OK peoples. I got this working both ways: LAN > ZT and ZT > LAN. The trick was to configure a source NAT, which you can only do via the command line. Combined with the destination NAT, this sets up a bidirectional NAT. BOOM! Here's my config:
/* Router configuration (syntax appears to be EdgeOS/Vyatta): upstream on eth0,
   LAN on switch0, a ZeroTier interface, and a DNAT + SNAT pair that together
   form the bidirectional NAT between the upstream network and ZeroTier. */
/* Only global options and address groups are defined in this section; it holds
   no rule sets, so nothing in this listing filters traffic per interface or
   per direction. NOTE(review): confirm whether rule sets exist elsewhere. */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* Defined, but not referenced by either NAT rule in this listing. */
        network-group LAN {
            description "Switch LAN"
            network 192.168.50.0/24
        }
        /* Matched as the source in NAT rule 5000 (SNAT). */
        network-group Upstream {
            description "Upstream Network"
            network 10.1.1.0/24
        }
        /* Matched as the destination in NAT rule 1 (DNAT). */
        network-group ZeroTier {
            description "ZeroTier Network"
            network 10.147.20.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    receive-redirects disable
    send-redirects enable
    /* Reverse-path source validation is switched off, so packets with a
       source address that does not match the routing table are not dropped
       by this check. NOTE(review): confirm whether loose or strict mode
       works with this NAT topology before leaving it disabled. */
    source-validation disable
    syn-cookies enable
}
interfaces {
    /* Upstream-facing port; 10.1.1.10 is also the inside-address of NAT rule 1. */
    ethernet eth0 {
        address 10.1.1.10/24
        description "Local Upstream"
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    /* Not a member of switch0 below; PoE output is off. */
    ethernet eth4 {
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    /* LAN gateway address; eth1-eth3 are the switch members. */
    switch switch0 {
        address 192.168.50.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            vlan-aware disable
        }
    }
    /* ZeroTier interface; no address is configured on it in this listing. */
    zerotier ztklh3kllj {
        description ZeroTier
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 10.1.1.1 {
                description "Default Gateway"
            }
        }
    }
}
service {
    /* DHCP for the 192.168.50.0/24 LAN; the router is handed out as both
       default gateway and DNS server. */
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.50.0/24 {
                default-router 192.168.50.1
                dns-server 192.168.50.1
                lease 86400
                start 192.168.50.38 {
                    stop 192.168.50.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    /* DNS forwarder listens on switch0 only and forwards to 10.1.1.1. */
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
            name-server 10.1.1.1
        }
    }
    /* Web management UI. older-ciphers enable permits legacy TLS cipher
       suites; NOTE(review): turn it off unless an old client needs them.
       NOTE(review): confirm whether http-port 80 only redirects to HTTPS.
       No listen-address is set in this listing, so presumably the UI answers
       on every interface, including ztklh3kllj - confirm. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        /* DNAT: anything arriving on ztklh3kllj for an address in the
           ZeroTier group (10.147.20.0/24) is rewritten to 10.1.1.10, which
           is the router's own eth0 address. protocol all means every
           protocol and port is translated, so the gui and ssh services in
           this listing are presumably reachable by ZeroTier members;
           NOTE(review): narrow the protocol/port match or add a firewall
           rule set if that is not intended. Logging is off for this rule. */
        rule 1 {
            description "ZeroTier DNAT"
            destination {
                group {
                    network-group ZeroTier
                }
            }
            inbound-interface ztklh3kllj
            inside-address {
                address 10.1.1.10
            }
            log disable
            protocol all
            type destination
        }
        /* SNAT: traffic from the Upstream group (10.1.1.0/24) leaving via
           ztklh3kllj is rewritten to source 10.147.20.1. ZeroTier peers
           therefore see one address for every upstream host, and with
           log disable the router keeps no NAT log to map a flow back to
           the original host. */
        rule 5000 {
            description "ZeroTier SNAT"
            log disable
            outbound-interface ztklh3kllj
            outside-address {
                address 10.147.20.1
            }
            protocol all
            source {
                group {
                    network-group Upstream
                }
            }
            type source
        }
    }
    /* No listen-address is set in this listing; presumably SSH is reachable
       on every interface, including ztklh3kllj - confirm and restrict if
       not intended. */
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}