Following on from here where I got no responses.
I have a ZT network with a route to inside the network. I can access internal hosts via their HTTP web interface but can’t SSH to that same hosts’ SSH interface. If I use a ZT client that has an IPV4 internet IP address it all works fine.
This is the same issue as discussed here: iOS App Not Working When Using T-Mobile LTE - #19 by ilium007
I never had any issues using the same LTE IPv6 connection using a Wireguard tunnel, hard to believe that the ISP is doing anything.
Is it an IPv6 to IPv4 relay issue? If so wouldn’t the same relaying have been happening using Wireguard?
You either have a firewall blocking ports on the ZeroTier network interface, or the services are not listening on the zerotier interface, or flow rules configured to only allow http (the default allows anything). There’s nothing inherint to zerotier itself that would allow HTTP and not SSH or any other kind of traffic.
Nothing like that. Add I said, the ipv6 lte client will establish an ssh tunnel if I let it sit there for 3 mins or so. Is not firewall. Other apps that won’t tolerate that wait will just time out.
Others have reported this same behaviour on ipv6 lte connections
Again, it’s not zerotier blocking anything. If HTTP over zerotier works, anything else will work unless there is something else blocking the packets.
LTE providers can’t see anything about the packets. They can’t see if they’re HTTP or SSH or any other kind of packet or do anything to block them because they’re encrypted and encapsulated by ZeroTier
I understand all of this but I’m trying to explain the observations. IPv4 client works without issues. IPv6 LTE CGNAT client has issues but NOT complete blocking. A firewall mis-configuration would block traffic. In my case traffic eventually gets through for the IPv6 client, it just takes minutes to establish an SSH connection. Once established it works as normal. It’s not firewall.
Don’t know what to tell you. I have T-Mobile as my carrier, have IPv6 from T-Mobile, and use an iPhone. I can’t reproduce anything you’re reporting.
Also… I have multiple ZeroTier networks. One node is established on a Mikrotik router where I see the issue. The other network has an OSX machine with the ZeroTier client and the IPv6 iPhone client is also a member so NO firewall involved. The same issue occurs trying to SSH from the iPhone to the OS X ZeroTier client using the ZeroTier network ip. How can it be a firewall blocking if there is no firewall involved?
I’m on Telstra in Australia
Only thing I can suggest is checking the output of zerotier-cli peers on desktop machines. If you see lots of members with RELAY in the link column for the node ID of your iPad, that means a direct connection can’t be established. Something is blocking ZeroTier from establishing peer to peer connections. It’s either the router, or your mobile carrier.
Ok thanks. I’ll take a look when I can get an ssh connection 
So from my iPhone I could establish an SSH connection to the OSX computer after about 1min of waiting and ran zerotier-cli peers. Once connected the ash interface is snappy and work as expected. There’s no lag, the connection issue isn’t latency or connection related.
The iPhone is not connected as a peer, it’s showing an IPv4 address with is the LTE provider CGNAT address. When I go to an online ip address checker it shows this same IPv4 address but the iPhone itself shows an ipv6 address.
It’s been driving me insane. I exclusively use Zerotier for ssh and it works fine for my assortment of other clients. It used to work from my iphone over Tmo’s LTE with an ssh client, but stopped some time ago (works over wifi just fine). I assumed I did something wrong but I haven’t been able to figure out what.
However for me it’s all ports including HTTP that are blocked when over cell phone connection. (just to be clear, I can reach other public hosts fine).
It might not be ZT at fault, but I hope someone else has insights.
Another relevant datapoint: when I use my phone as mobile hotspot and thus connect my macbook air to the Internet via the phone, with ZeroTier enabled only on the notebook, everything works fine. Thus, it doesn’t seem like it’s T-mobile blocking the traffic. It might be Apple (my iOS is updated to the latest, 15.5)
This seems relevant: “It seems to me from testing that T-Mobile’s 464XLAT implementation has recently been changed to block UDP. To bypass the problem if you change your phone/hotspot’s APN (Access Point Name) to use IPv4/IPv6 instad of just IPv6, then UDP starts working on 5G (and LTE).”
from Network blocking UDP? | T-Mobile Community
