Apparently the 2.0 line of EdgeOS now supports ZeroTier
-
These are my interfaces:
And these are my routes:
On the 192.168.50.0/24 (Lan1) network, I can successfully hit 10.1.1.0/24 (Lan2) addresses and go out on the internet. However, I can't get to any 10.147.20.0/24 nodes (ZT).
If I ssh into the router, I can ping anything on Lan1, Lan2, and ZT. This seems like it would be an easy solution that I'm missing???
Thanks.
-
@jplee Very Interesting! Can you share how you got ZT setup on the edge router?
-
@VoIP_n00b I followed https://blog.kruyt.org/zerotier-on-a-ubiquiti-edgerouter/. It was pretty straightforward. Make sure you follow Part 2 of the guide as well. Now if I can just get the ER-X to route.
-
@jplee I would like that too
-
I have it working! I needed to NAT.
I also disabled routing to 192.168.50.0/24 on ZeroTier Central and unchecked "Allow Bridging". They aren't needed.
-
@jplee Interesting. I'll have to try it. As many details as you can provide would be great!
-
Why would you need to NAT? If you want the real IPs to work, you should be able to use them.
I don't NAT any of my other VPNs.
-
@Dashrender I couldn't get the ER-X to route LAN>ZT. NAT, although not ideal, did the trick for me. I'd love to hear if anyone has a no NAT solution.
-
@jplee said in Apparently the 2.0 line of EdgeOS now supports ZeroTier:
@Dashrender I couldn't get the ER-X to route LAN>ZT. NAT, although not ideal, did the trick for me. I'd love to hear if anyone has a no NAT solution.
Remind me what you setup is, I have a ER-X lying around I can set it up and give it a try this weekend.
-
@Dashrender Setup is outlined several posts above. Here
-
You don't need to set a NAT configuration if you set a route in the Zerotier web interface.
10.11.12.1/24 - (LAN)
192.168.1.1/24 via 10.11.12.1The 10.11.12.1/24 is the Zerotier Network
The 192.168.1.1/24 is the Switch0 network for the ER-X -
@dinge Do you have this working? It didn’t work for me. Remember, I’m trying to go from LAN to ZT, not the other way around.
-
@jplee From ZT to Lan I got this working without NAT or without a route configuration.
I could ping the ZT devices from my Switch0 LAN.
What I wanted was to be able to acces the complete Switch0 LAN from anywhere in the world when I am connected with a PC or phone in the same ZT Network.
-
@jplee This are the commands I used on a ER-X setup as WAN+2LAN2
sudo -i
curl -s https://install.zerotier.com | sudo bash
cd /var/lib
mv /var/lib/zerotier-one /config/scripts/
ln -s /config/scripts/zerotier-one
cp /opt/vyatta/share/perl5/Vyatta/Interface.pm /opt/vyatta/share/perl5/Vyatta/Interface.pm.backup
scp /Users/JohDoe/Downloads/zerotier-edgeos.tgz [email protected]:/home/ubnt
(from new terminal window)tar -C / -xvzf /home/ubnt/zerotier-edgeos.tgz
connect zerotier (zerotieradress)
show interfaces zerotier
configure
set interfaces zerotier zt3jnycvh4 description ZerotierNetwork
commit ; save
exit
-
@dinge I did that exactly. Can we compare configs? Here's mine:
interfaces { ethernet eth0 { address 10.1.1.10/24 description "Local Upstream" duplex auto speed auto } ethernet eth1 { description Local duplex auto speed auto } ethernet eth2 { description Local duplex auto speed auto } ethernet eth3 { description Local duplex auto speed auto } ethernet eth4 { description Local duplex auto poe { output off } speed auto } loopback lo { } switch switch0 { address 192.168.50.1/24 description Local mtu 1500 switch-port { interface eth1 { } interface eth2 { } interface eth3 { } vlan-aware disable } } zerotier ztklh3kllj { description ZeroTier } } protocols { static { route 0.0.0.0/0 { next-hop 10.1.1.1 { description "Default Gateway" } } } } service { dhcp-server { disabled false hostfile-update disable shared-network-name LAN2 { authoritative enable subnet 192.168.50.0/24 { default-router 192.168.50.1 dns-server 192.168.50.1 lease 86400 start 192.168.50.38 { stop 192.168.50.243 } } } static-arp disable use-dnsmasq disable } dns { forwarding { cache-size 150 listen-on switch0 name-server 10.1.1.1 } } gui { http-port 80 https-port 443 older-ciphers enable } nat { rule 5000 { description ZT-NAT destination { group { address-group ADDRv4_eth0 } } log disable outbound-interface ztklh3kllj protocol all source { group { } } type masquerade } } ssh { port 22 protocol-version v2 } unms { disable } } -
OK peoples. I got this working both ways: LAN > ZT and ZT > LAN. The trick was to configure a source NAT, which you can only do via the command line. Along with destination NAT, a bidirectional NAT is setup. BOOM! Here's my config:
firewall { all-ping enable broadcast-ping disable group { network-group LAN { description "Switch LAN" network 192.168.50.0/24 } network-group Upstream { description "Upstream Network" network 10.1.1.0/24 } network-group ZeroTier { description "ZeroTier Network" network 10.147.20.0/24 } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address 10.1.1.10/24 description "Local Upstream" duplex auto speed auto } ethernet eth1 { description Local duplex auto speed auto } ethernet eth2 { description Local duplex auto speed auto } ethernet eth3 { description Local duplex auto speed auto } ethernet eth4 { description Local duplex auto poe { output off } speed auto } loopback lo { } switch switch0 { address 192.168.50.1/24 description Local mtu 1500 switch-port { interface eth1 { } interface eth2 { } interface eth3 { } vlan-aware disable } } zerotier ztklh3kllj { description ZeroTier } } protocols { static { route 0.0.0.0/0 { next-hop 10.1.1.1 { description "Default Gateway" } } } } service { dhcp-server { disabled false hostfile-update disable shared-network-name LAN2 { authoritative enable subnet 192.168.50.0/24 { default-router 192.168.50.1 dns-server 192.168.50.1 lease 86400 start 192.168.50.38 { stop 192.168.50.243 } } } static-arp disable use-dnsmasq disable } dns { forwarding { cache-size 150 listen-on switch0 name-server 10.1.1.1 } } gui { http-port 80 https-port 443 older-ciphers enable } nat { rule 1 { description "ZeroTier DNAT" destination { group { network-group ZeroTier } } inbound-interface ztklh3kllj inside-address { address 10.1.1.10 } log disable protocol all type destination } rule 5000 { description "ZeroTier SNAT" log disable outbound-interface ztklh3kllj outside-address { address 10.147.20.1 } protocol all source { group { network-group Upstream } } type source } } ssh { port 22 protocol-version v2 } unms { disable } }
