Help for network settings

Hi every one
I have a problem in network settings my opewrt is 18
with zerotier installed with Zero and wan and lan interfaces
before joining Zerotier network I can access my openwrt with local
Wan and LAN IP's
After Joining zerotier network my local WAN and LAN IP's Stop pinging
And can not access router with them,
But I cann access my router from zerotier IP address.
I try every thing as I know - I am new here - but failed

MY Network settings are :-

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd71:af14:7e61::/48'

config interface 'lan'
	option ifname 'eth0'
	option proto 'dhcp'

config interface 'WAN'
	option proto 'static'
	option ifname 'eth0'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.200'
	option gateway '192.168.1.1'
	option dns '8.8.8.8 192.168.1.1'

config interface 'ZeroT'
	option proto 'none'
	option ifname 'ztrf2vp2bp'
	option auto '1'

AND MY FIREWALL SETTINGS ARE:-

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network ' '

config zone
	option name 'wan'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'WAN'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'wan'
	option src 'lan'

Please help

One Note I can ping these local address from outside ( Zerotier link - WAN ) but not from local lan

Why do you have interface eth0 assigned to LAN and WAN networks simultaneously?

As my device is orange pi zero with only one network interface

Could you show the diagnostics:

ip a; ip r; ip ru

This is my diagnostics:

root@OrangePiZero:~# ip a; ip r; ip ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 02:42:4e:88:1c:5a brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.200/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 192.168.1.5/24 brd 192.168.1.255 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet6 fd71:af14:7e61::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::42:4eff:fe88:1c5a/64 scope link
       valid_lft forever preferred_lft forever
3: ztrf2vp2bp: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 2a:86:4d:df:c0:2d brd ff:ff:ff:ff:ff:ff
    inet 10.147.20.150/24 brd 10.147.20.255 scope global ztrf2vp2bp
       valid_lft forever preferred_lft forever
    inet6 fe80::2886:4dff:fedf:c02d/64 scope link
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0 proto static src 192.168.1.5
10.147.20.0/24 dev ztrf2vp2bp scope link
172.16.103.0/24 via 10.147.20.200 dev ztrf2vp2bp
172.30.4.0/24 via 10.147.20.200 dev ztrf2vp2bp
172.30.5.0/24 via 10.147.20.200 dev ztrf2vp2bp
172.30.6.0/24 via 10.147.20.200 dev ztrf2vp2bp
172.30.7.0/24 via 10.147.20.200 dev ztrf2vp2bp
192.168.100.0/24 via 10.147.20.200 dev ztrf2vp2bp
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
root@OrangePiZero:~#

You are missing link-scope route to network 192.168.1.0/24.
You should disable VPN-service, restart the device and check ip r.

do you mean disable ZEROT adaptor then restart the device and check ip r ??
Or can we add the route to network 192.168.1.0/24 manually ??

Yes.

This route should be added by default.
I suspect that VPN-client removes it.

Same problem still look for a way to make it work.