ZeroTier Not working Any ideas why please?

Hi,

I've got two sites with a similar configuration and don't manage to get ZeroTier working. Attached is the configuration example. Both sites work over Wi-Fi. I don't manage to ping Laptop A from Laptop B. Any ideas why?

I can ping the IP address shown in the Members section but cannot ping the final IP address 192.168.1.11.

I've added the managed route 192.168.1.0/24 via 10.147.17.*.

What else do I need to do? I've also ticked "Allow Managed Routes" in the ZeroTier icon on both laptops.

Hi there and Happy Easter 2023! :slight_smile:

If you haven’t already, you’ll probably need to use one of the following procedures (I use #1 myself):

  1. In your main router (default gw), add a route to your ZeroTier network such as “10.147.17.0/24 → 192.168.1.10”

  2. Use NAT as explained in the link: “Route between ZeroTier and Physical Networks”

Btw, in “Managed Routes” I suggest you change to 192.168.1.0/23 instead of /24 as explained in the link above.

Please feel free to get back with some feedback if it worked out.

192.168.1.11 is an RPi that is not a member of the ZeroTier network, so this will not help.
If you meant 192.168.1.10, then it will not help either - a Windows PC is not a router; it will not forward traffic between its interfaces (zt and wired Ethernet in this example) by default.

Consider setting up the ZeroTier client on the RPi instead of Laptop A.
Then configure forwarding on the RPi; no NAT is needed.
Your router in 192.168.1.0/24 (your default gateway) will need a static route to the ZT network via the ZT client in your LAN.

Sorry, I misunderstood the picture and thought you were running ZeroTier on 192.168.1.11. Which one is the router (i.e. default gw) and where do you run ZT according to the picture?

Not me, but there’re icons on the diagram :wink:

Apart from the RPi, I've also got several other devices. I cannot run ZeroTier on them.

I am running ZeroTier on both Windows PCs, Laptop A and Laptop B.

You don’t need to run ZeroTier on multiple devices in your LAN; you need only one device in that role, and the RPi is a good candidate.


@AndrewZ: Not me, but there’re icons on the diagram :wink:

Okay, got it! :slight_smile:

@Arielis:

Thus, if it’s just a matter of A-to-B on the same LAN or the zt network, it should be trivial. If those are Windows PCs, be aware that the network profile for the zt interface in the firewall usually defaults to Public. This also assumes that “Core Networking Diagnostics - ICMP Echo Request” is enabled in the firewall.

However, if you want ZeroTier-to-LAN communication, the same principle as in points 1 and 2 still applies. Thus, if you want B and others on the ZeroTier network to be able to communicate with all nodes on the 192.128.1 LAN, then add the following route to your main router:

“route add 10.147.17.0/24 dest 192.168.1.10”

And as AndrewZ pointed out, the Pi is a good candidate to run zt on.

Btw, Packet Forwarding must be enabled on the zt node acting as a zt router. If running Windows, have a look at: “Ping other system out of ZeroTier IP”

Ok, I've just chosen the Pi as an example of the end devices I've got. On the ones I've got, I cannot install any software.

I can ping the Laptop A ZeroTier IP address from Laptop B.

I've added the route and destination of both networks.

I've enabled Packet Forwarding on both laptops.

I've allowed Core Network Diagnostics in the firewall.

If it's possible to achieve this, there must be another parameter I've forgotten.

As I have mentioned, I've got another site with a similar configuration, although instead of putting in an unmanaged switch, I've put in a RUT950 router.

I have installed ZeroTier on the router and connected the RUT950 to a wireless router as a client. What I do not get is that I can't see this router in the list of members in ZeroTier Central, so this router does not seem to share the internet connection with the ZeroTier VPN. Have you had this before?

As I can ping the ZeroTier IP addresses between the laptops, are there any other tests I can do? Knowing I still can't ping 192.168.1.11…

If the goal is to establish communication between two different LANs (subnets), both A and B must be included under “Managed Routes”, both subnet routes must be added for the opposite LAN in the default gateway, etc.

Feel free to draw a new picture with the IP addresses of all said nodes, including the type of OS, the subnets of the LANs and the default gateways, to make it easier to understand in more detail what you want to achieve. You can make it easy by drawing it on paper and attaching a photo of it.

Ok, I'll draw another picture.

Both laptops are about 200 km apart. The RPi has a web browser. My goal is to use Laptop B to access the web page of the RPi. I'll also use Laptop B to configure devices like the RPi.

Is there a reason why you can’t install ZeroTier on the RPi (192.168.1.11) as well?

I mean, that would probably be the easiest way, since you don’t have to do any routing at all and can just connect directly to the ZeroTier address of the RPi from B.

I chose the RPi as an example, as I could not find any other way to explain the type of devices I am trying to connect to. Here is a link: https://www.neptronic.com/controls/Fancoils.aspx

There is no way to install ZeroTier on those devices. They all have an IP address and are configured in the range 192.168.1.x.


Ok, now I understand the reason for fixing routing for the whole 192.168.1 network via ZeroTier. Some questions:

  1. Is the size of subnet /24?
  2. What type of router do you use as the default gateway (gw)?
  3. IP of gw?
  4. Can you provide the routing table of the gw?
  5. You are running some kind of Windows version on A, correct?
  6. Please provide the output of the following PowerShell command on node A: Get-NetIPInterface | ft InterfaceIndex, InterfaceAlias, AddressFamily, ConnectionState, Forwarding
  7. What are the ZeroTier addresses of A and B?
  8. Can you ping the ZeroTier address of node B from A?
  9. Can you ping the ZeroTier address of node A from B?
  10. Can you ping 192.168.1.11 from A?
  11. Can you ping the local address (192.168.1.10) of A from any other node on the same network?
  12. Can you ping the ZeroTier address of A from any other node on the same network?
  13. If you can’t ping any of them, please provide the output from A and B of the following PowerShell command: Get-NetFirewallRule -DisplayName "*ICMP Echo Request*" | ft DisplayName, Enabled, Profile, Direction, Action
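The Windows-side checks discussed in this thread (IPv4 forwarding on both interfaces of the node acting as zt router, the zt interface's firewall profile defaulting to Public, and the inbound ICMP Echo Request rule) collected into one script, as an added example that is not from the thread or from ZeroTier. The adapter-description pattern "*ZeroTier*", the LAN adapter alias "Ethernet" and the test host 192.168.1.11 are assumptions; run it in an elevated PowerShell, and without -Fix it only reports.

```powershell
# Added diagnostic script for the Windows node acting as zt router (not from the thread).
# Assumptions: the ZeroTier adapter's name or description matches $ZtAdapterPattern,
# the wired LAN adapter alias is $LanAdapterAlias, and $TestHost is a LAN device to ping.
param(
    [string]$ZtAdapterPattern = "*ZeroTier*",
    [string]$LanAdapterAlias  = "Ethernet",
    [string]$TestHost         = "192.168.1.11",
    [switch]$Fix                                   # apply changes instead of only reporting
)

$zt = Get-NetAdapter | Where-Object {
    $_.Name -like $ZtAdapterPattern -or $_.InterfaceDescription -like $ZtAdapterPattern
} | Select-Object -First 1
if (-not $zt) { Write-Warning "No adapter matching '$ZtAdapterPattern' found"; return }
$lan = Get-NetAdapter -Name $LanAdapterAlias
$ifIndexes = @($zt.ifIndex, $lan.ifIndex)

# 1. Forwarding: a Windows PC does not route between zt and LAN unless both interfaces forward.
Write-Host "== IPv4 forwarding state (both must be Enabled to route zt <-> LAN) =="
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $ifIndexes -contains $_.InterfaceIndex } |
    Format-Table InterfaceIndex, InterfaceAlias, ConnectionState, Forwarding
if ($Fix) {
    foreach ($i in $ifIndexes) { Set-NetIPInterface -InterfaceIndex $i -AddressFamily IPv4 -Forwarding Enabled }
}

# 2. Firewall profile: the zt interface usually lands in the Public profile, where inbound is tightest.
$ncp = Get-NetConnectionProfile -InterfaceIndex $zt.ifIndex -ErrorAction SilentlyContinue
Write-Host "== Network profile of $($zt.Name): $($ncp.NetworkCategory) =="
if ($Fix -and $ncp -and $ncp.NetworkCategory -eq "Public") {
    Set-NetConnectionProfile -InterfaceIndex $zt.ifIndex -NetworkCategory Private
}

# 3. Inbound ICMP Echo Request rule (same wildcard as question 13 above), IPv4 only when fixing.
$rules = Get-NetFirewallRule -DisplayName "*ICMP Echo Request*" | Where-Object { $_.Direction -eq "Inbound" }
Write-Host "== Inbound ICMP Echo Request rules =="
$rules | Format-Table DisplayName, Enabled, Profile, Direction, Action
if ($Fix) { $rules | Where-Object { $_.DisplayName -like "*ICMPv4*" } | Enable-NetFirewallRule }

# 4. Reachability from this node itself (question 10): if this fails, routing further away cannot work.
$reachable = Test-Connection -ComputerName $TestHost -Count 2 -Quiet
Write-Host "== Ping $TestHost from this node: $reachable =="
```

Even with all three checks green on node A, Laptop B still needs the main router's static route (10.147.17.0/24 via 192.168.1.10) for the LAN devices' replies to find their way back.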

I just realized I missed this post regarding the RUT950 solution.

I’ve several different networks, both at work and at my home office where I run a Mikrotik RB3011 with built-in ZT similar to your solution with the RUT950. Also, I have a completely independent lab network where I run ZT and other similar solutions in both Linux containers and various Windows versions using Hyper-V, for example ZT on Win10 as in your first post.

Btw, I like the Teltonika product line and we’ve used many of them in customer projects.

As for ZeroTier Central, every node connecting to the ZeroTier network needs to be authenticated unless it’s a public ZeroTier network, so in your case you should definitely be able to see the RUT950 somewhere. Maybe it was hidden by mistake (happened to me a few times).

As a precaution, you could add an additional IP or a virtual network adapter using a separate ZT management network (WG/TS works too) if things go south, to avoid having to travel there just for a “ctrl-alt-del”. TeamViewer and similar solutions are also an option.

Hi,

Many thanks, I am working on your previous reply and will send an update soon.

Just to clarify, the network with the RUT950 is a second network I've got. I agree that every node connecting to the ZeroTier network needs to be authenticated. As I cannot see it on my ZT network, I wonder if it's because I am using Wi-Fi to connect the RUT950 to the internet and I've got a firewall blocking access. I just cannot find the setting to modify.

Thanks

Connecting using Wi-Fi itself shouldn’t matter at all. However, if you are able to see the RUT950 using ’$ zerotier-cli peers’ but not in the controller (my.zerotier.com), it could possibly be due to some kind of fw rule that blocks access, but it is hard to tell using only a screenshot.