I would like to use ZeroTier in a corporate network. However, all traffic is initially blocked by the corporate firewall and the required connections have to be opened manually. The following destinations are already allowed:

root-ams-01.zerotier | TCP+UDP: 9993, [1024-65535]
root-sea-01.zerotier | TCP+UDP: 9993, [1024-65535]
root-mia-01.zerotier | TCP+UDP: 9993, [1024-65535]
root-sgp-01.zerotier | TCP+UDP: 9993, [1024-65535]
root.zerotier | TCP+UDP: 9993, [1024-65535]

But the device does not get a physical IP from ZeroTier. What else needs to be opened in order for it to work properly?

I already found out that 2 more IP addresses are required in order to get a physical IP:

Is there a domain name available or are they always the same? Why isn’t this listed somewhere?

Hi Manuel,

Unfortunately for some corporate firewalls, there’s no real way to give you an answer to this. ZeroTier peers external to your corporate firewall can be running at any IP on a range of different ports. Our hosted network controllers are also not on static IP addresses, and the IP being used for those can change on the whim of the cluster in our datacenter. Your best bet will be to allow UDP/9993 from anywhere into your network at the corporate firewall.

Well, allowing any connection won't be accepted by any (bigger) corporate security department, I guess…

Isn't there any other possibility?

For the best performance, we recommend allowing machines running ZeroTier to allow incoming traffic from anywhere to at least UDP port 9993. ZeroTier operates on a peer-to-peer basis and needs to be able to contact other nodes directly to do this.
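One way to verify from the client side whether the firewall rules are sufficient is to look at which peers actually have a direct path and which remote ports those paths use, which is exactly the "any IP on a range of different ports" problem described above. The script below is an added example, not code from the thread or from ZeroTier; it parses the JSON printed by `zerotier-cli -j peers`, whose field names (`address`, `role`, `paths`, `active`, `expired`) are assumed here from that command's output, and the sample peer list is constructed for illustration.

```python
import json
import sys
from collections import Counter

# Constructed sample modelled on `zerotier-cli -j peers` output. Node IDs and
# addresses are placeholders (documentation IP ranges), not real ZeroTier nodes.
SAMPLE_PEERS = json.dumps([
    {"address": "a000000001", "role": "PLANET", "latency": 12,
     "paths": [{"address": "203.0.113.10/9993", "active": True, "expired": False}]},
    {"address": "a000000002", "role": "PLANET", "latency": 40,
     "paths": [{"address": "198.51.100.7/9993", "active": True, "expired": False}]},
    # A leaf peer with no live path: traffic to it is being relayed.
    {"address": "a000000003", "role": "LEAF", "latency": -1, "paths": []},
    # A leaf peer reachable directly, but on a non-standard source port.
    {"address": "a000000004", "role": "LEAF", "latency": 55,
     "paths": [{"address": "192.0.2.44/41641", "active": True, "expired": False}]},
])


def analyze_peers(peers_json: str) -> dict:
    """Classify peers as direct (at least one active, unexpired path) or relayed,
    and count the remote UDP ports seen on direct paths so a firewall admin can
    see how far the peer population strays from 9993."""
    peers = json.loads(peers_json)
    direct, relayed = [], []
    ports = Counter()
    for peer in peers:
        live = [p for p in peer.get("paths", [])
                if p.get("active") and not p.get("expired")]
        if not live:
            relayed.append(peer["address"])
            continue
        direct.append(peer["address"])
        for path in live:
            # Path addresses are "ip/port"; IPv6 literals also end in "/port".
            _, _, port = path["address"].rpartition("/")
            ports[int(port)] += 1
    return {
        "direct": direct,
        "relayed": relayed,
        "remote_ports": dict(ports),
        "nonstandard_ports": sorted(p for p in ports if p != 9993),
    }


if __name__ == "__main__":
    # Pipe real output in with: zerotier-cli -j peers | python3 this_script.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PEERS
    print(json.dumps(analyze_peers(data), indent=2))
```

Peers listed under "relayed" while roots are "direct" usually mean outbound to the roots works but inbound UDP/9993 is still blocked, which matches the "no physical IP" symptom from the first post.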

