Zerotier over EE (UK) cellular 5G network

Hi, I’ve installed Zerotier on several routers and it assigns both IPv4 and IPv6 addresses…

If I use local WiFi networks I can connect but I can’t access the router when I try to use the connected cellular link. I’m using EE (UK) which uses IPv6 (even though Zerotier assigns both v4 and v6 addresses). I’ve had a look at reducing the MTU to 1280 (from 2800) but can’t seem to successfully do that.

Can someone offer any advice on getting the connection working - or, at worst, confirm that (because of the cellular network’s use of CG-NAT) I can’t use it…

Thanks!

Cellular ISPs usually employ quite drastic filtering, for many reasons - also for sensible reasons (reducing the chances for DOS attackers to use up your monthly quota and to block known attacks), beyond only the pesky ones. IPv4 is almost always behind cgNAT, IPv6 often doesn't fare that much better (only a single /64, also draconian filtering).

It's quite possible that they'll also prevent things like tailscale. At least for testing, I would at least try if plain wireguard on a random port using the IPv6 gateway address does anything sensible or if that's completely blocked.

If MTU 1280 doesn’t work on your cellular connection then it sounds like fragmentation issues; your cellular provider is probably using some weird MTU size. Is it 464XLAT?

You might need to clamp MSS manually to a more suitable size for your cellular network.

@radiomean

SD-WAN solutions like ZeroTier, Tailscale etc handle NAT/CG-NAT traversal just fine with IPv4 using either hole-punching or relaying, or with IPv6 to IPv6 on both ends it usually just works.

I've deployed ZeroTier both personally and with clients, and in my experience routing and firewall rules are by far the most common culprits when things don't work as expected. Same probably applies here.

A few things worth checking:

1. Verify that the ZeroTier peer actually connects

On the router, run:

# zerotier-cli peers

Look for your phone's ZeroTier node ID. Confirm the ROLE is LEAF and that the node appears at all. If it's missing or shows no paths, the tunnel isn't established and there's nothing to troubleshoot on the routing/firewall side yet.

Also check:

# zerotier-cli listnetworks

Confirm the network shows OK and an assigned IP.

2. Check if you can reach the ZeroTier IP of the router

From your phone (over cellular), open a ping app and try pinging the router's ZeroTier-assigned IP. That's the address ZeroTier allocated within your ZeroTier network (e.g. 10.147.x.x), not the router's LAN IP or WAN IP.

If that works, ZeroTier itself is up and the problem is purely routing/firewall on the router side. If it doesn't, the tunnel itself isn't established.

3. Routing between the ZeroTier network and the local router LAN

Even if you can reach the router's ZeroTier IP, that only means the tunnel is up. To reach hosts on the router's local LAN (e.g. 192.168.1.x) you need a managed route configured in ZeroTier Central telling clients that your LAN subnet is reachable via the router node.

In ZeroTier Central (either legacy or the new console):

  • Open your network and scroll down to Managed Routes
  • Add a route with the destination set to your LAN subnet, e.g. 192.168.1.0/24, and the Via field set to the router's ZeroTier IP (e.g. 10.147.x.x)
  • Save it
  • ZeroTier automatically propagates the new route to all nodes on the network

On the router, verify that the route has been propagated and is present:

# ip route show
# ip -6 route show

This confirms there's a route for the ZeroTier subnet pointing to the ztXXXXXX interface.

4. Check the firewall: another common culprit

OpenWrt by default assigns ZeroTier's interface (ztXXXXXX) to no firewall zone, or sometimes drops it into lan. You need to make sure:

  • The ZeroTier interface is in a zone that allows inbound traffic (at minimum INPUT ACCEPT for the zone)
  • There's a forwarding rule from the ZeroTier zone to lan if you want to reach LAN hosts
  • INPUT chain accepts traffic on the ZeroTier interface

Check it:

# iptables -L INPUT -n -v | grep zt
# ip6tables -L INPUT -n -v | grep zt

Or use LuCI: go to Network > Firewall and check which zone ztXXXXXX sits in and what its INPUT policy is.

What does zerotier-cli peers show when you're on cellular?
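The four checks above (and the MSS-clamping point raised earlier in the thread) can be scripted so they are repeatable on a router. The POSIX-sh helper below is an added example and not code from the post or from the ZeroTier or OpenWrt projects. Every parser takes the command or config text as an argument, so it runs on the constructed samples embedded at the bottom as well as on live output; the column layouts of `zerotier-cli peers` / `listnetworks` and the zone name `zerotier`, node IDs, network ID and addresses are all assumptions chosen for the sample.

```shell
#!/bin/sh
# Added example (not the forum post's or the project's code): mechanises
# checks 1-4 above. ASSUMED column layout, from ZeroTier 1.x output:
#   zerotier-cli peers        -> "ztaddr ver role lat link lastTX lastRX path"
#   zerotier-cli listnetworks -> "200 listnetworks nwid name mac status type dev ips"

# peer_state PEERS_OUTPUT NODE_ID -> prints "missing", "relayed" or "direct <ROLE>".
# A RELAY link means the peer is only reachable through a ZeroTier root, the
# usual signature of CG-NAT or UDP filtering on the cellular side.
peer_state() {
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 == id { found = 1; role = $3; link = $5 }
        END {
            if (!found)          { print "missing"; exit }
            if (link == "RELAY") { print "relayed"; exit }
            print "direct " role
        }'
}

# network_ips LISTNETWORKS_OUTPUT -> prints the assigned IPs of each network in
# status OK; exit 1 if none is OK (e.g. ACCESS_DENIED: not authorised in Central).
network_ips() {
    printf '%s\n' "$1" | awk '
        $1 == "200" && $2 == "listnetworks" && $3 != "<nwid>" && $6 == "OK" { print $9; ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# route_via_zt ROUTE_OUTPUT PREFIX -> exit 0 if PREFIX is routed out a zt* interface.
# On the router PREFIX is the ZeroTier subnet; on a client it is the LAN subnet
# that the managed route should have pushed.
route_via_zt() {
    printf '%s\n' "$1" | awk -v net="$2" '
        $1 == net { for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) ~ /^zt/) hit = 1 }
        END { exit hit ? 0 : 1 }'
}

# audit_zt_zone FIREWALL_CONFIG ZONE -> audits the /etc/config/firewall zone that
# holds the zt interface: input ACCEPT, mtu_fix (MSS clamping) on, and a
# forwarding stanza into lan. Prints a summary; exit 0 only when all three hold.
audit_zt_zone() {
    printf '%s\n' "$1" | tr -d "'\"" | awk -v zone="$2" '
        /^config zone/       { sect = "zone"; n++; next }
        /^config forwarding/ { sect = "fwd";  m++; next }
        /^config /           { sect = ""; next }
        sect == "zone" && $1 == "option" { zopt[n, $2] = $3 }
        sect == "fwd"  && $1 == "option" { fopt[m, $2] = $3 }
        END {
            for (i = 1; i <= n; i++) if (zopt[i, "name"] == zone) z = i
            if (!z) { print "zone " zone " not defined"; exit 1 }
            in_ok  = (zopt[z, "input"] == "ACCEPT")
            mss_ok = (zopt[z, "mtu_fix"] == "1")
            for (j = 1; j <= m; j++) if (fopt[j, "src"] == zone && fopt[j, "dest"] == "lan") fwd_ok = 1
            printf "input=%s mtu_fix=%s forward_to_lan=%s\n", zopt[z, "input"], (mss_ok ? "on" : "off"), (fwd_ok ? "yes" : "no")
            exit (in_ok && mss_ok && fwd_ok) ? 0 : 1
        }'
}

# ---- constructed sample data (documentation addresses, made-up node/network IDs) ----
SAMPLE_PEERS='200 peers
<ztaddr>   <ver>  <role> <lat> <link> <lastTX> <lastRX> <path>
aabbccddee 1.12.2 LEAF      31 DIRECT 1204     1190    203.0.113.7/9993
1122334455 1.12.2 LEAF      -1 RELAY  12040    13310'
SAMPLE_NETS='200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks 1234567890abcdef home 02:aa:bb:cc:dd:ee OK PRIVATE ztabc12345 10.147.17.1/24'
SAMPLE_NETS_DENIED='200 listnetworks 1234567890abcdef home 02:aa:bb:cc:dd:ee ACCESS_DENIED PRIVATE ztabc12345 -'
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
10.147.17.0/24 dev ztabc12345 proto kernel scope link src 10.147.17.1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1'
# Zone definition that passes the audit, next to a weak one (default input REJECT,
# no MSS clamping, no forwarding into lan) that fails it.
SAMPLE_FW="config zone
    option name 'zerotier'
    option input 'ACCEPT'
    option forward 'REJECT'
    option mtu_fix '1'
    list device 'zt+'

config forwarding
    option src 'zerotier'
    option dest 'lan'"
SAMPLE_FW_WEAK="config zone
    option name 'zerotier'
    option input 'REJECT'
    list device 'zt+'"

# Walk the samples. On a router, feed the live commands instead, e.g.
#   peer_state "$(zerotier-cli peers)" <phone-node-id>
#   audit_zt_zone "$(cat /etc/config/firewall)" zerotier
echo "phone aabbccddee: $(peer_state "$SAMPLE_PEERS" aabbccddee)"
echo "phone 1122334455: $(peer_state "$SAMPLE_PEERS" 1122334455)"
echo "network: $(network_ips "$SAMPLE_NETS" || echo 'none OK')"
route_via_zt "$SAMPLE_ROUTES" 10.147.17.0/24 && echo "ZT subnet routed via zt: yes"
echo "firewall (good): $(audit_zt_zone "$SAMPLE_FW" zerotier)"
echo "firewall (weak): $(audit_zt_zone "$SAMPLE_FW_WEAK" zerotier)"
```

The `mtu_fix` option in the zone is OpenWrt's built-in MSS clamping for traffic leaving that zone, which is what the earlier suggestion to clamp MSS for the cellular path comes down to on this platform; the audit reports it alongside the INPUT policy and the forwarding to lan so one run covers both the firewall and the fragmentation angle.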

Many thanks for all this detailed info…

I’ll check it out shortly.