Route between ZeroTier and Physical Networks not working

I’ve set up the NAT/Masquerade routing in the past as per the knowledge base and it worked flawlessly.
I’ve now setup a new network, a new raspberry pi and added all rules.

LAN side: 192.168.100.0/24, ZT network: 192.168.196.0/24
The Raspberry has ZT (ztppi6tnyy) 192.168.196.6 and LAN (eth0) 192.168.100.12
From the Raspberry I can ping any host on the ZT and the LAN network, so connectivity there is OK.

iptables also looks correct:
# Generated by iptables-save v1.8.7 on Mon Jan 24 16:54:37 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o ztppi6tnyy -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ztppi6tnyy -o eth0 -j ACCEPT
COMMIT
# Completed on Mon Jan 24 16:54:37 2022
# Generated by iptables-save v1.8.7 on Mon Jan 24 16:54:37 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jan 24 16:54:37 2022

From any ZT client, pinging the Raspberry at its ZT address works, but any ping to the LAN doesn’t work.
I am missing something but can’t see where it goes wrong or how to check.
Any help would be appreciated.
Jan


You need to let the ZT know that they can reach the LAN network via the ZT IP address of the Raspberry pi device. To do this, create a new managed rule with

192.168.100.0/23 via 192.168.196.6

You are using the 0/23 to give lower route preference to this route. If the ZT client joins your physical network, it will get a 100.0/24 address and will route to other devices in your LAN through its own interface.
If they never join your physical network, they will route to the 100.0 network via the RPi ZT address.

Please know that the RPi in this case is NATing the ZT connections. This means that the ZT clients can ping the LAN, but the LAN can’t ping the ZT devices.
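Why advertising the LAN as /23 works, shown as an added example (not code from the thread or from ZeroTier): the kernel picks the most specific matching route, so a client that also sits on the physical /24 keeps using its own interface, while a remote client only has the /23 via the Pi. Addresses are the ones from the question.

```python
import ipaddress

# Addresses quoted in the thread.
ZT_GATEWAY = "192.168.196.6"                        # Raspberry Pi's ZeroTier address
MANAGED_ROUTE = ("192.168.100.0/23", ZT_GATEWAY)    # pushed by the ZT controller
LAN_DIRECT = ("192.168.100.0/24", None)             # None = directly connected


def select_route(routes, dst):
    """Return (prefix, gateway) of the most specific route containing dst,
    i.e. longest-prefix match as the kernel does it. None if no route fits."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else (str(best[0]), best[1])


def lan_client_next_hop(dst="192.168.100.12"):
    """A client on the physical LAN holds the managed /23 *and* its own
    connected /24; the /24 wins, so LAN traffic never detours via ZeroTier."""
    return select_route([MANAGED_ROUTE, LAN_DIRECT], dst)


def remote_client_next_hop(dst="192.168.100.12"):
    """A remote client (mobile, other site) holds only the managed /23 and is
    sent to the Pi's ZT address, which then masquerades the packet onto eth0."""
    return select_route([MANAGED_ROUTE], dst)


if __name__ == "__main__":
    print("LAN client    ->", lan_client_next_hop())
    print("remote client ->", remote_client_next_hop())
```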

Hi,
Thanks for your answer. I do have a route to 192.168.100.0/23 via 192.168.196.6 (the Raspberry on the other side). This also shows up in the ZT control panel under managed routes.

As a side note:
I also have another site on the same ZT network with LAN 192.168.56.0/23 with a Raspberry PI at 192.168.196.1 in managed routes.

I can connect to the Raspberry on 192.168.196.1 and, if I am SSH’ed into it, I can connect to everything in 192.168.196.0/24 (my ZT network) and anything on the LAN side (192.168.56.0/24). But from any other ZT client (be it on a mobile connection or on my home LAN, 192.168.100.33, which has the route 192.168.56.0/23 via 192.168.196.1) it doesn’t work. I can reach the Raspberry at each site but nothing behind it on the remote LAN.

Now, thinking of this → all Raspberry Pis have been updated recently (but I can’t imagine it would break iptables) and all sites changed from Meraki to Unifi Dream Machine Pro routers. But again, the NAT/Masquerade is happening on the Raspberry over the ZT tunnel.

Any suggestions are welcome, it worked in the past (I could reach a printer on 192.168.56.11 via the ZT managed route from any ZT client but not anymore).

thanks!
Jan

did ip_forward get turned off? sysctl net.ipv4.ip_forward
did the interface name change? maybe it’s not eth0 anymore.
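The checks in the reply above gathered into one script, added here as an example and not code from the thread: it reads iptables-save output and the sysctl line as text (the ruleset pasted in the first post is embedded as the sample input) and reports which piece of the gateway recipe is missing, for instance when the interface name no longer matches.

```python
import re

# Sample input: the ruleset from the first post, trimmed to the rule lines.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o ztppi6tnyy -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ztppi6tnyy -o eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


def parse_rules(dump):
    """Map table name -> list of '-A ...' rule lines from iptables-save output."""
    tables, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):                 # table header, e.g. *nat
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith("-A") and current:  # rule belonging to that table
            tables[current].append(line)
    return tables


def gateway_problems(dump, lan_if, zt_if, ip_forward_line="net.ipv4.ip_forward = 1"):
    """Return a list of readable problems; an empty list means the recipe is complete.
    Matching on substrings also accepts the '-m conntrack --ctstate' spelling."""
    tables = parse_rules(dump)
    nat, filt = tables.get("nat", []), tables.get("filter", [])
    problems = []
    if not any(f"-o {lan_if} " in r and "MASQUERADE" in r for r in nat):
        problems.append(f"nat/POSTROUTING: no MASQUERADE out of {lan_if}")
    if not any(f"-i {zt_if} -o {lan_if} " in r and "-j ACCEPT" in r for r in filt):
        problems.append(f"filter/FORWARD: no ACCEPT from {zt_if} to {lan_if}")
    if not any(f"-i {lan_if} -o {zt_if} " in r and "RELATED,ESTABLISHED" in r for r in filt):
        problems.append(f"filter/FORWARD: no RELATED,ESTABLISHED return rule {lan_if} -> {zt_if}")
    if not re.fullmatch(r"net\.ipv4\.ip_forward\s*=\s*1", ip_forward_line.strip()):
        problems.append("sysctl: net.ipv4.ip_forward is not 1")
    return problems
```

On the Pi itself the two inputs come from `sudo iptables-save` and `sysctl net.ipv4.ip_forward`.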

Hi Travis,

adm@mad-zt:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

Interfaces are eth0 and ztppi6tnyy on the Raspberry so no change.

At the moment I am out of options and clues… from each Raspberry I can reach the local LAN devices and remote ZT devices.

Thanks!
Jan

Hi Dyan, I was in the same scenario as yours.

I followed the provided instructions here by ZT https://zerotier.atlassian.net/wiki/spaces/SD/pages/224395274/Route+between+ZeroTier+and+Physical+Networks and was unable to reach my LAN behind my raspberry.

I solved the problem just by rebooting my Raspberry and everything is working now. I hadn’t done that after setting iptables.

My scenario is the following:

PC LAN (192.168.15.20) --> ZT (172.26.0.0/16) --> RPi LAN (192.168.1.158)
PC ZT (172.26.82.83) --> ZT (172.26.0.0/16) --> RPi ZT (172.26.241.161)

I did the managed route config in ZT as follows:

192.168.0.0/23 via 172.26.241.161

The iptables config is as follows:

# Generated by xtables-save v1.8.2 on Wed Feb  2 12:05:22 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Feb  2 12:05:22 2022
# Generated by xtables-save v1.8.2 on Wed Feb  2 12:05:22 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o ztuga5p3zg -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ztuga5p3zg -o eth0 -j ACCEPT
COMMIT
# Completed on Wed Feb  2 12:05:22 2022

Hi Dmiranda
Unfortunately, that didn’t work for me…
sysctl net.ipv4.ip_forward = 1
iptables is the same as yours (of course, with the ZT interface name adapted), and eth0 is indeed eth0.
But there is no routing between the 2 networks. I have the issue at 3 locations with the same Raspberry setup. The only thing recently changed at all locations is the router used at each location, but that should have no effect, as I can reach the ZT network at each site and the Raspberry only routes to the local LAN, which is reachable from the same Raspberry.
thanks anyway!
Jan

I figured out that LAN access won’t work for /24 subnet.
I was trying to segment my ZT subnet under 192.168.196.0/24 and I couldn’t access my LAN behind my RPi.
So I changed back to 172.26.0.0/16 and it worked again.

@jw_dyan could you try to use a /16 subnet?


You are the master…
This worked as expected (and as before, so I believe something in the ZeroTier code changed recently and it seems a bug to me, as it worked before with a /24 ZT network).

I’ve added the external locations now, each as a separate 172.26.x.x address, and routed the local LANs behind them through the assigned ZT address, and all devices on the LAN in each location can be reached via the ZT network.

I’ve been struggling for more than 2 weeks and had to set up a meshed VPN between the 3 sites, which I have now taken down.
Many many thanks Daniel! Really appreciate the time you took to figure this out!
KR
Jan

