So I have a configuration that’s currently not working, and I’m trying to understand why it doesn’t work and what the rules are that will keep ZT from working so I don’t run into them accidentally.
I have a test ZeroTier network with an assigned subnet range of 172.30.0.0/16.
There are only two devices that are members of the network: one is a laptop at 172.30.1.10, and then I have a server running Ubuntu+KVM which is 172.30.5.1. Both machines connect out to the Internet via NATed connections (on 192.168.0/24 and 10.0/16 respectively). Let’s assume for the moment I don’t care about accessing anything else on either network—all the LANs do in this scenario is provide egress to the Internet.
Straight “out of the box”, after adding both machines to the ZT network, I have full connectivity between them. Everything works great, as you’d expect it would.
Next, I spin up a couple of VMs on the server. I can assign whatever IPs I want to these VMs, but for a variety of reasons I really don’t want to install the ZT client on every one of them. What I’d like to do is make the virtual network inside the host visible to the laptop on ZT.
What I thought I could do was basically assign an entire /24 subnet from within the ZeroTier network range to the VM host, and put all the VMs into that range. And then I’d enable IPv4 forwarding on the host OS, create a Managed Route in ZT Central, and set the VM host IP as the Default Gateway in all the VMs. In short, this is what I was trying for:
- ZT Network: 172.30.0.0/16 (Class B subnet)
-
- Laptop (with ZT client installed): 172.30.1.10
-
- Ubuntu VM Server (ZT client installed, IP forwarding enabled): 172.30.5.1
-
-
- VM (no ZT client installed): 172.30.5.2, subnet mask 255.255.255.0 default gateway 172.30.5.1
-
Expected result is that once I enable the Managed Route in ZeroTier Central (“172.30.5.0/24 via 172.30.5.1”), I will be able to ping the VM from the laptop.
Actual result, though, is that as soon as I enable that route, not only can I not ping the VM, but I also lose access to the VM server. I can’t ping it from the laptop at all, until I remove the route again.
So… where did I go wrong, here? It feels like this configuration ought to work. I mean big networks have routers and internal subnets inside them all the time. (Like a big company might have a /8 or /16, but then subdivide it into a bunch of /24s, each with a router in front of it. And I can set something like that up without ZeroTier and it works fine.) But for some reason it doesn’t work at all.
I think the solution is probably to put the VMs into a non-overlapping subnet, like 172.31/16 or something, but before I do that I’d like to understand why this config doesn’t work.