I am deploying multiple branch office sites where I intend to use ZeroTier to host an interoffice VPN. My topology for each site is as follows:
- Dual/multiple providers connected into a VR routing-instance called VR-Internet on an SRX240. Each provider participates in eBGP and I announce my PI public IP space to them.
- A ZeroTier client is hosted on a small server with multiple ports connected to the SRX240. One port lands in a VR I call EdgeNAT. The ZT appliance’s interface in that routing-instance is configured with a private address. This VR has NAT enabled between it and VR-Internet and routing is enabled between the two routing-instances.
- A second interface on the ZT appliance lands in another routing-instance called VR-VPN. This interface is configured as a bridge. Thus the ZT LAN IP layer3 is configured on the SRX240 itself.
- VR-VPN is stretched down to a Juniper EX4200 switch where it lands in a routing-instance configured as a VRF called VRF-VPN.
- The switch also hosts several other VRF constructs such as VRF-Office for the internal network of the branch office and VRF-Mgmt for network/server/facilities management. The switch essentially serves as the sitewide intraoffice core switch and punts inter-office as well as Internet traffic to the SRX240 firewall.
I am observing the following:
Everything works fine in the beginning. A host in VRF-Office in Office-A is able to reach another host in VRF-Office in Office-B. However, the VRFs become unreachable after about 2 hours. During this time I can ping all ZT-LAN endpoints fine. Restarting the zerotier-one client or rebooting the server restores connectivity for the VRFs sitting behind the edge.
Other things to note:
I have permit rules for port 9993/udp and ephemeral UDP ports >=1024. Timeouts were originally set to 60s. I tried changing the timeouts to “never” but that didn’t seem to have any effect.
I suspect I am not configuring NAT on the SRX240 properly but I’m unsure what the configuration should be. The following is my current pertinent NAT configuration:
security {
    ...
    nat {
        source {
            rule-set EdgeNAT {
                from zone EdgeNAT;
                to zone Internet;
                rule EdgeNAT_to_Internet {
                    match {
                        source-address 192.168.5.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    ...
}
Any advice would be appreciated.