Zerotierone: Best way to expose LAN network over Zerotier network.
Hi all,
I've been trying ZeroTier now for a few days. This is just brilliant and so simple to use.. I previously had configured a small cloud using DMVPN using the Quagga stack.. And the ZeroTier approach is just way simpler, so simple that it looks like sorcery :smile:
So I've setup ZeroTier on my openwrt router at home. It successfully connects to the network and from the router shell, I can ping every hosts defined in my ZeroTier network topology... But pinging from my computer does not work..
What I would like to achieve is advertise the LAN of my home over my ZeroTier network. From what I understood, zerotier seems to create host-to-host connection but not network-to-network connection.
The all idea would be to:
- access ZeroTier hosts within my home LAN network (without the need to configure zerotier on my laptop as it is already configured on the router).
- from any zerotier host, been able to ping every hosts on my LAN network.
I previously managed to get this working with my previous DMVPN stack using iBGP to advertise LAN route prefix on the different hosts, but I have no clue on how to do this with ZeroTier.
In my zerotier central, I try adding a static route to my home router ZeroTier address to advertise the LAN but the ping seems to chop with a protocol unreachable error:
22:27:42.179367 IP 10.147.20.1 > 192.168.2.110: ICMP echo request, id 20033, seq 1, length 64
22:27:42.179435 IP 10.147.20.29 > 10.147.20.1: ICMP 192.168.2.110 protocol 1 port 29247 unreachable, length 92
22:27:43.180790 IP 10.147.20.1 > 192.168.2.110: ICMP echo request, id 20033, seq 2, length 64
22:27:43.180849 IP 10.147.20.29 > 10.147.20.1: ICMP 192.168.2.110 protocol 1 port 567 unreachable, length 92
22:27:44.183919 IP 10.147.20.1 > 192.168.2.110: ICMP echo request, id 20033, seq 3, length 64
22:27:44.183970 IP 10.147.20.29 > 10.147.20.1: ICMP 192.168.2.110 protocol 1 port 31281 unreachable, length 92
22:27:45.185824 IP 10.147.20.1 > 192.168.2.110: ICMP echo request, id 20033, seq 4, length 64
22:27:45.185872 IP 10.147.20.29 > 10.147.20.1: ICMP 192.168.2.110 protocol 1 port 52777 unreachable, length 92
10.147.20.1 -> a node in the my zerotier network trying to ping a host within the LAN.
10.147.20.29 -> my router zerotier address.
192.168.2.110 -> my laptop which is with the LAN that I'm trying to ping.
This is probably a dumb question with I'm lacking of network knowledge to understand under the hood what is going on there.
Thanks in advance :)
lion24
All 15 comments
I'll just leave this link here ;)
glimberg
on 2 Jul 2018
Does laptop respond to pings? Unreachable could mean that firewall is rejecting ping. If it responds to pings, isnt packet forwarding restricted by firewall at your router (again, it might reject it by sending port unreachable)? For example, zt network might be considered to be WAN instead of LAN and inter-zone forwarding is definitely forbidden.
neVERberleRfellerER
on 3 Jul 2018
@glimberg I have read linked article and it is kinda strange. Why does it starts with 2 separate networks but then continues to bridge? Also it claims "we're going to join two adjacent Class C network block" but you do not need bridge for that - routing is standard tool for that. Most of the time, point of VPN L2 bridinging is, that you will get IP assigned by DHCP server from bridged network, why enable ZT IP assignemnet then?. If you have two networks, all is needed is to enable packet forwarding - no need for bridge. Also at the bottom it says "bridged together as one network", but that is confusing, as two networks were created: 10.99.4.0/24 and 10.99.5.0/24. It would work perfectly fine without bridge, just iwth 10.99.4.0/24 in managed routes
neVERberleRfellerER
on 3 Jul 2018
@neVERberleRfellerER You are my hero !! :heart_eyes:
Sorry for the delay. Indeed the zerotier interface was probably put by default in a zone were forwarding between this zone and the LAN was not authorized. Putting the ZeroTier interface into the LAN make the my whole ZeroTier network reachable directly from my different devices in the LAN and vice-versa :)
Thanks a bunch for this :)
Greetings.
lion24
on 4 Jul 2018
@glimberg Bridging could indeed be one of the solution I thought but this is not really needed here as a simple routed setup did the trick.
lion24
on 4 Jul 2018
Is there a similar article on setting up OPNsense for the same scenario? I need to be able to access hosts on LAN, being remotely connected to OPNsense firewall.
HighWatersDev
on 14 Jul 2018
@HighWatersDev You can also go for routed setup. You just have to make sure you have packet forwarding enabled on OPNsense (you do, otherwise it would be of no use in any sane scenario) and then add zerotier managed route: set network address of your LAN as destination (first field in zt central) and zerotier address of your OPNsense box as gateway (second field in zt central). Then allow communication between your two networks in firewall. That would be all.
neVERberleRfellerER
on 20 Aug 2018
Closing because it looks like lion24 has it solved.
Here's a quick description of how to do it, if anyone stops by
laduke
on 29 Aug 2018
One question: i have tried this configuration with opnsense in a virtualmachine and it works good. How to do the same thing without VM and using Windows 10 acting as router? Thank you!
graphixillusion
on 20 Mar 2019
@graphixillusion You probably just have to enable IP forwarding. A quick Google search brought me to https://superuser.com/a/1153511.
AndreKR
on 27 Feb 2020
One question: i have tried this configuration with opnsense in a virtualmachine and it works good. How to do the same thing without VM and using Windows 10 acting as router? Thank you!
Did you follow a guide or anything? I can not for the life of me get the opnsense VM I have to either bridge my LAN and zerotier network, or I am missing a route somewhere.
FDrebin
on 19 Mar 2020
Hey Y'all,
Following this as I'm trying to get zero tier to be seen by a software that can't see it so I'm trying to bridge, but this could be TOTALLY wrong,
this is what I did on the windows machine but, can't seem to get zerotier adapter to connect back up, is this what would be in the settings in zerotier central?
NET IP: 192.168.21.11
bridged IP: 192.168.31.11
If this is the wrong question for this thread feel free to let me know so I can find one more relevant for it!
Thanks for your time!
geese780
on 17 Apr 2020
Hello @geese780
I think you might need to allow ethernet bridging in your zerotier console. The ip will then be assigned to the bridge itself, but you need to ensure that both networks you are bridging are in the same subnet...
lion24
on 18 Apr 2020
Hey @lion24 !
Thanks for the response, sorry about the deley! Yea, so, what I gathered is that the software that I was wishing to first utilize ZT on does not read virtual NIC cards at all, somehow, but that's what I have come to the conclusion of. Oh well, things happen haha! I'm sure I'll be back to this once I get into the situation where it's needed again! Thanks again be safe and healthy!
geese780
on 20 Apr 2020
@geese780
Ok fine.
Thank you ! Be safe and take care too.
lion24
on 20 Apr 2020
Related issues
bstin
路
3Comments
MaskRay
路
4Comments
tim77
路
4Comments
AlexisTM
路
4Comments
leviacn
路
3Comments
Most helpful comment
Closing because it looks like lion24 has it solved.
Here's a quick description of how to do it, if anyone stops by
