I’ve set up the NAT/Masquerade routing in the past as per the knowledge base and it worked flawlessly.
I’ve now set up a new network and a new Raspberry Pi and added all rules.
LAN side: 192.168.100.0/24, ZT network: 192.168.196.0/24
The Raspberry has ZT (ztppi6tnyy) 192.168.196.6 and LAN (eth0) 192.168.100.12.
From the Raspberry I can ping any host on the ZT and the LAN network, so connectivity there is OK.
Iptables also shows it correct:
# Generated by iptables-save v1.8.7 on Mon Jan 24 16:54:37 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o ztppi6tnyy -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ztppi6tnyy -o eth0 -j ACCEPT
COMMIT
# Completed on Mon Jan 24 16:54:37 2022
# Generated by iptables-save v1.8.7 on Mon Jan 24 16:54:37 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jan 24 16:54:37 2022
From any ZT client, pinging the Raspberry at its ZT address works, but any ping to the LAN doesn’t work.
I am missing something but can’t see where it goes wrong or how to check it.
Any help would be appreciated.
Jan
You need to let the ZT clients know that they can reach the LAN network via the ZT IP address of the Raspberry Pi device. To do this, create a new managed route with
192.168.100.0/23 via 192.168.196.6
You are using the 0/23 to give lower route preference to this route. If the ZT client joins your physical network, it will get a 100.0/24 address and will route to other devices in your LAN through its own interface.
If they never join your physical network, they will route to the 100.0 network via the RPi ZT address.
Please know that the RPi in this case is NATing the ZT connections. This means that the ZT clients can ping the LAN, but the LAN can’t ping the ZT devices.
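As an added check for the setup described in the two posts above (this is not code from the thread or from ZeroTier), the script below reads an iptables-save dump and the managed-route list and reports what a NAT gateway is missing: it assumes the interface names ztppi6tnyy/eth0, the rules as pasted, and the /23 managed route from the reply, all embedded as constructed samples.

```shell
#!/bin/sh
# Constructed sample: the iptables-save rules from the first post, one rule per line.
SAMPLE_RULES='*filter
-A FORWARD -i eth0 -o ztppi6tnyy -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ztppi6tnyy -o eth0 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
# Constructed sample: ZeroTier managed routes, one per line, as "destination via gateway".
SAMPLE_ROUTES='192.168.100.0/23 via 192.168.196.6
192.168.56.0/23 via 192.168.196.1'

# check_gateway ZT_IF LAN_IF IP_FORWARD RULES
# Prints each missing piece; returns 0 only when forwarding and all three rules are present.
check_gateway() {
  zt="$1"; lan="$2"; fwd="$3"; rules="$4"; missing=0
  [ "$fwd" = 1 ] || { echo "net.ipv4.ip_forward is $fwd, must be 1"; missing=1; }
  for want in "-A FORWARD -i $zt -o $lan -j ACCEPT" \
              "-A FORWARD -i $lan -o $zt -m state --state RELATED,ESTABLISHED -j ACCEPT" \
              "-A POSTROUTING -o $lan -j MASQUERADE"; do
    printf '%s\n' "$rules" | grep -qF -- "$want" || { echo "missing rule: $want"; missing=1; }
  done
  return $missing
}

# ip2int A.B.C.D: dotted quad to a 32-bit integer.
ip2int() { old=$IFS; IFS=.; set -- $1; IFS=$old; echo $(( ($1<<24) | ($2<<16) | ($3<<8) | $4 )); }

# cidr_contains OUTER INNER: true when prefix INNER lies inside prefix OUTER (IPv4 only).
cidr_contains() {
  o_len=${1#*/}; i_len=${2#*/}
  [ "$i_len" -ge "$o_len" ] || return 1
  mask=$(( (4294967295 << (32 - o_len)) & 4294967295 ))
  [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# check_route LAN_CIDR ZT_GW ROUTES: succeeds when a managed route covers the LAN and its
# next hop is the gateway's ZeroTier address (the /23 from the reply passes: it still contains the /24 LAN).
check_route() {
  printf '%s\n' "$3" | {
    while read -r dest via hop; do
      [ "$via" = via ] && [ "$hop" = "$2" ] && cidr_contains "$dest" "$1" && exit 0
    done
    exit 1
  }
}

check_gateway ztppi6tnyy eth0 1 "$SAMPLE_RULES" && echo "gateway rules OK"
check_route 192.168.100.0/24 192.168.196.6 "$SAMPLE_ROUTES" && echo "managed route OK"
```

On a live box feed it `"$(sudo iptables-save)"` and `"$(sysctl -n net.ipv4.ip_forward)"`; note that iptables-nft prints the state match as `-m conntrack --ctstate`, so adjust the expected line if your dump uses that form.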
Hi,
Thanks for your answer. I do have a route to 192.168.100.0/23 via 192.168.196.6 (the Raspberry on the other side). This also shows up in the ZT control panel under managed routes.
As a side note:
I also have another site on the same ZT network with LAN 192.168.56.0/23 with a Raspberry PI at 192.168.196.1 in managed routes.
I can connect to the Raspberry on 192.168.196.1 and, if I am SSH’ed in, I can connect to everything in 192.168.196.0/24 (my ZT network) and anything on the LAN side (192.168.56.0/24). But from any other ZT client (be it on a mobile connection or on my home LAN 192.168.100.33, which has the route 192.168.56.0/23 via 192.168.196.1) it doesn’t work. I can reach the Raspberry at each site but nothing behind it on the remote LAN.
Now, thinking of this → All Raspberry Pis have been updated recently (but I can’t imagine it would break iptables) and all sites changed from Meraki to Unifi Dream Machine Pro routers. But again, the NAT/Masquerade is happening on the Raspberry over the ZT tunnel.
Any suggestions are welcome; it worked in the past (I could reach a printer on 192.168.56.11 via the ZT managed route from any ZT client, but not anymore).
Hi Dmiranda
Unfortunately, that didn’t work for me…
sysctl net.ipv4.ip_forward = 1
iptables is the same as yours (of course, with the ZT interface name adapted), and eth0 is indeed eth0.
But there is no routing between the 2 networks. I have the issue at 3 locations with the same Raspberry setup; the only thing recently changed at all locations is the router used at each location, but that should have no effect, as I can reach the ZT network at each site and the Raspberry only routes to the local LAN, which is reachable from the same Raspberry.
thanks anyway!
Jan
I figured out that LAN access won’t work for /24 subnet.
I was trying to segment my ZT subnet under 192.168.196.0/24 and I couldn’t access my LAN behind my RPi.
So I changed back to 172.26.0.0/16 and it worked again.
You are the master…
This worked as expected (and as before, so I believe something in the ZeroTier code changed recently and it seems a bug to me, as it worked before with a /24 ZT network).
I’ve added the external locations now, each as a separate 172.26.x.x address, and routed the local LANs behind them through the assigned ZT address, and all devices on the LAN in each location can be reached via the ZT network.
I’ve been struggling for more than 2 weeks and had to set up a meshed VPN between the 3 sites, which I have taken down now.
Many many thanks Daniel! Really appreciate the time you took to figure this out!
KR
Jan