TeWe
Frequent Visitor
Topic Author
Posts: 56
Joined: Tue Sep 12, 2023 1:27 pm

ZeroTier --> 2 local subnets

Thu Nov 02, 2023 6:51 pm

Hi guys,

following situation:

hAP ax lite LTE in default config, internet via LTE is fine.
ZeroTier package installed, configured, working fine.
In order not needing to frickle around with firewall rules, I added interface 'zerotier' to Interfaces - LAN list
Access to local subnet 192.168.88.0/24 (and all devices there) is working fine - as static route for that configured in ZeroTier web management.
So far - so good.

Now I deleted eth1 from existing bridge, set it to DHCP (via DHCP Client) and it got 192.168.2.10/24 assigned (second local subnet).
In order not needing to frickle around with firewall rules, I added interface 'eth1' to Interfaces - LAN list as well.
Static route in ZeroTier web management configured as well to 192.168.2.0/24 via ZeroTier IP of hAP LTE.

But it seems one thing I am missing as I cannot get from ZeroTier to 192.168.2.0/24 (eth1 only).

From within ROS 7.12RC4 itself it works of course, PING from 192.168.88.1 to 192.168.2.10 works fine.
Firewall rules - touched nothing here
NAT - touched nothing here (default masquerading srcnat to WAN is there)
Static routes - touched nothing here (DHCP of eth1 added the required route)
Interface-lists look good to me

Can someone give me a hint please?
Thank you.
 
Amm0
Forum Guru
Posts: 4089
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: ZeroTier --> 2 local subnets

Thu Nov 02, 2023 6:57 pm

edit - it seems this was already done: You need to add 192.168.2.0/24 as a route on the https://my.zerotier.com web portal for the ZeroTier network, with its destination being the ZeroTier address of your Mikrotik.

You'd likely also want to change the default-route-distance of the zt1 instance on the router to something > 1 (say 10). The ZeroTier-defined routes get added as routes automatically/dynamically with the default-route-distance – and the 192.168.2.0/24 subnet is also added dynamically as a route via DHCP Client with a distance of 1. This creates an odd situation where that network gets load balanced.
 
TeWe
Frequent Visitor
Topic Author
Posts: 56
Joined: Tue Sep 12, 2023 1:27 pm

Re: ZeroTier --> 2 local subnets

Thu Nov 02, 2023 7:13 pm

Thanks Amm0.

Yes - ZeroTier web portal had already been done.
I did as you said - changed zt1 route distance from 1 to 10.
Rebooted.
But still no luck.

As you said - I can see ZT routes now with a distance of 10 being added to routing table.
Dynamically added eth1 with 192.168.2.0/24 is still on distance 0 - this should be fine now.

Any further hint maybe?
 
Amm0
Forum Guru
Posts: 4089
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: ZeroTier --> 2 local subnets

Thu Nov 02, 2023 7:16 pm

Might want to post a sanitized config. e.g. Is ZeroTier interface ("zerotier1") also in the LAN interface group, along with ether1 and bridge?
 
TeWe
Frequent Visitor
Topic Author
Posts: 56
Joined: Tue Sep 12, 2023 1:27 pm

Re: ZeroTier --> 2 local subnets

Thu Nov 02, 2023 7:20 pm

I'd say I did this all:

/interface bridge add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no name=bridge protocol-mode=none
/interface ethernet set [ find default-name=ether1 ] name=eth1
/interface ethernet set [ find default-name=ether2 ] name=eth2
/interface ethernet set [ find default-name=ether3 ] name=eth3
/interface ethernet set [ find default-name=ether4 ] name=eth4
/interface wifiwave2 set [ find default-name=wifi1 ] name=wifi ...
/interface list add name=WAN
/interface list add name=LAN
/interface lte set [ find default-name=lte1 ] allow-roaming=yes apn-profiles=default band="" name=lte
/ip pool add name=pool ranges=192.168.88.100-192.168.88.199
/ip dhcp-server add address-pool=pool interface=bridge lease-time=15m name=dhcp
/zerotier set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" name=zt1 port=9993
/zerotier interface add allow-default=no allow-global=no allow-managed=yes disabled=no instance=zt1 name=zerotier network=xxx
/interface bridge port add bridge=bridge interface=eth2
/interface bridge port add bridge=bridge interface=eth3
/interface bridge port add bridge=bridge interface=eth4
/interface bridge port add bridge=bridge interface=wifi
/ip neighbor discovery-settings set discover-interface-list=LAN
/ipv6 settings set disable-ipv6=yes
/interface detect-internet set internet-interface-list=WAN
/interface list member add interface=bridge list=LAN
/interface list member add interface=lte list=WAN
/interface list member add interface=zerotier list=LAN
/interface list member add interface=eth1 list=LAN
/ip address add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip dhcp-client add add-default-route=no interface=eth1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 ntp-server=192.168.88.1
/ip dns set allow-remote-requests=yes
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
 
Amm0
Forum Guru
Posts: 4089
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: ZeroTier --> 2 local subnets

Thu Nov 02, 2023 7:34 pm

The eth1 network (from DHCP client) likely has no route back to the ZeroTier subnet (or 192.168.88.0/24). So your ping is likely getting to 192.168.2.0/24, but clients within that subnet have no idea of the route back via your Mikrotik (e.g. 192.168.2.0/24 client devices use that network's default gateway, which isn't your Mikrotik with ZT).

Two choices:
1. on the router that's the default for the 192.168.2.0 network, add a static route for the ZT subnet and 192.168.88.0/24.
2. add a /ip/firewall/nat rule, either src-nat+masquerade for src interface of zerotier1 (or a NAT masquerade rule on the 192.168.2.0/24 network would be a similar approach)
 
TeWe
Frequent Visitor
Topic Author
Posts: 56
Joined: Tue Sep 12, 2023 1:27 pm

Re: ZeroTier --> 2 local subnets

Thu Nov 02, 2023 8:27 pm

Sounds logical to me.

As I have no access to 192.168.2.0/24 router or any kind of configuration - only option 2a is left :-)
"add a /ip/firewall/nat rule src-nat+masquerade for src interface of zerotier1"
I have issues understanding your wording "src interface of zerotier"
Can you kindly give me a proper command for what you mean?
/ip firewall nat add action=masquerade chain=srcnat [...]
 
Amm0
Forum Guru
Posts: 4089
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: ZeroTier --> 2 local subnets  [SOLVED]

Thu Nov 02, 2023 8:33 pm

Yeah, I'm always hesitant to give an exact command since I never know what someone wants (and I forget the syntax without tab completion – "out-interface" is what I should have said).
It probably makes most sense to do it on eth1, so it should be:
/ip/firewall/nat/add action=masquerade chain=srcnat out-interface=eth1 place-before=0
notes:
- the place-before=0 just means "put it at top" of the other rules
- using eth1 since that's point where you do NOT control the routes – if you control the routing table...adding new routes is always better than masquerading.
Last edited by Amm0 on Thu Nov 02, 2023 8:40 pm, edited 1 time in total.
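Pulling the two changes from this thread together, here is a complete RouterOS 7 fragment as an added example; it is not TeWe's or Amm0's posted configuration. It sets the ZeroTier instance route distance above the DHCP-learned route (the load-balancing point raised earlier in the thread), adds the masquerade rule but restricts it to traffic sourced from the ZeroTier side (the rule as posted masquerades everything leaving eth1, including the 192.168.88.0/24 clients, which is wider than the problem needs), and ends with the print commands used to verify. Assumptions: the interface names come from TeWe's export ("zerotier", "eth1", instance "zt1"); the address-list entry is a labelled placeholder because the ZeroTier managed range is not given in the thread; the instance property name `route-distance` is my recollection of the RouterOS docs (Amm0 calls it default-route-distance), so confirm it with `/zerotier print`.

```routeros
# Added example, not configuration from the thread. Names assumed from TeWe's export:
# "zerotier" = ZeroTier interface, "eth1" = DHCP-client port in 192.168.2.0/24, "zt1" = instance.

# 1. Keep the ZeroTier-learned routes below the connected/DHCP routes so
#    192.168.2.0/24 is never load balanced between eth1 and the ZT interface.
#    Property name is an assumption from the RouterOS docs; check with: /zerotier print
/zerotier set zt1 route-distance=10

# 2. Address list holding the ZeroTier managed range.
#    PLACEHOLDER: replace 10.0.0.0/24 with the managed range shown in ZeroTier Central.
/ip firewall address-list add list=zt-subnets address=10.0.0.0/24 comment="ZeroTier managed range (placeholder)"

# 3. Masquerade only ZeroTier-sourced traffic as it leaves eth1. Hosts in 192.168.2.0/24
#    then see 192.168.2.10 as the source and can reply without a route back to ZT.
#    Narrower than out-interface=eth1 alone, which would also NAT the 192.168.88.0/24 clients.
/ip firewall nat add chain=srcnat action=masquerade out-interface=eth1 src-address-list=zt-subnets place-before=0 comment="ZT -> eth1 subnet (no control of routes on that side)"

# 4. Verification
#    Expect the DHCP/connected route at distance 0/1 and the ZT-learned route at 10:
/ip route print where dst-address=192.168.2.0/24
#    Packet/byte counters on the new rule should increase while pinging from a ZT client:
/ip firewall nat print stats
```

If you later get control of the 192.168.2.0/24 router, replace step 3 with a static route there for the ZeroTier range and 192.168.88.0/24 via 192.168.2.10, as Amm0 notes: adding routes keeps the real source addresses visible on that segment, which matters for its firewall logs and any per-host access rules.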
 
TeWe
Frequent Visitor
Topic Author
Posts: 56
Joined: Tue Sep 12, 2023 1:27 pm

Re: ZeroTier --> 2 local subnets

Thu Nov 02, 2023 8:39 pm

Ah okay, I've tried this before but also no luck.

[attached screenshot: 2023-11-02_19h36_28.png]

I still cannot ping anything on 192.168.2.0/24 coming out of my ZeroTier network.
 
TeWe
Frequent Visitor
Topic Author
Posts: 56
Joined: Tue Sep 12, 2023 1:27 pm

Re: ZeroTier --> 2 local subnets

Thu Nov 02, 2023 8:45 pm

Moment - this is weird.
 
Amm0
Forum Guru
Posts: 4089
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: ZeroTier --> 2 local subnets

Thu Nov 02, 2023 8:45 pm

Strange. Can you access anything on the 192.168.2.0/24 network from your ZeroTier client? Windows boxes often block ping, so if that's what you're testing, that could be the problem.

From the ZeroTier client, can you ping the Mikrotik's 192.168.2.10 address?
 
TeWe
Frequent Visitor
Topic Author
Posts: 56
Joined: Tue Sep 12, 2023 1:27 pm

Re: ZeroTier --> 2 local subnets

Thu Nov 02, 2023 8:55 pm

I took another Windows laptop which has a ZT client installed.
Connected to the same ZT network, checked managed routes there, all fine - et voilà - working!
For test purposes I quickly disabled your NAT rule - no more working.
Enabling again - working :-)

Why I said "weird":
I was on a different laptop before, which goes to internet via an RB5009 which also has ZT installed and configured properly (I was hoping).
It is still not working from behind this RB5009...
Default ZT config of RB5009:
/zerotier interface add allow-default=no allow-global=no allow-managed=yes disabled=no instance=zt1 name=zerotier network=xxx
All other ZT related configs and stuff are working fine - just not this access to 192.168.2.0/24
I didn't manage to find a ZT cli command to show received managed routes...
 
TeWe
Frequent Visitor
Topic Author
Posts: 56
Joined: Tue Sep 12, 2023 1:27 pm

Re: ZeroTier --> 2 local subnets

Thu Nov 02, 2023 9:10 pm

Okay I found the problem:
For whatever reason, my RB5009's ZT didn't get this specific (new) managed route 192.168.2.0/24 via [IP of ZT gw]
I've restarted the zt1 instance on the RB5009 and now it knows this route and all devices behind the RB5009 can access 192.168.0.2/24 👍

Big THANK YOU Amm0 for helping out beginners like me with a simple NAT rule :-)
I really appreciate it.
 
Amm0
Forum Guru
Posts: 4089
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: ZeroTier --> 2 local subnets

Thu Nov 02, 2023 9:47 pm

What's ironic is ZeroTier is still one of the easiest VPNs to set up. It really does just mimic an Ethernet switch, so it's the IP routing (and/or NAT'ing) stuff where things get complex in any VPN.

The received routes from ZT would be shown in /ip/route/print (or netstat -r on other OSes). Now, I'm not sure why the received routes wouldn't just appear. Disabling/enabling the zt1 instance would also cause a refresh of the routes without a reboot. But also sometimes winbox isn't always great at refreshing routing too.
