Hello!
I've been playing with Zerotier in OpenWRT as a method to expose LAN in support scenarios.
My goal is to have Zerotier provide a tunnel to both the OpenWRT router and all the devices on the same LAN as said router.
Currently I am running OpenWRT on a Vocore 2 POE and almost all is working except I have the following issues:
I cannot access the router when connecting remotely (don't see issues with the firewall but the connection is refused) both on its Zerotier address or its DHCP address. I can see all network devices though (except it?).
When connected locally on the DHCP address the plugin TTYD does not work (refused connection), LUCI and SSH are working though.
Other notes: I also have a wireless LAN setup for local access to the device - this works but doesn't provide access to the network.
Here is my /etc/config/network:
config interface 'WAN'
option proto 'dhcp'
option device 'br-wan'
config device
option name 'br-wan'
option type 'bridge'
list ports 'eth0.1'
list ports 'ztfovzuj6z'
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdd6:603a:85c5::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.2'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '6t 0 2'
config interface 'Zerotier'
option proto 'none'
option device 'ztfovzuj6z'
config switch_vlan
option device 'switch0'
option ports '6t'
option vlan '2'
option description 'WAN'
Here is my /etc/config/firewall:
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'ACCEPT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'ACCEPT'
option forward 'ACCEPT'
list network 'ETH0'
list network 'Zerotier'
list network 'WAN'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config forwarding
option src 'wan'
option dest 'lan'
Here is the /etc/config/wireless:
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/10300000.wmac'
option band '2g'
option htmode 'HT20'
option channel 'auto'
option country 'CA'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWRT'
option encryption 'psk2'
option key 'OpenWRT'
What crap can be removed from the configurations? What is missing to properly bridge the zerotier interface with the ethernet port network?
Also the version is: "Powered by LuCI openwrt-21.02 branch (git-22.119.37126-a993714) / OpenWrt 21.02.3 r16554-1d4dea6d4f"
Thanks,
--Phil