Forward zerotier traffic to LAN

cblonde · Thu Aug 25, 2022 12:45 am

I've followed the Mikrotik directions to set up zerotier on my RB4011 and generally speaking it's working. Where I'm having trouble (I think?) is getting it to forward traffic to LAN IPs.

I can ping zerotier IPs from the RB4011. I can connect to the RB4011 remotely using zerotier. I can't ping anything on my home network behind the RB4011 from a zerotier IP.

I do have a route configured to let me ping the LAN IP of the router over zerotier - that works fine. It just doesn't seem to be forwarding traffic to other LAN IPs. I can see the traffic in torch, but it seems like it never arrives at the destination.

Config is as follows:
{Use proper formatting tag}

# model = RB4011iGS+5HacQ2HnD
/interface bridge
add admin-mac=B8:69:F4:C5:B1:65 auto-mac=no comment=defconf name=bridge
/interface wireless
# managed by CAPsMAN
# channel: 5785/20-eeCe/ac(27dBm)+5210/80(14dBm), SSID: , CAPsMAN forwarding
set [ find default-name=wlan1 ] band=5ghz-n/ac channel-width=20/40/80/160mhz-XXXXXXXX country=canada distance=indoors frequency=auto installation=indoor mode=ap-bridge radio-name=B869F4C5B16E ssid=MikroTik-C5B16E station-roaming=enabled \
    wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2447/20-eC/gn(15dBm), SSID: XXXXXXXX, CAPsMAN forwarding
set [ find default-name=wlan2 ] antenna-gain=15 band=2ghz-onlyn channel-width=20/40mhz-XX country=canada distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-B54F72 station-roaming=enabled wireless-protocol=802.11
# managed by CAPsMAN
# SSID: XXXXXXX2, CAPsMAN forwarding
add mac-address=BA:69:F4:B5:4F:72 master-interface=wlan2 mode=station name=wlan19 station-roaming=enabled
add mac-address=BA:69:F4:C5:B1:6E master-interface=wlan1 mode=station name=wlan20 station-roaming=enabled
/caps-man interface
add disabled=no l2mtu=1600 mac-address=B8:69:F4:C5:B1:6F master-interface=none name=cap1 radio-mac=B8:69:F4:C5:B1:6F radio-name=B869F4C5B16F
/caps-man configuration
add country=canada datapath.bridge=bridge mode=ap name="Basement DMPC" security.authentication-types=wpa2-psk ssid="XXXXXXXX"
add country=canada datapath.bridge=bridge name="Basement DCC" security.authentication-types=wpa2-psk ssid="XXXXXXXX"
add country=canada datapath.bridge=bridge installation=any name="Garage DCC" security.authentication-types=wpa2-psk ssid="XXXXXXXX"
add country=canada datapath.bridge=bridge installation=any mode=ap name="Garage DMPC" security.authentication-types=wpa2-psk ssid="XXXXXXXX"
add country=canada datapath.bridge=bridge installation=any name="Kitchen DCC" security.authentication-types=wpa-psk,wpa2-psk ssid="XXXXXXXX"
add country=canada datapath.bridge=bridge installation=any mode=ap name="Kitchen DMPC" security.authentication-types=wpa2-psk ssid="XXXXXXXX"
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=XXXXXXXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dh-group=ecp256,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-128
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.200.100-192.168.200.150
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=12h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,rest-api
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" identity="XXXXXXXX" name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=zt1 name=zerotier1 network=XXXXXXXX
/caps-man manager
set ca-certificate=CAPsMAN-CA-0A519F335A0E certificate=CAPsMAN-0A519F335A0E enabled=yes upgrade-policy=suggest-same-version
/caps-man provisioning
add action=create-dynamic-enabled disabled=yes master-configuration="Basement DMPC" slave-configurations="Basement DCC"
add action=create-dynamic-enabled comment="Basement 5GHz" master-configuration="Basement DMPC" name-format=identity radio-mac=B8:69:F4:C5:B1:6E slave-configurations="Basement DCC"
add action=create-dynamic-enabled comment="Basement 2GHz" master-configuration="Basement DMPC" name-format=identity radio-mac=B8:69:F4:B5:4F:72 slave-configurations="Basement DCC"
add action=create-dynamic-enabled comment="Garage 2Ghz" master-configuration="Garage DMPC" name-format=identity radio-mac=B8:69:F4:CF:F8:48 slave-configurations="Garage DCC"
add action=create-dynamic-enabled comment="Kitchen 5Ghz" master-configuration="Kitchen DMPC" name-format=identity radio-mac=B8:69:F4:D0:1B:E7 slave-configurations="Kitchen DCC"
add action=create-dynamic-enabled comment="Kitchen 2Ghz" master-configuration="Kitchen DMPC" name-format=identity radio-mac=B8:69:F4:D0:1B:E6 slave-configurations="Kitchen DCC"
add action=create-dynamic-enabled comment="Garage 5Ghz" master-configuration="Garage DMPC" name-format=identity radio-mac=B8:69:F4:CF:F8:49 slave-configurations="Garage DCC"
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set default-profile=*1 enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=KitchenAP-1-1 list=LAN
add interface=zerotier1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireless cap
# 
set caps-man-addresses=127.0.0.1 certificate=CAP-0A519F335A0E enabled=yes interfaces=wlan1,wlan2 static-virtual=yes
/ip address
add address=192.168.200.1/24 comment=defconf interface=ether2 network=192.168.200.0
add address=192.168.201.1/24 interface=ether2 network=192.168.201.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
XXXXXXXX
/ip dhcp-server network
add address=192.168.200.0/24 comment=defconf dns-server=192.168.200.1 domain=XXXXXXXX gateway=192.168.200.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
XXXXXXXX
/ip firewall filter
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input in-interface=zerotier1
add action=accept chain=input disabled=yes in-interface=KitchenAP-1-1
add action=accept chain=forward disabled=yes in-interface=KitchenAP-1-1
add action=accept chain=input comment="CAPs to CAPsMAN" dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Added for DVR" dst-port=554 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.200.220 to-ports=554
add action=dst-nat chain=dstnat comment="Added for DVR" dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.200.220 to-ports=80
add action=dst-nat chain=dstnat comment="Added for DVR" dst-port=8000 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.200.220 to-ports=8000
add action=dst-nat chain=dstnat comment="Forward 2022 to 22 for SSH Backup" dst-port=2022 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.200.140 to-ports=22
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/ppp secret
add name=vpn
/system clock
set time-zone-name=America/Toronto
/system identity
set name=HouseAP
/system leds
add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.nist.gov
add address=ca.pool.ntp.org
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system scheduler
add name=Reboot on-event="system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=feb/20/2021 start-time=23:00:00
/system script
add dont-require-permissions=no name=XXXXXXX owner=XXXXXXX policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/tool wol interface=bridge mac=FC:AA:14:77:93:F5"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

