Assigning ZeroTier VPN to a VLAN

Hello, I've installed the ZeroTier VPN on my WAX202 running OpenWrt 23.05.0. The upstream router is a MikroTik, connected through a trunked VLAN port carrying VLAN IDs 10, 20, 30, 31, 40, and 50.

Currently, I'm able to ping a remote device in the VPN:

ping 192.168.195.2
PING 192.168.195.2 (192.168.195.2): 56 data bytes
64 bytes from 192.168.195.2: seq=0 ttl=128 time=296.688 ms
64 bytes from 192.168.195.2: seq=1 ttl=128 time=47.132 ms
64 bytes from 192.168.195.2: seq=2 ttl=128 time=62.496 ms

I'd like to assign outbound VPN traffic to VLAN ID 31. What's the best way to do this? Should I bridge the VPN interface to the vlan-br and tag it with ID 31? What would be the firewall settings?

Thanks for your help.

cat /etc/config/network

# OpenWrt UCI network configuration as posted. The MAC addresses, the ULA
# prefix and the ZeroTier device name were redacted by the poster.

# Loopback interface.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'
	option packet_steering '1'

# Main bridge. Its members are lan1, lan2 and the physical 'wan' port. The
# bridge-vlan sections below tag VLANs 10, 30, 31 and 40 on 'wan' ('wan:t'),
# so 'wan' appears to be the trunk port toward the upstream router.
config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'wan'

# Per-port MAC address overrides (values redacted in the post).
config device
	option name 'lan1'
	option macaddr '34:xx:xx:xx:xx:36'

config device
	option name 'lan2'
	option macaddr '34:xx:xx:xx:xx:36'

config device
	option name 'lan3'
	option macaddr '34:xx:xx:xx:xx:36'

# The device's own address: static 10.0.10.2/24 on VLAN 10 (br-lan.10), with
# 10.0.10.1 as default gateway. This is the only interface placed in the
# firewall 'lan' zone in the firewall config shown on this page.
config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '10.0.10.2/24'
	option gateway '10.0.10.1'
	list dns '1.0.0.1'

config device
	option name 'wan'
	option macaddr '34:xx:xx:xx:xx:37'
	option ipv6 '0'

# NOTE(review): 'wan' is also a member port of br-lan above, yet this interface
# runs a DHCP client directly on the port and is the only member of the
# firewall 'wan' zone. Confirm this interface is still intended; tagged VLAN
# traffic on the trunk is presumably handled via the br-lan.N devices instead.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

# VLAN 10: lan1 as a plain (no-suffix) member, tagged on the trunk.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1'
	list ports 'wan:t'

# VLAN 30: tagged on the trunk only.
config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'wan:t'

# VLAN 31: tagged on the trunk only. No 'br-lan.31' device and no interface
# for VLAN 31 are defined in this file, so the router has no layer 3 presence
# in this VLAN as posted.
config bridge-vlan
	option device 'br-lan'
	option vlan '31'
	list ports 'wan:t'

# VLAN 40: lan2 as a plain (no-suffix) member, tagged on the trunk.
config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'lan2'
	list ports 'wan:t'

# 802.1Q sub-devices on top of br-lan. Only br-lan.10 is referenced by an
# interface in this file.
config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

# NOTE(review): no bridge-vlan section for VLAN 20 appears in this file, so
# VLAN 20 is not assigned to any bridge port here — confirm whether that is
# intentional, since the post lists VLAN 20 on the trunk.
config device
	option name 'br-lan.20'
	option type '8021q'
	option ifname 'br-lan'
	option vid '20'
	option ipv6 '0'

config device
	option name 'br-lan.30'
	option type '8021q'
	option ifname 'br-lan'
	option vid '30'
	option ipv6 '0'

config device
	option name 'br-lan.40'
	option type '8021q'
	option ifname 'br-lan'
	option vid '40'
	option ipv6 '0'

# Separate bridge that contains only lan3.
config device
	option type 'bridge'
	option name 'br-ip-cam-lan3'
	list ports 'lan3'
	option ipv6 '0'

# Static 10.0.50.2/24 on the lan3-only bridge.
# NOTE(review): 'ip_cam_lan3' is not listed in any zone of the firewall config
# shown on this page, so only the firewall defaults apply to it.
config interface 'ip_cam_lan3'
	option proto 'static'
	option device 'br-ip-cam-lan3'
	option ipaddr '10.0.50.2'
	option netmask '255.255.255.0'
	option ip6assign '60'

# Declares VLAN 50 on br-lan with no member ports.
config bridge-vlan
	option device 'br-lan'
	option vlan '50'

# Device section for 'ztxxxxxxxx' (name redacted; presumably the ZeroTier
# interface). It only disables IPv6. No 'config interface' in this file
# references the device, so it cannot be assigned to a firewall zone by
# network name as posted.
config device
	option name 'ztxxxxxxxx'
	option ipv6 '0'
cat /etc/config/firewall

# OpenWrt UCI firewall configuration as posted.

# Default policies for traffic that belongs to no zone: input and output are
# accepted, forwarding is rejected.
# NOTE(review): with input 'ACCEPT', interfaces outside every zone can reach
# services on the router itself. In the network config on this page that
# appears to include the ZeroTier device and 'ip_cam_lan3'. Consider input
# 'REJECT' here, with explicit zones for those interfaces.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# 'lan' zone: covers only the 'lan' network and accepts input, output and
# intra-zone forwarding.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# 'wan' zone: covers only the 'wan' network. Input and forwarding are
# rejected; masquerading and MSS clamping (mtu_fix) are enabled.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

# The only inter-zone forwarding defined: lan -> wan. No zone or forwarding
# exists for VLAN 31 or the ZeroTier interface, so traffic routed between them
# would fall under the default forward 'REJECT'.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below look like the stock OpenWrt default rule set. Each of them
# has src 'wan', so they act on traffic arriving through the 'wan' zone only.

# Accept IPv4 UDP to port 68 (DHCP client replies).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Accept IPv4 ICMP echo requests addressed to the router.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept IPv4 IGMP.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept IPv6 UDP to port 546 (DHCPv6 client).
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types (130-132 and 143, per the rule name MLD)
# from link-local sources only.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types addressed to the router, limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types forwarded from wan to any zone (dest '*'),
# limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward ESP from wan to lan.
# NOTE(review): this rule and Allow-ISAKMP below open wan -> lan forwarding for
# IPsec. Remove both if no IPsec endpoint sits behind this device.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Forward UDP port 500 (IKE/ISAKMP) from wan to lan.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

The direct answer to your question is that you first need to log in to your ZeroTier account, edit the network, and check the box to allow Ethernet bridging. Then you can add the ZeroTier device name as a port in the VLAN 31 bridge-vlan section.

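However, this is not recommended, since layer 2 VPNs tend to clog up with Ethernet broadcast traffic. Bridging also puts every member of the ZeroTier network directly on VLAN 31's layer 2 segment, where traffic between them and the local hosts is not filtered by the router's zone firewall by default. It is better to operate the VPN in ZeroTier's default layer 3 mode and route into it. In that case your VLAN 31 will have its own IP range and work like the other VLAN'd networks, but with firewall rules allowing it to forward through the ZeroTier network.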

I'm okay with this. Could you give more details on how this would be done? Thank you for your time.