Traffic meant for Zerotier being sent over physical NIC

Hey guys,

I have a Zerotier network set up between a couple of windows machines. One of them hosts a web server that needs to be accessed by the others. All of the machines except one are able to access the web server.

The machine that can not access the web server seems to be sending all of its traffic out over its physical NIC and ignoring Zerotier completely…
If I run a trace route to the web servers IP on any of the other machines, there is a single hop, but on the problematic machinee, the traffic goes to the default gateway, then out to the internet and ultimately dies when it’s TTL expires.

The problematic machine has Comms to my my.zerotier.com, and changes I make to it update on the machine, but it can not communicate to any other machine on the Zerotier network, and no other device can communicate with it.

If anyone has any idea of what might be going on here and how to fix it, I would massively appreciate your feedback, because this is driving me insane…

Run route print at a prompt and paste the result here.

Also report the addresses and routes that you want to have for each physical and virtual interface in the misbehaving computer, both Ethernet and ZeroTier.

Route Print

Physical address is 192.168.0.74 with gateway 192.168.0.250
Virtual address is 10.10.0.12 with gateway 25.255.255.254

This Machine needs to access the machine at 10.10.0.10 on port 82.
Every other machine on the network can access 10.10.0.10:82 without any issues, and tracert for them has 1 hop to 10.10.0.10.
running tracert on this machine shows the first hop to the gateway 192.168.0.250, and then out to random public IPs until it expires.

The metric of 281 on the default gateway for the physical interface is too high, which suggests that it is overridden. This value would be lower than the “on-link” lines on most Windows computers.

Additionally, the default gateway is 192.186.0.250 on network 192.168.0.0/22, but 192.168.0.1 or 192.168.3.254 would instead be expected as a sensible default here, which suggests a misconfiguration.

Furthermore, both 10.10.0.0/16 and 100.100.0.0/16 are on the ZeroTier interface. The second block is not used by ZeroTier; it is used for CGNAT and by products like Tailscale. This is certainly wrong.

If you can’t explain how or why this happened, then your solution is a networking reset.

  1. Uninstall all VPN software like ZeroTier and Tailscale.
  2. Reboot.
  3. Run netsh int ip reset in PowerShell.
  4. Reboot.
  5. Install ZeroTier and get it working like your other computers.
  6. Install other networking products one-by-one until the ZeroTier installation breaks.

I did try to modify the metrics for both the default and Zerotier, both the Advanced TCP/IP Settings GUI, as well as via the commands Set-NetIpInterface and route delete/route add. This did not work, any changes added a flat 10000 to any metric I specified, setting to the lowest priority in the list, and I could not find a reason why or a work around online.

As far as your suggestion of misconfiguration for the default, I do not have control over that configuration. Zerotier has worked without an issue in this environment before, albeit on a different computer.

I can explain the second block, I tried to use Tailscale.
I have never had issues with Zerotier that I couldn’t readily resolve, and as such I have never needed to post a question on here till now. Being a new user, my account got put on hold, unfortunately there was no indication of how long that hold would apply and I needed a solution, so I looked for Zerotier-like alternatives, and Tailscale was the one I tried…
Similarly to Zerotier, Tailscale just didn’t work.
The traffic was not routing through Zerotier when Zerotier was only application installed on the machine (Literally an entirely fresh install of Windows 11 Pro with nothing but Zerotier added).

I should’ve specified this in the original post, but I don’t think Zerotier itself is at fault, but rather that Windows and Zerotier are not gelling for some reason…

For anyone having this issue in future:

We did manage to find the cause of this issue eventually, the administrators of the network that the problematic machine was on uses Fortinet to secure it, which is a cyber security platform.

Zerotier was added as an exception to their firewall, this allowed the machine to communicate with my.zerotier.com as this uses a static port for communication, however, because Zerotier uses randomised ports for communication between devices on the Zerotier network, Fortinet was blocking it as abnormal traffic. Anything going out on Zerotier would get blocked, and the machine would then try to send it out over its physical NIC instead and it would die out on the internet.

The only direct solution to this is to turn the firewall off, so that Zerotier can use whatever random port it feels like using. It doesn’t seem like you can configure static ports for Zerotier (yet, hopefully) and just turning a firewall off is not recommended.

So, we removed the machine from the network, put it on its own LTE connection, and it now works perfectly…