, 5:17pm

Each client on a network has to opt in to setting a default route. On the command line, this can be done via:

sudo zerotier-cli set $networkID allowDefault=1

It can also be set via the GUI tray apps.

bbowlsbey · September 7, 2021, 5:18pm

Yep. The ZT client on the windows box is set to that:

zt-grant · September 7, 2021, 5:21pm

Also the 25.255.255.254 is a hack to make Windows Firewall actually work with ZeroTier

See the comment here in the source code for more details.

bbowlsbey · September 7, 2021, 5:24pm

Oh geez. Sounds like we cant push a default route to a windows client then?

zt-grant · September 7, 2021, 5:27pm

You absolutely can set up a default route on Windows. It works in our testing.

Are you on a dual stack IPv4/IPv6 physical network? If so you you’ll also have to set up IPv6 addressing routing, or turn IPv6 off on your machines.

You’ll also have to make sure your systems’ configured DNS servers are reachable via the default route.

bbowlsbey · September 7, 2021, 5:53pm

Just disabled IPv6 on the underlying physical if of the windows machine and on the zt interface.

Also attempted to set a static ARP entry on the workstation through some powershell “Get-NetNeighbor”. Seems odd, I would have thought it would be something like “Set-NetNeighbor”, but the MS Forums are clearly saying “Get”. Rebooting windows

bbowlsbey · September 7, 2021, 6:44pm

Actually tried New-NetNeighbor with power shell to set an statitc ARP entry, but it looks like the zerotier interface doesnt support a link layer address.

I am out of strings to pull. Any suggestions about how to push a default route to this Windows 10 machine?

bbowlsbey · September 7, 2021, 6:50pm

How did you do this in your testing?

bbowlsbey · September 7, 2021, 7:16pm

Not getting a default gateway on linux clients either

zt-grant · September 7, 2021, 7:37pm

I’m really not sure what to tell you. It works fine over here

root@debian:~# ip route
default via 10.95.0.1 dev ens18
10.0.0.0/22 dev ztmjfajgf7 proto kernel scope link src 10.0.1.73
10.95.0.0/16 dev ens18 proto kernel scope link src 10.95.0.38
192.168.192.0/24 dev ztijaz7tkl proto kernel scope link src 192.168.192.73
root@debian:~# zerotier-cli set $networkID allowDefault=1
root@debian:~#ip route
0.0.0.0/1 via 10.0.0.1 dev ztmjfajgf7 proto static
default via 10.95.0.1 dev ens18
10.0.0.0/22 dev ztmjfajgf7 proto kernel scope link src 10.0.1.73
10.95.0.0/16 dev ens18 proto kernel scope link src 10.95.0.38
128.0.0.0/1 via 10.0.0.1 dev ztmjfajgf7 proto static
192.168.192.0/24 dev ztijaz7tkl proto kernel scope link src 192.168.192.73

Perhaps it’s because you’re setting your default route to 0.0.0.0/32??? Try 0.0.0.0/0 instead

bbowlsbey · September 7, 2021, 7:41pm

I’ll give it a shot. Cant hurt.

bbowlsbey · September 7, 2021, 11:21pm

Getting a default gateway now on Linux. Pushing the 0.0.0.0/0 route vs the /32 seemed to do the trick on that.

system · October 7, 2021, 11:21pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.