Hello, I was wondering what ports does ZeroTier need to work properly?
Indeed, I saw this in the documentation:
9993
Secondary Port, randomized each start up and after being “offline” for too long.
Random Port for UPnP
But what is the second port for? Just if the first one doesn’t work?
Can several nodes connect at the same time on the same port of a node for example can 192.168.0.1 and 192.168.0.2 connect simultaneously on 192.168.0.3:9993? If so, what is the second port for?
Indeed, I ask this because by doing sudo zerotier-cli peers I see some nodes in 9993 and others on random ports. I would like to be able to create firewall rules in input (on my LAN interface) and therefore I was wondering which ports should be opened. Just 9993 or the second is needed?
So I don’t know from a technical perspective, but I see ZT using the second port if the first one is already used by some other process, or if you have multiple ZT instances.
To get good PTP links between nodes, they need to see each other on an exposed port. two zt devices can’t both be behind NAT on port 9993 for example. The first might get that port but the second would fail and have to try for another.
Also, these aren’t just a ‘second’ port. If you put 5 ZT interfaces on your system you’ll use ports 9993-9997
ok thank you for your reply. why can’t two machines behind a nat use port 9993 simultaneously? You said that in case they are in the same local network?
Consider that remote nodes would know some nodes address as IP:port, so that can really only exist once. NAT obscures the node behind a public IP but that doesn’t really change that a node is known by an IP:port
Ie, you can’t reuse that because two nodes can’t be known by the same ip:port.
If you have a different port, great. Dual public IP addresses, great. Dual wan, great.
to summarize, within the same physical local network if two nodes are behind the same public ip it cannot use the same ports. (if the nat maps the source port of the machine on the public side). On the other hand if the first node is behind a public ip address and the other is behind another public ip, the two nodes can talk to each other on their respective port 9993? We agree?
uh… I don’t care for how you say that so I can’t outright agree.
each public IP:Port can belong to just one zerotier node. No matter how you spin it. There are intricacies of NAT that you can mix and match src and dst but those are beyond the scope here. Physical network doesn’t matter as you can have NAT to internally routed resources.
The summary here is that an individual public IP and port combination allows inbound data to just one node. You can do whatever else you like as long as a given public IP:port goes to a single node, and so your summary shouldn’t have any extra rules in it either.
