NA9D
Frequent Visitor
Topic Author
Posts: 74
Joined: Sat Jan 18, 2025 6:58 pm

Question on using the Internal Zerotier Controller

Sun Feb 02, 2025 5:30 pm

Hey all,

I'm experimenting with Zerotier and have been following the steps listed in the documentation at: https://help.mikrotik.com/docs/spaces/R ... Controller

I've successfully created a Zerotier connection using the Zerotier Central portal. I've also successfully created a connection using the controller example in the documentation. But I want to take it a step further.

First of all, in the documentation, they set up the network like this:
controller/add name=ZT-private instance=zt1 ip-range=172.27.27.10-172.27.27.20 private=yes routes=172.27.27.0/24
That's fine but the problem is, while I get access to anything in the 172.27.27.0/24 network, packets are not routed to my LAN. My LAN is at 192.168.0.0/23. On top of that, I have a second address space on VLANs using the 10.0.0.0/8 network.

The documentation states:
routes (IP@GW; Default: ) Push routes in the following format:
Routes ::= Route[,Routes]
Route ::= Dst[@Gw]
But it seems like if I try anything other than the example format of just the Zerotier address space, I get no IP address assigned. Something is broken. I've tried things like this:
controller/add name=ZT-Test instance=zt1 ip-range=172.27.10.30-172.27.10.40 private=yes routes=17.27.10.0/24,192.168.0.0/23,10.0.0.0/8    
or
controller/add name=ZT-Test instance=zt1 ip-range=172.27.10.10-172.17.10.20 private=yes routes=172.27.10.0/24,0.0.0.0/0@172.27.10.11 
or
controller/add name=ZT-Test instance=zt1 ip-range=172.27.10.10-172.17.10.20 private=yes routes=172.27.10.0/24,192.168.0.0/23@172.27.10.11,10.0.0.0/8@172.27.10.11
In all of these cases, I fail to get an IP address handed out... Obviously I am doing something incorrect.

Where am I going wrong?

Thanks!

Jon
 
Larsa
Forum Guru
Posts: 1703
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Question on using the Internal Zerotier Controller

Sun Feb 02, 2025 11:28 pm

Well, to begin with, the documentation for the controller is a masterpiece of vagueness, to say the least. 😉 Unfortunately, the people who wrote it forgot to include an example of how to add a route to a gateway. The only cryptic and inconsistent explanation you get is:

ZeroTier routing code

routes (IP@GW; Default: )  Push routes in the following format:
                            Routes ::= Route[,Routes]
                            Route ::= Dst[@Gw]
Let's say 172.27.27.11 is the ZeroTier address of the node that acts as the gateway to your LAN 192.168.0.0/23. Then you should write it exactly the way you did earlier, i.e. 'routes = 192.168.0.0/23@172.27.27.11, ...' Also, make sure your firewall allows forwarding between the related subnets.

Are the clients able to connect to the ZT network, and what does the routing table look like?
 
NA9D
Frequent Visitor
Topic Author
Posts: 74
Joined: Sat Jan 18, 2025 6:58 pm

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 1:32 am

When I set the config up like that, I don't get an IP Address assigned to the router's ZT client. Nothing gets assigned. I assumed I was doing something wrong.

As far as forwarding between subnets - not sure. I've got multiple subnets on the router already. I don't have an issue with those or when using a Wireguard VPN either. Is there another firewall config that is needed for ZT? I added the one shown in the ZT documentation.
 
lurker888
Frequent Visitor
Posts: 74
Joined: Thu Mar 02, 2023 12:33 am

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 3:52 am

The guys at Mikrotik are various levels of user friendliness :-). The given example is one such. Actually it is exact and not in the least vague. The given syntax is written in the so-called Backus-Naur form. (https://en.wikipedia.org/wiki/Backus%E2%80%93Naur_form)

I've used the controller and it works reliably and exactly as it should.

You probably have to go over the tutorial step-by-step. For example: is the client showing up? Is its access restricted (a client has to be allowed into a private network)? Is an address assigned to it on the controller side?
 
NA9D
Frequent Visitor
Topic Author
Posts: 74
Joined: Sat Jan 18, 2025 6:58 pm

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 4:01 am

I have followed the tutorial exactly. When I enter the steps exactly like they say and with the route example they use (and I've tried it with multiple different IP subnets) things work fine and the instance of the router is given an IP address. It's when I try to add the extra routes that I get zero IP addresses handed out. I'm more than happy to post a transcript of my terminal session...
 
NA9D
Frequent Visitor
Topic Author
Posts: 74
Joined: Sat Jan 18, 2025 6:58 pm

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 4:08 am

Here's an example of one of my attempts at this. Excuse some of the typos in the terminal session! In this case, I tried to add a global 0.0.0.0/0 route to the 172.27.10.11 address.
[admin@MikroTik] /zerotier> controller/add name=ZT-NA9D instance=zt1 ip-range=172.27.10.10-172.17.10.20 private=yes routes=172.27.10.0/24,0.0.0.0/0@172.27.10.11 
[admin@MikroTik] /zerotier> controller/print
Flags: I - INACTIVE
Columns: INSTANCE, NAME, PRIVATE
#   INSTANCE  NAME     PRIVATE
0 I zt1       ZT-NA9D  yes    
[admin@MikroTik] /zerotier> controller/print
Flags: I - INACTIVE
Columns: INSTANCE, NAME, PRIVATE
#   INSTANCE  NAME     PRIVATE
0 I zt1       ZT-NA9D  yes    
[admin@MikroTik] /zerotier> controller/print
Columns: INSTANCE, NAME, NETWORK, PRIVATE
# INSTANCE  NAME     NETWORK           PRIVATE
0 zt1       ZT-NA9D  5fb30d356dc2cd47  yes    
[admin@MikroTik] /zerotier> interface/add network=5fb30d356dc2cd47 name=NA9DNET instance=zt1
[admin@MikroTik] /zerotier> print interval=1
Flags: R - ONLINE; F - TCP-FALLBACK
Columns: NAME, PORT
#    NAME  PORT
;;; ZeroTier Central controller - https://my.zerotier.com/
0 RF zt1   9993

[admin@MikroTik] /zerotier> interface/print interval=1
Columns: NAME, MAC-ADDRESS, NETWORK, STATUS
# NAME     MAC-ADDRESS        NETWORK           STATUS       
0 NA9DNET  46:92:71:60:00:60  5fb30d356dc2cd47  ACCESS_DENIED

[admin@MikroTik] /zerotier> controller/member/print
Columns: NETWORK, ZT-ADDRESS
#  NETWORK  ZT-ADDRESS
0  ZT-NA9D  5fb30d356d
[admin@MikroTik] /zerotier> controller/member/set 0 authroized=yes
expected end of command (line 1 column 25)
[admin@MikroTik] /zerotier> controller/member/print               
Columns: NETWORK, ZT-ADDRESS
#  NETWORK  ZT-ADDRESS
0  ZT-NA9D  5fb30d356d
[admin@MikroTik] /zerotier> controller/member/set 0 authorized=yes
[admin@MikroTik] /zerotier> /ip/address/print where interface~"Zero" 

[admin@MikroTik] /zerotier> /ip/address/print where interface~"Zero"

[admin@MikroTik] /zerotier> /ip/address/print where interface~"Zero"

 
lurker888
Frequent Visitor
Posts: 74
Joined: Thu Mar 02, 2023 12:33 am

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 4:18 am

Excuse some of the typos in the terminal session! In this case
I demand that you smash one of our fingers with a claw hammer mob-style.
[admin@MikroTik] /zerotier> interface/print interval=1
Columns: NAME, MAC-ADDRESS, NETWORK, STATUS
# NAME     MAC-ADDRESS        NETWORK           STATUS       
0 NA9DNET  46:92:71:60:00:60  5fb30d356dc2cd47  ACCESS_DENIED
There's your answer: ACCESS_DENIED clients are, well, denied access. You have to (in the controller configuration) print out the members and set the client to be allowed to join.
 
NA9D
Frequent Visitor
Topic Author
Posts: 74
Joined: Sat Jan 18, 2025 6:58 pm

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 4:24 am

No. I did. That's one of the steps. When you first add the network you are denied. But then you add it:
Columns: NAME, MAC-ADDRESS, NETWORK, STATUS
# NAME     MAC-ADDRESS        NETWORK           STATUS       
0 NA9DNET  46:92:71:60:00:60  5fb30d356dc2cd47  ACCESS_DENIED
So yes. Here it is access denied. Now you go and list the members under the controller and then authorize the correct one.

[admin@MikroTik] /zerotier> controller/member/print               
Columns: NETWORK, ZT-ADDRESS
#  NETWORK  ZT-ADDRESS
0  ZT-NA9D  5fb30d356d
[admin@MikroTik] /zerotier> controller/member/set 0 authorized=yes


There. Now it is authorized. So I should get an IP address, but I don't...

[admin@MikroTik] /zerotier> /ip/address/print where interface~"Zero" 


I knew this was going to trip you up. ;)
 
lurker888
Frequent Visitor
Posts: 74
Joined: Thu Mar 02, 2023 12:33 am

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 4:41 am

After authorization, you should see an ip address being assigned in the controller/member area. I don't know how frequently the client tries to reconnect; maybe you should try disabling/enabling the zt interface.

EDIT:
And in case you're adding this member as a gw of a route, you really would want to manually assign an ip address to it, similar to where you did authorized=yes.

Again, the documentation is at a minimum, but what is provided there is actually correct.
 
NA9D
Frequent Visitor
Topic Author
Posts: 74
Joined: Sat Jan 18, 2025 6:58 pm

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 4:49 am

Well, that "client" is the router itself. My point is that when the extra routes are added, an IP address is never assigned. I'm happy to try it all over again for the tenth time. The IP address is assigned rapidly when using the example setup. So I don't think that it is taking a while.
 
Amm0
Forum Guru
Posts: 4498
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 4:50 am

The guys at Mikrotik are various levels of user friendliness :-). The given example is one such. Actually it is exact and not in the least vague.
LOL, so true. But a short example wouldn't hurt... And they do check the BNF in the docs exactly – including the [@Gw] – but what happens without a route destination is pretty unclear...

And they do seem to validate it, exactly, so you need a valid ip-prefix/ip6-prefix. But if you don't include the @ route part, that is accepted although unclear what happens.

What I love is they do resolve a classFULL shortcut as a prefix, just like everywhere else in the CLI, but boy, some typo in a classless IP most folks won't expect it:
/zerotier/controller
# as array
set [find] routes=("2.0/24@10.1.1.1","17.0/8@10.1.1.1")
# or as string
set [find] routes="2.0/8@10.1.1.1,17.0/8@10.1.1.1"
# both forms work - so routes US military and Apple IPs to a ZT member at 10.1.1.1
# & resolve the 2.0 into 2.0.0.0, so that consistent at least (although still questionable in my book)
:put [get [find] routes]
2.0.0.0/8@10.1.1.1;17.0.0.0/8@10.1.1.1
 
NA9D
Frequent Visitor
Topic Author
Posts: 74
Joined: Sat Jan 18, 2025 6:58 pm

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 4:57 am

/zerotier/controller
# as array
set [find] routes=("2.0/24@10.1.1.1","17.0/8@10.1.1.1")
# or as string
set [find] routes="2.0/8@10.1.1.1,17.0/8@10.1.1.1"
# both forms work - so routes US military and Apple IPs to a ZT member at 10.1.1.1
# & resolve the 2.0 into 2.0.0.0, so that consistent at least (although still questionable in my book)
:put [get [find] routes]
2.0.0.0/8@10.1.1.1;17.0.0.0/8@10.1.1.1
Oh- so you can come back after the fact and add the routes? That was what I wasn't sure how to do.

So you would use
zerotier/controller/set [find] routes = "10.0.0.0/8@172.27.10.2"
Like that?

I'm a little confused by the "[find]" in the command. What is that for?
 
lurker888
Frequent Visitor
Posts: 74
Joined: Thu Mar 02, 2023 12:33 am

Re: Question on using the Internal Zerotier Controller  [SOLVED]

Mon Feb 03, 2025 5:12 am

For me everything works just fine.

Commands:
/zerotier/controller/set 0 private=yes ip-range=172.30.30.100-172.30.30.100 routes=172.30.30.0/24,0.0.0.0/0@172.30.30.1
/zerotier/controller/member/set 0 authorized=yes ip-address=172.30.30.1
Afterwards:
> /zerotier/controller/member/print
Flags: A - AUTHORIZED
Columns: NETWORK, ZT-ADDRESS, IP-ADDRESS
#    NETWORK  ZT-ADDRESS  IP-ADDRESS 
0 A  tst      23221c3302  172.30.30.1

> /ip/address/print
Flags: I - INVALID; D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#    ADDRESS            NETWORK        INTERFACE            
[...]
8  D 172.30.30.1/24     172.30.30.0    zerotier1

> /ip/route/print
Flags: D - DYNAMIC; X - DISABLED, I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS       GATEWAY                DISTANCE
[...]
  DAc 172.30.30.0/24    zerotier1                     0
[...]
I didn't set "allow default" in the zerotier interface config, that's why the default route is not added.

This all seems quite fine to me.
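An offline sanity check for the controller parameters this thread turns on. It is an added Python example, not code from the thread or from MikroTik: it parses the documented grammar Routes ::= Route[,Routes], Route ::= Dst[@Gw] and the ip-range=START-END form, expands the classful shorthand Amm0 mentions, and reports the pitfalls discussed above (a gateway that should be pinned with member ip-address=, a LAN prefix pushed without @Gw, and an inverted ip-range like the one typed in the earlier transcript).

```python
"""Offline checks for a RouterOS /zerotier/controller entry (added example)."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address]]


def expand_classful(addr: str) -> str:
    """RouterOS pads short dotted forms ('2.0' -> '2.0.0.0'); do the same here."""
    parts = addr.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad IPv4 address {addr!r}")
    return ".".join(parts + ["0"] * (4 - len(parts)))


def parse_route(text: str) -> Route:
    """Parse one Route ::= Dst[@Gw] element (IPv4 only in this example)."""
    dst, _, gw = text.strip().partition("@")
    prefix, _, length = dst.partition("/")
    if not length:
        raise ValueError(f"route {text!r}: Dst must be a prefix like 172.27.27.0/24")
    # strict=True rejects host bits in the prefix, e.g. 172.27.27.1/24
    net = ipaddress.IPv4Network(f"{expand_classful(prefix)}/{length}", strict=True)
    gateway = ipaddress.IPv4Address(expand_classful(gw)) if gw else None
    return net, gateway


def parse_routes(routes: str) -> List[Route]:
    """Split Routes ::= Route[,Routes] on the comma separator."""
    return [parse_route(r) for r in routes.split(",") if r.strip()]


def parse_ip_range(ip_range: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Parse ip-range=START-END and reject an inverted range."""
    lo_s, sep, hi_s = ip_range.partition("-")
    if not sep:
        raise ValueError(f"ip-range {ip_range!r}: expected START-END")
    lo = ipaddress.IPv4Address(lo_s.strip())
    hi = ipaddress.IPv4Address(hi_s.strip())
    if hi < lo:
        raise ValueError(f"ip-range end {hi} is below start {lo}")
    return lo, hi


def check_controller(ip_range: str, routes: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    try:
        lo, hi = parse_ip_range(ip_range)
        parsed = parse_routes(routes)
    except ValueError as exc:
        return [f"invalid: {exc}"]
    findings: List[str] = []
    # The ZeroTier prefix itself is the gateway-less route that contains ip-range.
    zt_prefixes = [net for net, gw in parsed if gw is None and lo in net and hi in net]
    if not zt_prefixes:
        findings.append(
            f"no gateway-less route contains ip-range {lo}-{hi}; members get an "
            "address but no on-link ZeroTier prefix")
    for net, gw in parsed:
        if gw is None:
            if net not in zt_prefixes:
                findings.append(
                    f"{net} has no @Gw, so it is pushed as an on-link route over "
                    "the ZeroTier interface; add @<member-ip> to route via a member")
        elif not any(gw in p for p in zt_prefixes):
            findings.append(f"gateway {gw} for {net} is not inside the ZeroTier prefix")
    # A gateway member must hold exactly that address; auto-assignment from
    # ip-range does not guarantee it, so pin it on the member (as in the thread).
    for gw in sorted({gw for _, gw in parsed if gw is not None}):
        if any(gw in p for p in zt_prefixes):
            where = "inside" if lo <= gw <= hi else "outside"
            findings.append(
                f"pin gateway {gw} ({where} ip-range) on its member: "
                f"controller/member/set <id> authorized=yes ip-address={gw}")
    return findings


if __name__ == "__main__":
    # Constructed inputs taken from the configurations quoted in this thread.
    for rng, rts in [
        ("172.27.27.10-172.27.27.20", "172.27.27.0/24"),
        ("172.30.30.100-172.30.30.100", "172.30.30.0/24,0.0.0.0/0@172.30.30.1"),
        ("172.27.10.10-172.17.10.20", "172.27.10.0/24,0.0.0.0/0@172.27.10.11"),
    ]:
        print(rng, rts, check_controller(rng, rts) or ["ok"])
```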
 
NA9D
Frequent Visitor
Topic Author
Posts: 74
Joined: Sat Jan 18, 2025 6:58 pm

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 5:14 am

Hmm.

OK. Interesting...I'll try it again...

Could it be that since you are specifying a specific gateway IP address in the ZeroTier subnet that the router doesn't do a DHCP assignment but instead is expecting a fixed IP?
 
NA9D
Frequent Visitor
Topic Author
Posts: 74
Joined: Sat Jan 18, 2025 6:58 pm

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 5:25 am

Wait a minute...

Looking at your entries:
/zerotier/controller/set 0 private=yes ip-range=172.30.30.100-172.30.30.100 routes=172.30.30.0/24,0.0.0.0/0@172.30.30.1
/zerotier/controller/member/set 0 authorized=yes ip-address=172.30.30.1
You set the IP address of the router OUTSIDE of the IP address range specified for the ZT network. Is that allowed?
 
lurker888
Frequent Visitor
Posts: 74
Joined: Thu Mar 02, 2023 12:33 am

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 5:29 am

DHCP is never used in ZT. It is explicitly filtered in all ZT networks. (It's part of the "source" distribution for all ZT clients. The designers thought that it would be a security threat when joining networks run by people you don't really trust. Many people use ZT, for example, to run Minecraft servers for ad-hoc groups of people.)

All addresses are assigned by the controller. If unspecified, one from the ip-range is assigned.

EDIT:
Yes, you can give out any address you want. The ip-range is for automatic assignment.
 
NA9D
Frequent Visitor
Topic Author
Posts: 74
Joined: Sat Jan 18, 2025 6:58 pm

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 5:37 am

HEY! That worked!!!! WOOT!

Lurker888, thank you once again. And thanks to the others here as well. Looks like the key is that if you specify additional routes with a gateway address, you MUST assign that gateway address to whatever member is functioning as the gateway - it takes a static assignment. It makes sense too. The docs just had no example about that so it wasn't clear...
 
lurker888
Frequent Visitor
Posts: 74
Joined: Thu Mar 02, 2023 12:33 am

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 5:52 am

Glad it works. :-)

But your explanation is off. (Using the same config.) If I delete the member, rejoin, and don't give it an explicit IP address assignment, I get:
 > /zerotier/controller/member/print
Flags: A - AUTHORIZED
Columns: NETWORK, ZT-ADDRESS, IP-ADDRESS
#    NETWORK  ZT-ADDRESS  IP-ADDRESS   
0 A  tst      23221c3302  172.30.30.100

/ip/address/print
Flags: I - INVALID; D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#    ADDRESS            NETWORK        INTERFACE                           
[...]
8  D 172.30.30.100/24   172.30.30.0    zerotier1

/ip/route/print
Flags: D - DYNAMIC; X - DISABLED, I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS       GATEWAY                DISTANCE
[...]
  DAc 172.30.30.0/24    zerotier1                     0
[...]
So it's assigned the first address in the automatically assigned range.

Of course with this setup, the default route - if it was accepted - couldn't be resolved. That's why it's natural to give a fixed IP to something used as a gateway... But it still works as it should.

Something else was off. We may never know exactly.
Last edited by lurker888 on Mon Feb 03, 2025 5:58 am, edited 2 times in total.
 
NA9D
Frequent Visitor
Topic Author
Posts: 74
Joined: Sat Jan 18, 2025 6:58 pm

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 5:53 am

OK. Strange. I'll try creating another network and seeing if I can duplicate my problem...
 
lurker888
Frequent Visitor
Posts: 74
Joined: Thu Mar 02, 2023 12:33 am

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 5:58 am

Just an unrelated note: If you have a routable WAN address (even if dynamic), you should open port 9993/udp for the ZeroTier service. This enables other clients on the network (even if they are behind NAT) to make a direct connection and not have to use relays. You should especially open this port if your device functions as a controller for a network.
 
NA9D
Frequent Visitor
Topic Author
Posts: 74
Joined: Sat Jan 18, 2025 6:58 pm

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 6:07 am

First of all - thanks for the tip on opening the port on the router. Open on the WAN side - yes?

I just tried it again this time w/o entering the address and yeah, it worked - assigned an IP. OK. I have no idea where the cockpit error was. Oh well.
 
lurker888
Frequent Visitor
Posts: 74
Joined: Thu Mar 02, 2023 12:33 am

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 6:19 am

First of all - thanks for the tip on opening the port on the router. Open on the WAN side - yes?
Yeah. Well, actually I mean from everywhere, so in the input chain without additional filters. (The reason being that it's not uncommon to have a zt connection from inside your own network. In this case ZT will discover that you're actually on a common LAN and send traffic directly, but still encrypted/authenticated. Although this is not your current use case, actually this happens quite a lot, because many people use zt for access to the management network/vlan of their devices, because once it's configured correctly, why not use it for access control even internally.)
I just tried it again this time w/o entering the address and yeah, it worked - assigned an IP. OK. I have no idea where the cockpit error was. Oh well.
It may be some bug. It's quite common to see them discovered when someone is configuring something for the first time, because they do a lot of bad or unexpected things, and try so repeatedly.
 
Amm0
Forum Guru
Posts: 4498
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 6:27 am

FWIW, I do have a test script I've used before to enable the controller. I changed it to more closely match mikrotik instructions.

You should be able to cut-and-paste to /system/script, then run the system script. That will output the current ZT configuration things.

To set up a new fresh controller, you'd /system/script run <script_name> at the CLI. Then use
[me@forum]> $ztcontroller make

Or to remove the controller setup, like in a test environment...
[me@forum]> $ztcontroller clean

To print the controller setup again, use
[me@forum]> $ztcontroller print

Not entirely the best script, but I recall there being some timing issue if you try to run the commands too close together. So maybe that's why folks see some oddities there.
:global ztcontroller do={
    :if ($1 = "make") do={
        :put "check zerotier instance 'zt1' is enabled"
        /zerotier
        :if ([:len [/zerotier/find]] != 1) do={:error "error - zerotier instance is not enabled"}
        :local ztinstance [find]

        :put "adding new controller..."
        /zerotier/controller
        :if ([:len [find]]>0) do={:error "error - already controller"}
        :local ztcid [add name="ztc1" instance=$ztinstance ip-range=172.27.27.10-172.27.27.20 private=yes routes=172.27.27.0/24]
        :local ztnetworkid [get $ztcid network]

        :put "adding routeros interface for itself to controller..."
        :delay 5s
        /zerotier/interface
        :local ztifaceid [add network=$ztnetworkid name="ztc-router" instance=$ztinstance]
        
        :put "authorizing interface to access controller (please wait)"
        :delay 5s
        /zerotier/controller/member
        set [find authorized=no] authorized=yes
    }
    :if ($1 = "clean") do={
        /zerotier enable [find disabled] 
        /zerotier/interface remove [find name="ztc-router"]
        /zerotier/controller remove [find] 
        /zerotier/controller/member remove [find]
    }
    :if ($1 = "print") do={
        /zerotier
        :put "\tINSTANCE"
        print detail
        :put "\tCONTROLLER"
        controller/print detail
        :put "\tLOCAL CONTROLLER MEMBERS"
        controller/member/print detail
        :put "\tINTERFACE TO ROUTER"
        interface/print detail where name="ztc-router"
        :put "\tINTERFACE IP ADDRESS"
        /ip/address/print where interface="ztc-router"
        :put "\tZEROTIER ROUTES"
        /ip/route/print where dynamic gateway="ztc-router"
    }
}

# to setup a new one, use "make" as argument & uncomment below

# $ztcontroller make

# to remove the controller, use "clean" in above instead of "make"

# always output when run
$ztcontroller print


And also I do recall oddities if you try to "set up again" without actually removing all the members or the instance that used it. Or something like that. That's why there is a script to remove it too, and setup was automated...
 
Amm0
Forum Guru
Posts: 4498
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 6:44 am

/zerotier/controller
# as array
set [find] routes=("2.0/24@10.1.1.1","17.0/8@10.1.1.1")
# or as string
set [find] routes="2.0/8@10.1.1.1,17.0/8@10.1.1.1"
# both forms work - so routes US military and Apple IPs to a ZT member at 10.1.1.1
# & resolve the 2.0 into 2.0.0.0, so that consistent at least (although still questionable in my book)
:put [get [find] routes]
2.0.0.0/8@10.1.1.1;17.0.0.0/8@10.1.1.1
Oh- so you can come back after the fact and add the routes? That was what I wasn't sure how to do.

So you would use
zerotier/controller/set [find] routes = "10.0.0.0/8@172.27.10.2"
Like that?

I'm a little confused by the "[find]" in the command. What is that for?
Yup you can use that to update the routes later.

On [find]... All configuration has some .id (like with a * shown with "print show-ids"), and find will look up those .id for something. The reason to do this is that someone may cut-and-paste something here and change the name from "zt1" or may already have a "zerotier1", etc. Since you should have only one of these things, the [find] will get the one item whatever it's named. But a plain [find] means "all items" (and you can use it to filter the items returned too – here I'm lazy since there is only one item).

Also, I dug up the script since I wasn't sure what happened without the destination part (i.e. @172.27.10.2 syntax). What happens WITHOUT the @ part is RouterOS will add an interface route, so it will use the dynamically assigned IP. Thus ip-address was technically not needed when you do NOT use the @172... on the routes.

Personally, I think it's better to set ip-address, so the router gets a fixed address & docs should discuss and show using ip-address - you're setting up a NEW network and RouterOS is likely to be the default route so the example should set it to .1. But, as a technical point, their instructions as-is do work.
 
lurker888
Frequent Visitor
Posts: 74
Joined: Thu Mar 02, 2023 12:33 am

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 7:17 am

Personally, I think it's better to set ip-address, so the router gets a fixed address & docs should discuss and show using ip-address - you're setting up a NEW network and RouterOS is likely to be the default route so the example should set it to .1. But, as a technical point, their instructions as-is do work.
I think Mikrotik generally has good *reference* documentation. I also think that it would actually mean increased sales for them if they provided handbook-style documentation as well, that would walk people through creating their first networks, vlans, etc. About 90% of the questions on this forum are about the same 10 topics, so discussing these at length, with examples (and yes, educating the reader in basic concepts regarding networking in the meantime) would be welcomed by many.

EDIT:
For example I walked NA9D through some basic first steps with his router, such as: how to update software (yes, you have to update routerboot separately...), how to install packages, partition the device, create exports/backups, what the difference is, device-mode, to lock the rb5009 to a fixed cpu frequency... And there really is no piece of documentation that would discuss this in an article, and I really think there should be one. These are basically steps that everyone has to go through before they can make effective use of their devices.
 
Larsa
Forum Guru
Posts: 1703
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 12:47 pm

I completely agree, especially regarding the steps to establish a good baseline. All major players such as Cisco, Juniper, and others provide clear guidelines for the initial setup. I mean, how hard can it be? ;)

Regarding the handbook (I assume you're referring to a user guide), it's a great idea. It would also be beneficial if MT adopted the "Specification by Example" principle to ensure relevant examples are included in the online documentation. IMO, MikroTik should take a cue from Microsoft by allowing users to comment on documentation, which has significantly improved over time thanks to ongoing feedback.

As for cryptic and inconsistent explanations, I wasn't referring to the BNF notation itself but rather to the text in Property/Description, specifically: "IP@GW" → Route ::= "Dst[@Gw]" which also lacks further clarification beyond "Push routes in the following format:" A few examples in the "Description," similar to "ip6-range," would have been sufficient to clarify the syntax.
 
anav
Forum Guru
Posts: 22387
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 4:32 pm

Okay, I had to read the docs to understand the use of the word controller. It would seem one can 'bypass' the zerotier site for setup and do it mostly on the mikrotik device.
Does this mean one is still using zerotier servers? How is information protected/encrypted using the controller?
Do you need a public IP address to run the controller?
Is this now the best way to provide any servers to external users (no port exposure)?
 
NA9D
Frequent Visitor
Topic Author
Posts: 74
Joined: Sat Jan 18, 2025 6:58 pm

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 4:41 pm

The ZT servers are still in use. The docs mention this:
A common misunderstanding is to conflate network controllers with root servers (planet and moons). Root servers are connection facilitators that operate at the VL1 level. Network controllers are configuration managers and certificate authorities that belong to the VL2 level. Generally, root servers don’t join or control virtual networks and network controllers are not root servers, though it is possible to have a node do both.
The ZT site is easy to use but for more control and customization, using the controller in the Mikrotik router is way better for multiple reasons...
 
Amm0
Forum Guru
Posts: 4498
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 6:05 pm

1000% agree on overall need for "non-reference manual" presentation in docs, whether "user guide"/"by examples"/KBs, whatever... just there is a void between the "per command" view today and how to setup & use the router.

On ZT controller docs...
The ZT servers are still in use. The docs mention this:
@anav, works same, so no public IP should be "required".

The big difference from WG config is that instead of the various keys and network needing to match like in WG... With ZeroTier (including your own controller) all the "client"/peers need to know is the ONE /zerotier/controller's network= value. Unlike WG, authorization happens via the RouterOS CLI — once the client tries to connect — you use the /zerotier/controller/member commands above/docs to set "authorized=yes" on the "member" (of the controller's managed network). There are really only two numbers, address of peer & [controller] network id. The client's address is provided when the client tries to connect to a network, so the client "zt-address" gets populated automatically by RouterOS, so you likely don't need to care as much about that one.

Still the docs should mention that you can "pre-authorize" a peer to use the Mikrotik controller, if the user provides their client's network address shown in the ZeroTier client app. On Mac, if you select "My Address" from the taskbar menu for the ZeroTierOne client, it will copy to the clipboard. Then to use the client's address to create a peer - before it connects, so it is authorized when it does - you can use the following:
:global clientztaddress "1fcfake1b8"
/zerotier/controller/member/add zt-address=$clientztaddress authorized=yes name=mymaczerotier disabled=no network=[../find disabled=no]    
:put "In ZeroTier client, use 'Join' with network of: $[[/zerotier/controller/get [/zerotier/controller/find disabled=no] network]]"
In ZeroTier client, use 'Join' with network of: 847fake01fakecad
And then on Mac (or PC), to connect to that network, you need the "network id" for it. That is in /zerotier/controller/print, but you can use the above :put to display it.

The other detail the docs could mention is that the name to use in the /zerotier/controller's name= is what is displayed in all client apps as the "friendly name" of the network.

And also, that the controller will automatically assign IP addresses to peers within the ip-range= (and on any "member"/peer you can set an ip-address= to make a particular peer act like "static DHCP"). You kinda have to infer that a bit too much from the list of attributes.

The ZT site is easy to use but for more control and customization, using the controller in the Mikrotik router is way better for multiple reasons...
Control, yes. But I don't know about more customization. i.e. There are flow rules on their controller. And the CLI does take some time to get used to if you normally use winbox (aka @anav) - since the controller does not have a webfig/winbox UI.

Just to highlight, once again, a gripe of mine is that Mikrotik's ZT client does not support low-bandwidth, bonding, etc. as a "full" ZT client on PC/Mac does. And these restrictions still come in when using the controller, as traffic will go via the interface, not the controller.
 
Larsa
Forum Guru
Posts: 1703
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 6:23 pm

@NA9D - Unfortunately, you're still a bit limited when it comes to running fully autonomous operations since ROS doesn't let you configure root servers.

But with your own ZeroTier controller and ZeroUI, you not only get a slick web interface, but you also have full control over network rules, authentication, API access, and automation without restrictions. And you get better privacy and security too if that’s important to you.
 
anav
Forum Guru
Posts: 22387
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 6:27 pm

Thanks AMMO, so the controller is limited to CLI, is there a sense it will migrate to Winbox eventually? Will stick to the non-self-controller option, especially since the benefit is tied to using a third party git program which also has to be loaded onto docker??
Last edited by anav on Mon Feb 03, 2025 6:30 pm, edited 1 time in total.
 
Larsa
Forum Guru
Posts: 1703
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 6:27 pm

Just to highlight, once again, a gripe of mine is that Mikrotik's ZT client does not support low-bandwidth, bonding, etc. as a "full" ZT client on PC/Mac does. And these restrictions still come in when using the controller, as traffic will go via the interface, not the controller.

Yeah, unfortunately. Guess we can always hope that MT fixes this someday.
 
Larsa
Forum Guru
Posts: 1703
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 6:30 pm

Thanks AMMO, so the controller is limited to CLI, is there a sense it will migrate to Winbox eventually?

Way too complex, so I don’t think so. But you can add your own web-based manager: ZeroUI.
 
Amm0
Forum Guru
Posts: 4498
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 6:40 pm

Well, I'm actually surprised it's not in the UI.

AFAIK, the winbox/webfig UI is, mostly, automatic from the schema. And the current implementation of the controller only lets you set half a dozen attributes & all are pretty "regular" from the RouterOS schema. Perhaps other than our BNF friend routes=, but even with that winbox should know it's an array type and do multiple dropdowns with strings.

I do suspect the CLI-only-ness of the controller substantially limits its usage on RouterOS. That, and the applications of /zerotier/controller are not well described in the docs (i.e. using ZeroTier "roots" for hole-punching, but you can manage the users on RouterOS (instead of at my.zerotier.com)... so it actually becomes kinda like BTH).
@NA9D - Unfortunately, you're still a bit limited when it comes to running fully autonomous operations since ROS doesn't let you configure root servers.
And that's also why a public IP shouldn't be required when using /zerotier/controller to manage your own peers, as asked by @anav ;). Although, of course, it'd be more reliable if you did have a public IP (and the ZT port explicitly opened to WAN).
 
anav
Forum Guru
Posts: 22387
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 6:51 pm

The most practical application I can think of is my intention to host an NAS for images/video, and have it accessible by globally located family members etc.
Zerotier may be the best way to allow users to access, load, organize etc.............. my only concern is inadvertent deletion of files..........
 
Amm0
Forum Guru
Posts: 4498
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 7:05 pm

The most practical application I can think of is my intention to host an NAS for images/video, and have it accessible by globally located family members etc.
Zerotier may be the best way to allow users to access, load, organize etc.............. my only concern is inadvertent deletion of files..........
For that the normal ZT method would be fine IMO. The client setup is trivial: your family member installs ZeroTierOne, clicks "Join Network", and uses the "Network ID" that you've given them. The client actually does not care if you're using your own controller, or ZeroTier's cloud one - it's still some globally unique network ID.

I guess we're past Christmas... but buying your family members an @anav-configured hAPaxLite to put on their remote LAN side would allow you to test the variety of VPNs you've explored over the years for this use case ;). You'd start with WG I'd imagine on these gifted hAPaxLites connected to your (old?) Tile router as the family "hub" & I suspect you can add disks to your Tile and the ROSE package to do a NAS.... Once you had WG on it, you can always add other VPNs to your guinea pig family members.
 
Larsa
Forum Guru
Posts: 1703
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 7:07 pm

@anav - If I were you, I'd ditch the self-hosted controller and just use the cloud-based one (my.zerotier.com). Regarding your files, just: "# chmod +r *". Fixed! ;)
 
anav
Forum Guru
Posts: 22387
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 8:11 pm

Larsa, are you trying to talk sexy at me "# chmod +r *". ??
Sounds like, if I was to guess, some linux NAS command to ensure read only LOL.
Ammo, sounds like too much recent smoke inhalation has impaired your judgment of what I am able to accomplish ( or my budget ).
I am starting a go fund me ( Low Canadian Dollar Fund ) to help defray the increasing cost of MT products.
Perhaps if we joined the EU..................... Nahhh, then we would have to help pay Spain and Greek Debt ;-))
 
Larsa
Forum Guru
Posts: 1703
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 8:18 pm

Haha, Anav, I see you're out here securing your files and your finances at the same time! 😂

Maybe if we tweak that command a bit:
# chmod +Money
Boom! Instant economic growth! 💰💸

As for joining the EU... yeah, I think Canada prefers its maple syrup debts over Mediterranean siestas. But hey, if your GoFundMe takes off, maybe you can single-handedly peg the CAD to the Euro! 😆 And btw, Greece’s economy is actually doing better than ever: https://observer.com/2024/11/germanys-e ... -comeback/
 
Amm0
Forum Guru
Posts: 4498
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Question on using the Internal Zerotier Controller

Mon Feb 03, 2025 8:57 pm

Perhaps if we joined the EU.....................
My question is how that would work with frequency bands... Currently, Canada largely follows the FCC rules. For Wi-Fi, that's likely better. For 5G/LTE with Mikrotik, you may be better off with EU rules... That lovely hAPaxLite-LTE6 is quite affordable but worthless in Canada (and US).
 
anav
Forum Guru
Posts: 22387
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Question on using the Internal Zerotier Controller

Tue Feb 04, 2025 12:32 am

Perhaps turning off electrical power to NY state just before superbowl starts would send the right message LOL.
But I agree, there are some EU funny rules that are not so easy to overcome, but hey, anything is better than orange farts.

By the way, the "who blinked first" game seems to have started with a one month delay LOL............