Hi @eskimo1967,
That’s indeed a lot of confusing things going on.
A few more questions 
- Are you running in bridge mode?
- If you’re not running in bridge mode, is the IP range of the ZT network separate from the range of the LAN?
- If you run zerotier-cli info in the container, what is the status?
- If you run zerotier-cli listpeers in the container, do all the peers have an IP adres? Do you see your virtual DSM listed as a peer?
- If you uncheck the interface in the zerotier portal, does the internet connectivity resume?
- Are you behind NAT?
For me the biggest clue is that your internet stops working as soon as zerotier is running. I’ve seen it in a case where the default gateway is also assigned in the portal. In case you are running in bridge, make sure not to assign the default gateway IP to any of the nodes.
I would switch of the virtual DSM off while you are testing too simplify the network setup.
You can also check what happens if you leave the network (does internet connectivity resume?) and if your rejoin…
Is your VPN range separate separate from your LAN and ZT range?
If you could share maybe share the network config (ranges, route entries) it would make it easier to check. With everything sensitive removed of course. (Maybe change IP ranges to something equivalent and leave out MACs or so).
Because you have a VM, a LAN, a VPN, a ZT network, a docker container,… there is a lot of room for tricky combinations which might not be obvious.
Kind regards,
Timmmy