Windows Ethernet Bridging


You don’t actually need to configure any special routes on the “router” machine - this should have the ZeroTier client installed on it so it will already have the necessary routes. If you used the -p flag when adding the routes (as in my examples) then you should be able to see the ones you’ve added under persistent routes in the output from:

route PRINT

Then you can use route DELETE to get rid of them. A single route (for the ZT subnet using the “router” machine as gateway) needs to be added to each device on your local network that you want to be able to access the ZeroTier network (but can’t install a ZT client on).

If i’m not mistaken it should be enough to add static route on default gateway/router for your zerotier network ( with your windows machine ip address as gateway. Then you don’t need to add route on every device in your network.

Hi. Im a noob. Can you help me to set this up

if it is not possible for you to add a route on the Device or it is not possible for you to install Zerotier directly on this Device here is what I did.

I transformed a linux machine (for example a rpi 4) into a router thanks to linux forwarding. Once done, you must define this linux router as the default gateway of your incompatible device. Once this is done, thanks to iptables rules, the requests from your incompatible device that will go through your linux router will go either to the zerotier interface of the linux router, or to the lan interface of the linux router. Your device will therefore have access to the internet and to zerotier via the linux router.

Moreover, if the device does not need to initiate a connection to zerotier but only to respond to requests from zerotier there is no need to change its default gateway.

if you don’t need full access to the device but just a port you can do ports forwarding.

If you need detail don’t hesitate and don’t be afraid of Linux, linux is cool :slight_smile:

1 Like

Hi jtm,

It seems you found a solution to Zerotier accessing devices on a private lan. Would you be able to put together a step-by-step setup? I tried many vague suggestions but can’t seem to access to the device without Zeroteir installed. My setup is similar to upInTheNorth. I also have a Windows server 2008 running that I enabled RRAS but still no success.

Hi Scott,

I think the number of suggestions in this thread proves that there are a few options for achieving physical network bridging with a Windows box, and it depends on your situation which option is best for you:

  • If you’re able to add static routes on your router, the easiest option is probably to set the IPEnableRouter registry entry on the Windows box that has ZeroTier installed and then on your router create a route to your ZT subnet through the IP of the Windows box. (as per @jakub.pisarczyk’s suggestion)

  • If you don’t have control of your router (like me) or it won’t allow you to add static routes, but you can add static routes to the device you need to access from ZT (e.g. QNAP NAS in my case) then you can do the IPEnableRouter setting and then follow my instructions to create the route on the device itself.

  • If neither of the above options are available to you, you’re probably best to follow @celien’s advice and set up a Linux box to be your ZT router, either by attaching a rpi or something to your network, or setting up a VM on your Windows server.

Happy to try and help with specifics if you’re able to share details about your particular network :slight_smile:

Hi Jtm,

I’m familiar with general network setup but not familiar with Static Routes. My setup is below. I have a Windows Server 2008 running on the network where the device that I want to access. I have already enabled RRAS for LAN routing. My PC is still not able to ping/connect with the Device security camera

Zerotier network

Appreciate if you have instructions on what configurations are needed and where. Thanks.

Hi Scott,

Thanks for the diagram, in your setup the most important configuration is the managed route in ZeroTier console. So at → Settings → Managed Routes you need to add a managed route with destination (assuming your security camera network is via Note that the destination subnet in the route needs to be slightly larger than the actual subnet (/23 instead of /24) so that clients that are on both networks (like your Server 2008 box) prefer the physical route instead of the ZT one.

At this point you can reconnect ZT on your W10 PC and check that you see the new route when you run “route print” on the command line. If you can see the route you should then be able to ping/connect to the Server 2008 box on

If the Server 2008 RRAS box is the default gateway for the security camera network then at this point you might be able to get all the way through to, but if not, you might need to add a NAT rule in RRAS:

In this case your “public” IP would be the ZT IP ( and the private network is the interface.

Hi Jtm,

Thank you for the instructions.
I added the Managed Routes with destination via
manage route

I see in “route print”
route print

The Server 2008 RRAS box is not the default gateway. So I setup NAT public and private interfaces according to link provided.

