ZeroTier not working on router running FreshTomato firmware

SUCCESS
After a lot of partially-educated iptables throwing and seeing what sticks, to allow connecting from a remote site (while monitoring the firewall log and tcpdump on two other terminals), these commands worked late Saturday night:

	# As per instructions from ZT KB at https://tinyurl.com/yhqae9wu :
	IFzt=ztklh2unun
	IFlocal=br0
	iptables -t nat -A POSTROUTING -o $IFlocal -j MASQUERADE
	iptables -A FORWARD -i $IFlocal -o $IFzt -m state --state RELATED,ESTABLISHED -j ACCEPT
	iptables -A FORWARD -i $IFzt -o $IFlocal -j ACCEPT
	# As per your suggestion, pending delete just to see if it's needed:
	ifconfig ztklh2unun arp
	ifconfig ztklh2unun trailers
	# Had to put this first to avoid having a logdrop before it
	iptables -I INPUT 1 -i ztklh2unun -j ACCEPT

Sunday morning I found that connections were lost, but I soon realized that it was caused by the rules getting erased by the router’s scheduled 4AM reboot. Having kept notes and command history copied to the flash drive every 5 minutes, I was able to clean up the commands I issued the night before and put them in the firewall script. Then I tested by manually rebooting and the connectivity returned. The scheduled reboot was performed this Monday morning and the connectivity is still there.
I can connect to my LAN non-ZT devices by FQDN and by IP, and am planning to uninstall ZT on the rest of the LAN.

PENDING:

  • Check if the ifconfig ztklh2unun arp and trailers commands are needed
  • Take a look at OpenVPN according to your suggestion
  • Take a look at packetriot.com according to a friend’s suggestion
  • Find out why some remote devices don’t get my LAN DNS
  • Find out why I can get to the router’s web interface from ZT by its LAN IP but not by its ZT IP

Many thanks for all your help and patience!!

UPDATE:
Just commented out the ifconfig ztklh2unun arp and ifconfig ztklh2unun trailers lines, rebooted, and lost connection from an off-LAN ZT device to my non-ZT media server behind the ZT router.
I uncommented the ifconfig ztklh2unun arp line first and it came back up with the trailers still disabled.
So, ifconfig ztklh2unun arp stays and ifconfig ztklh2unun trailers gets deleted.
Sounds about right, since ARP-IP resolution is needed in switches, and I read that “Trailer encapsulation is used in some older networking protocols, but it is not commonly used in modern networking technologies”.

Remote devices did get my LAN DNS after a while and I’m able to connect to LAN devices by FQDN, so I guess it was just a matter of waiting.

Glad to finally hear that, and thanks for the extra iptables rules; I will try them on my own setup and see if they improve the performance. Still, from my personal experience I would have to say that OpenVPN is the better and easier choice to set up and implement, but to each his own. Just in case anyone is interested, here is the method. Get a free OpenVPN account at Cloud VPN Services | CloudConnexa, and make sure to select CloudConnexa, set up your network name, then under the Networks tab set up a Connector, this is the one you will be VPNing from; then under Hosts set up another Connector, this is the one you will be VPNing to. Download both ovpn files; remember the Hosts Connector is the one that is going to be put on the FT router. After that just go to your FT router web interface, then Admin > Scripts > Init and type | lsmod | grep -q "tun" || modprobe tun | and then type | openvpn --config "yourovpnfile" & | which will make it run in the background on boot. Then under Admin > Scripts > Firewall type | iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT | and | iptables -A INPUT -i tun0 -p tcp --dport 22 -j ACCEPT |. OpenVPN usually will have tun0 as the default interface set up automatically. Remember to also have IPv6 enabled. Also remember you don’t really need an ovpn file; it could be done just by copy and paste into the FT VPN tab under OpenVPN Client in the FT GUI, just copy and paste a few parameters and the keys in the boxes there, check the “enable on start” box and you’re DONE. Also I just recently got myself another router and put OpenWRT on it, and ZT works way better on it than on FT. Highly recommended if you want an easy and stress-free setup with ZeroTier or Tailscale or Netbird etc.; go for an OpenWRT compatible router instead.