zandhaas · Thu Aug 25, 2022 9:31 am

You have to add a "managed route" at the "my.zerotier.com" dashboard.

anav · Thu Aug 25, 2022 1:04 pm

https://help.mikrotik.com/docs/display/ROS/ZeroTier
viewtopic.php?t=183424

cblonde · Thu Aug 25, 2022 3:47 pm

You have to add a "managed route" at the "my.zerotier.com" dashboard.

I did this prior to posting here - it's 192.168.200.0/24 via 172.27.0.1 which I think is correct.

This part seems to work - I can ping a LAN IP from a zerotier IP and I see the traffic in torch on the router. It just doesn't make it to the destination

cblonde · Thu Aug 25, 2022 3:59 pm

https://help.mikrotik.com/docs/display/ROS/ZeroTier
viewtopic.php?t=183424

Thanks - this is a great document and I read through it a couple of times yesterday trying to figure out what I'm missing. I don't think my specific use case is covered though: I don't (?) need to bridge anything, I just want traffic to a zerotier IP from a LAN IP to get routed correctly. On the surface this seems like it should be very simple, but I'm obviously missing something important.

StubArea51 · Thu Aug 25, 2022 5:23 pm

If you traceroute from the host you're trying to reach to a destination over ZeroTier, where does it stop?

Likewise, if you trace from that destination across ZeroTier and back towards the LAN HOST, where does the traceroute stop?

cblonde · Thu Aug 25, 2022 5:36 pm

If you traceroute from the host you're trying to reach to a destination over ZeroTier, where does it stop?

Likewise, if you trace from that destination across ZeroTier and back towards the LAN HOST, where does the traceroute stop?

From LAN to Zerotier stops at the router:

tracert 172.27.0.4

Tracing route to 172.27.0.4 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms router.lan [192.168.200.1]
2 * * * Request timed out.

From Zerotier to LAN also stops at the router:

tracert 192.168.200.126

Tracing route to 192.168.200.126 over a maximum of 30 hops

1 24 ms 21 ms 23 ms 172.27.0.1
2 * * * Request timed out.

Both of these IPs can be pinged from the router

ping 192.168.200.126
SEQ HOST SIZE TTL TIME STATUS
0 192.168.200.126 56 128 305us
1 192.168.200.126 56 128 296us
2 192.168.200.126 56 128 303us
sent=3 received=3 packet-loss=0% min-rtt=296us avg-rtt=301us max-rtt=305us

ping 172.27.0.4
SEQ HOST SIZE TTL TIME STATUS
0 172.27.0.4 56 128 3ms204us
1 172.27.0.4 56 128 1ms476us
2 172.27.0.4 56 128 6ms767us
sent=3 received=3 packet-loss=0% min-rtt=1ms476us avg-rtt=3ms815us max-rtt=6ms767us

StubArea51 · Thu Aug 25, 2022 5:41 pm

Can you post the output of

/ip/route/print

cblonde · Thu Aug 25, 2022 5:44 pm

Here's the output of

/ip/route/print

Flags: D - DYNAMIC; A - ACTIVE; c, v, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAv 0.0.0.0/0 pppoe-out1 1
DAc 172.27.0.0/16 zerotier1 0
DAc 192.168.200.0/24 bridge 0
DAc 192.168.201.0/24 bridge 0
DAc 216.8.136.77/32 pppoe-out1 0

StubArea51 · Thu Aug 25, 2022 5:49 pm

The routes look correct and your zerotier controller route appears to be correct.

Have you tried disabling all firewall/mangle/nat rules that aren't required for Internet access to see if they are messing with the end to end connectivity?

cblonde · Thu Aug 25, 2022 6:07 pm

The routes look correct and your zerotier controller route appears to be correct.

Have you tried disabling all firewall/mangle/nat rules that aren't required for Internet access to see if they are messing with the end to end connectivity?

I've been working on paring back some old firewall rules since I posted the config yesterday so there's not much going on. That said, I tried deactivating all rules with a drop action and it didn't seem to make a difference.

NAT isn't doing much, and I'm not currently using Mangle for anything.

Filter Rules:

Flags: X - disabled, I - invalid; D - dynamic 
 0    chain=forward action=accept in-interface=zerotier1 

 1    chain=input action=accept in-interface=zerotier1 

 2  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 3    ;;; CAPs to CAPsMAN
      chain=input action=accept protocol=udp src-address=127.0.0.1 
      dst-port=5246,5247 log=no log-prefix="" 

 4    ;;; defconf: accept established,related,untracked
      chain=input action=accept 
      connection-state=established,related,untracked 

 5    ;;; allow IPsec NAT
      chain=input action=accept protocol=udp dst-port=4500 

 6    ;;; allow IKE
      chain=input action=accept protocol=udp dst-port=500 

 7    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 8    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 9    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

10    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

11    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

12    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes 
      connection-state=established,related 

13    ;;; defconf: accept established,related, untracked
      chain=forward action=accept 
      connection-state=established,related,untracked 

14    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

15    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface-list=WAN

NAT

Flags: X - disabled, I - invalid; D - dynamic 
 0 X  ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none 

 1    ;;; Added for DVR
      chain=dstnat action=dst-nat to-addresses=192.168.200.220 to-ports=554 protocol=tcp in-interface=pppoe-out1 dst-port=554 log=no log-prefix="" 

 2    ;;; Added for DVR
      chain=dstnat action=dst-nat to-addresses=192.168.200.220 to-ports=80 protocol=tcp in-interface=pppoe-out1 dst-port=80 log=no log-prefix="" 

 3    ;;; Added for DVR
      chain=dstnat action=dst-nat to-addresses=192.168.200.220 to-ports=8000 protocol=tcp in-interface=pppoe-out1 dst-port=8000 log=no log-prefix="" 

 4    ;;; Forward 2022 to 22 for SSH Backup
      chain=dstnat action=dst-nat to-addresses=192.168.200.140 to-ports=22 protocol=tcp in-interface=pppoe-out1 dst-port=2022 log=no log-prefix="" 

 5  D ;;; upnp 192.168.200.126: Plex Media Server
      chain=dstnat action=dst-nat to-addresses=192.168.200.126 to-ports=32400 protocol=tcp dst-address=98.143.75.192 in-interface=pppoe-out1 dst-port=27012 

 6  D ;;; upnp 192.168.200.137: ZeroTier/f055122fa4@32421
      chain=dstnat action=dst-nat to-addresses=192.168.200.137 to-ports=32421 protocol=udp dst-address=98.143.75.192 in-interface=pppoe-out1 dst-port=32421

Mangle

Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 

 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting action=passthrough

cblonde · Fri Aug 26, 2022 1:33 am

I think this is the problem:

chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none

That said, I'm not sure what to do about it yet.

cblonde · Fri Aug 26, 2022 2:33 am

Adding the following got traffic from LAN to Zerotier working.

chain=srcnat action=masquerade out-interface=zerotier1 log=no log-prefix="" ipsec-policy=out,none

I still can't get traffic from zerotier to LAN IPs, but this is getting closer

EDIT:
Forget the new masquerade rule, I changed the out-interface list on the previous rule to ALL and that seems to have helped

Forward zerotier traffic to LAN [SOLVED]

Forward zerotier traffic to LAN

Re: Forward zerotier traffic to LAN

Re: Forward zerotier traffic to LAN

Re: Forward zerotier traffic to LAN

Re: Forward zerotier traffic to LAN

Re: Forward zerotier traffic to LAN

Re: Forward zerotier traffic to LAN

Re: Forward zerotier traffic to LAN

Re: Forward zerotier traffic to LAN

Re: Forward zerotier traffic to LAN

Re: Forward zerotier traffic to LAN

Re: Forward zerotier traffic to LAN

Re: Forward zerotier traffic to LAN [SOLVED]

Who is online