I still can’t ping/connect to (security camera) from the PC on ZT (

What am I missing? Thanks.

Hi Scott,

I think you’re close! Can you at least ping the physical LAN IP of the RRAS server ( from your PC? If so, I think it’s the RRAS config that needs to be tweaked…

I’ve never done it myself so maybe someone else could say for sure - basically we need something on that RRAS server so that traffic from your PC over ZT ‘masquerades’ as traffic from the RRAS physical IP, then when the security camera replies it will send the response to the RRAS IP (which it already knows how to get to) and the RRAS box will translate it and send it on to your PC. Some wireshark captures or logs from the RRAS server might be the next step in troubleshooting.

Hi Jtm,

After I disable then re-enable RRAS, I am able to ping/connect the LAN IP of the RRAS server. Something is still missing because I cannot ping any of the clients on the LAN IP.

I did a “tracert” and I see the first hop to the ZT IP of the RRAS server ( but then timeout. I think the response is not finding it way back.


Found the missing piece! Add NAT routing protocol then add Local Area Connection interface and make it public.

Jtm - appreciate your help!


To summarize the steps for anyone that need help with this.

  1. Create new Network on Zerotier
  2. Install Zerotier on Windows server
  3. Add Managed Routes at with destination to the LAN ( → Settings → Managed Routes you need to add a managed route with destination (assuming your security camera network is via
  4. On Windows server, Install and Configure RRAS (Routing and Remote Access Service). Enabled LAN Routing and NAT. (How To Enable LAN Routing on Windows Server 2008 R2 - YouTube)
  5. Add a public Local Area Connection interface (Right-click on NAT > select New Interface > select the Local Area Connection “LAN” > select Public interface > check Enable NAT)
  6. Your PC/Mobile on ZT should be able to ping/connect with the LAN clients using LAN IP.

Is there any way to do NAT from command line in windows 10?

Not natively as far as I know, you need the RRAS role and that’s not available outside of Windows Server OS.

You could possibly do it with a 3rd party application or by using a VM/container but the second option will complicate the network and you might end up needing double NAT.

1 Like

@HorizonsCT did you ever document your steps for this?

@dan.mannocchi: Yes, there are a few different options but the easiest way for Win10 is to enable Hyper-V.

Then use Powershell to setup and control NAT like the examples below or use Google for other ways.

If you don’t want to enable Hyper-V it’s also possible to use ICS (Internet Connection Sharing) as NAT. As for an example have a look at the Powershell function Set-NetConnectionSharing in How to Setup Wireguard VPN Server On Windows - Henry's Portal

this should make it really easy for anyone stuck on this… simple powershell script. Be advised that in addition to this, you must have routes configured on Zerotier one for the network, as well as a static route for the zerotier subnet pointing to the ip of the machine running this, on the local router. WIth these two requirements met, this script is a single click deployment that enables bidirection communication between all devices on LAN subnet and Zerotier subnet and any other subnets routed through zerotier at other sites.

### Download MSI file
$Folder = 'C:\ZT_install'
"Test to see if folder [$Folder]  exists"
if (Test-Path -Path $Folder) {
    "Path exists!"
} else {
    New-Item -Path "C:\" -Name "ZT_install" -ItemType Directory
Invoke-WebRequest -Uri "" -OutFile "C:\ZT_install\ZeroTierOne.msi"

#### Start Installation
Start-Process -FilePath ZeroTierOne.msi -WorkingDirectory c:\ZT_install  -ArgumentList '/qn','/norestart'

### 2 minute delay
Timeout /NoBreak 30

### Join ZeroTier Network.  (Please set this variable accordingly)
$zerotiercli = "C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe"
$param1 = "-q"
$param2 = "join"

& $zerotiercli $param1 $param2 $NetworkID

### Enable IP forwarding to allow bi-directional LAN Bridging
Set-NetIPInterface -Forwarding Enabled
Set-Service RemoteAccess -StartupType Automatic; Start-Service RemoteAccess

Thank you very much. I cannot wait to try it out!

Thanks for sharing I will try this to connect 2 sites

@celien i exactly want to achive this using a debian 12 machine… i wld love to get more details :slight_smile: