Forward zerotier traffic to LAN
Posted: Thu Aug 25, 2022 12:45 am
I've followed the MikroTik directions to set up ZeroTier on my RB4011 and it is generally working. Where I'm having trouble (I think?) is getting it to forward traffic to LAN IPs.
I can ping zerotier IPs from the RB4011. I can connect to the RB4011 remotely using zerotier. I can't ping anything on my home network behind the RB4011 from a zerotier IP.
I do have a route configured that lets me ping the LAN IP of the router over ZeroTier - that works fine. It just doesn't seem to be forwarding traffic to the other LAN IPs. I can see the traffic in Torch, but it seems like it never arrives at the destination.
Config is as follows:
{Use proper formatting tag}
I can ping zerotier IPs from the RB4011. I can connect to the RB4011 remotely using zerotier. I can't ping anything on my home network behind the RB4011 from a zerotier IP.
I do have a route configured to let me ping the LAN IP of the router over zerotier - that works fine. It just doesn't seem to be forwarding traffic to other LAN IPs. I can see the traffic in torch, but it seems like it never arrives at the destination.
Config is as follows:
{Use proper formatting tag}
# model = RB4011iGS+5HacQ2HnD
# RouterOS export posted for troubleshooting: ZeroTier peers can reach the router
# itself but not the hosts behind it. Lines marked NOTE(review) are reviewer
# comments only; the configuration statements are reproduced unchanged.
/interface bridge
add admin-mac=B8:69:F4:C5:B1:65 auto-mac=no comment=defconf name=bridge
/interface wireless
# managed by CAPsMAN
# channel: 5785/20-eeCe/ac(27dBm)+5210/80(14dBm), SSID: , CAPsMAN forwarding
set [ find default-name=wlan1 ] band=5ghz-n/ac channel-width=20/40/80/160mhz-XXXXXXXX country=canada distance=indoors frequency=auto installation=indoor mode=ap-bridge radio-name=B869F4C5B16E ssid=MikroTik-C5B16E station-roaming=enabled \
wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2447/20-eC/gn(15dBm), SSID: XXXXXXXX, CAPsMAN forwarding
set [ find default-name=wlan2 ] antenna-gain=15 band=2ghz-onlyn channel-width=20/40mhz-XX country=canada distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-B54F72 station-roaming=enabled wireless-protocol=802.11
# managed by CAPsMAN
# SSID: XXXXXXX2, CAPsMAN forwarding
add mac-address=BA:69:F4:B5:4F:72 master-interface=wlan2 mode=station name=wlan19 station-roaming=enabled
add mac-address=BA:69:F4:C5:B1:6E master-interface=wlan1 mode=station name=wlan20 station-roaming=enabled
/caps-man interface
add disabled=no l2mtu=1600 mac-address=B8:69:F4:C5:B1:6F master-interface=none name=cap1 radio-mac=B8:69:F4:C5:B1:6F radio-name=B869F4C5B16F
/caps-man configuration
add country=canada datapath.bridge=bridge mode=ap name="Basement DMPC" security.authentication-types=wpa2-psk ssid="XXXXXXXX"
add country=canada datapath.bridge=bridge name="Basement DCC" security.authentication-types=wpa2-psk ssid="XXXXXXXX"
add country=canada datapath.bridge=bridge installation=any name="Garage DCC" security.authentication-types=wpa2-psk ssid="XXXXXXXX"
add country=canada datapath.bridge=bridge installation=any mode=ap name="Garage DMPC" security.authentication-types=wpa2-psk ssid="XXXXXXXX"
# NOTE(review): the Kitchen DCC profile is the only one that still allows wpa-psk
# (WPA1) next to wpa2-psk; presumably for a legacy client - confirm it is still needed.
add country=canada datapath.bridge=bridge installation=any name="Kitchen DCC" security.authentication-types=wpa-psk,wpa2-psk ssid="XXXXXXXX"
add country=canada datapath.bridge=bridge installation=any mode=ap name="Kitchen DMPC" security.authentication-types=wpa2-psk ssid="XXXXXXXX"
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=XXXXXXXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# NOTE(review): the default IPsec profile/proposal keep modp1024 and sha1 alongside
# the stronger options; presumably for client compatibility - confirm which peers
# still negotiate them.
set [ find default=yes ] dh-group=ecp256,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-128
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.200.100-192.168.200.150
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
# DHCP is served on the bridge; compare with where the LAN addresses are bound under /ip address.
add address-pool=dhcp interface=bridge lease-time=12h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,rest-api
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" identity="XXXXXXXX" name=zt1 port=9993
/zerotier interface
# allow-managed=yes applies the addresses/routes the ZeroTier controller pushes for this
# network; allow-default and allow-global stay off, so the controller cannot install a
# default route or public-range routes on this router.
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=zt1 name=zerotier1 network=XXXXXXXX
/caps-man manager
set ca-certificate=CAPsMAN-CA-0A519F335A0E certificate=CAPsMAN-0A519F335A0E enabled=yes upgrade-policy=suggest-same-version
/caps-man provisioning
add action=create-dynamic-enabled disabled=yes master-configuration="Basement DMPC" slave-configurations="Basement DCC"
add action=create-dynamic-enabled comment="Basement 5GHz" master-configuration="Basement DMPC" name-format=identity radio-mac=B8:69:F4:C5:B1:6E slave-configurations="Basement DCC"
add action=create-dynamic-enabled comment="Basement 2GHz" master-configuration="Basement DMPC" name-format=identity radio-mac=B8:69:F4:B5:4F:72 slave-configurations="Basement DCC"
add action=create-dynamic-enabled comment="Garage 2Ghz" master-configuration="Garage DMPC" name-format=identity radio-mac=B8:69:F4:CF:F8:48 slave-configurations="Garage DCC"
add action=create-dynamic-enabled comment="Kitchen 5Ghz" master-configuration="Kitchen DMPC" name-format=identity radio-mac=B8:69:F4:D0:1B:E7 slave-configurations="Kitchen DCC"
add action=create-dynamic-enabled comment="Kitchen 2Ghz" master-configuration="Kitchen DMPC" name-format=identity radio-mac=B8:69:F4:D0:1B:E6 slave-configurations="Kitchen DCC"
add action=create-dynamic-enabled comment="Garage 5Ghz" master-configuration="Garage DMPC" name-format=identity radio-mac=B8:69:F4:CF:F8:49 slave-configurations="Garage DCC"
/interface bridge port
# ether2 is a member port of the bridge (relevant to the /ip address section below).
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set default-profile=*1 enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=KitchenAP-1-1 list=LAN
# zerotier1 is a LAN-list member: every rule keyed on in-interface-list=LAN (including the
# final input drop on !LAN, neighbor discovery and the MAC-server allow lists) treats ZeroTier
# peers exactly like wired LAN hosts, so all router services are reachable from that network.
add interface=zerotier1 list=LAN
/interface ovpn-server server
# NOTE(review): md5 is still accepted as an OVPN auth digest.
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
# NOTE(review): the PPTP server is enabled despite the warning above, and tcp/1723 is
# opened in the input chain.
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireless cap
#
# CAPsMAN runs on this router, so the local CAP talks to 127.0.0.1; this pairs with the
# input rule accepting udp/5246,5247 from 127.0.0.1 in the firewall below.
set caps-man-addresses=127.0.0.1 certificate=CAP-0A519F335A0E enabled=yes interfaces=wlan1,wlan2 static-virtual=yes
/ip address
# NOTE(review): both LAN addresses are bound to ether2, which is a bridge member port
# (see /interface bridge port), while the DHCP server and UPnP are bound to the bridge.
# Addresses normally sit on the bridge itself rather than on a member port; verify in
# /ip address that these entries are active (not flagged invalid). If they are not, that
# is the first thing to check for ZeroTier traffic that is accepted but never reaches LAN hosts.
add address=192.168.200.1/24 comment=defconf interface=ether2 network=192.168.200.0
add address=192.168.201.1/24 interface=ether2 network=192.168.201.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
XXXXXXXX
/ip dhcp-server network
add address=192.168.200.0/24 comment=defconf dns-server=192.168.200.1 domain=XXXXXXXX gateway=192.168.200.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for anything that passes the input
# chain; the final input drop on !LAN keeps WAN clients out, but ZeroTier peers can use it.
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
XXXXXXXX
/ip firewall filter
# NOTE(review): these two blanket accepts for zerotier1 are placed ahead of the
# connection-state checks, so invalid-state packets arriving from ZeroTier are accepted
# as well. Since zerotier1 is in the LAN list and the forward chain has no rule denying
# LAN-to-LAN traffic, neither rule is needed to allow the traffic; if they are kept,
# consider moving them below the "drop invalid" rules or adding connection-state=new.
# Nothing in this chain blocks zerotier1 -> 192.168.200.0/24 forwarding. If replies never
# come back, check that LAN hosts use 192.168.200.1 as their gateway (their return path to
# the ZeroTier subnet) and that host firewalls accept ICMP from off-subnet sources; a srcnat
# masquerade with out-interface=bridge for ZeroTier sources is the usual workaround when
# hosts cannot route back.
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input in-interface=zerotier1
add action=accept chain=input disabled=yes in-interface=KitchenAP-1-1
add action=accept chain=forward disabled=yes in-interface=KitchenAP-1-1
add action=accept chain=input comment="CAPs to CAPsMAN" dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# VPN service ports below are accepted from any interface (they precede the !LAN drop),
# which is what exposes L2TP/IPsec, PPTP and SSTP on the WAN.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Exposed on the PPPoE WAN with no source restriction: the DVR on tcp/80, 554 and 8000,
# and tcp/2022 forwarded to 192.168.200.140:22. The forward chain accepts dstnat'd WAN
# connections, so these hosts are reachable from the Internet.
add action=dst-nat chain=dstnat comment="Added for DVR" dst-port=554 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.200.220 to-ports=554
add action=dst-nat chain=dstnat comment="Added for DVR" dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.200.220 to-ports=80
add action=dst-nat chain=dstnat comment="Added for DVR" dst-port=8000 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.200.220 to-ports=8000
add action=dst-nat chain=dstnat comment="Forward 2022 to 22 for SSH Backup" dst-port=2022 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.200.140 to-ports=22
/ip ssh
# NOTE(review): allow-none-crypto=yes permits SSH sessions negotiated with the "none"
# cipher (unencrypted payload); forwarding-enabled=remote allows remote port forwarding
# through the router's SSH service. Both are reachable from every LAN-list interface.
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
# NOTE(review): UPnP with pppoe-out1 as the external interface lets any LAN host open
# inbound WAN ports without a firewall change.
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/ppp secret
# Only the secret name is exported here; the password is presumably hidden by the export.
add name=vpn
/system clock
set time-zone-name=America/Toronto
/system identity
set name=HouseAP
/system leds
add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.nist.gov
add address=ca.pool.ntp.org
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system scheduler
add name=Reboot on-event="system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=feb/20/2021 start-time=23:00:00
/system script
# Wake-on-LAN helper sent out the bridge; name and owner are redacted in the post.
add dont-require-permissions=no name=XXXXXXX owner=XXXXXXX policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/tool wol interface=bridge mac=FC:AA:14:77:93:F5"
/tool mac-server
# MAC-telnet and MAC-winbox are limited to the LAN list, which includes zerotier1.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN