Zerotier unreachable

Hi,

after switching from cable to an LTE-stick my zerotier installation stopped working.

I have a zerotier network device that gets an ip, "zerotier-cli info" reports "ONLINE", yet I cannot ping or ssh any other device on my zerotier network - there must be something wrong with my network/firewall configuration but I don't know how to debug this...

Can someone help me here?

1 Like

Sorry, I should have mentioned that I know this page but it did not work for me.

I don't need pointers to documentation but hints for debugging network issues...

Then show it along with your OpenWrt routing table.
No pictures please.

1 Like

Zerotier is rather robust at getting connected since it can work entirely with outgoing connections. It does like IPv6 though so make sure if IPv6 is configured, it is working properly. Also there is a small possibility that the ISP is blocking it (or UDP in general) with a firewall on their side.

1 Like

Here is the routing table:

> sudo route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.127.37  0.0.0.0         UG    30     0        0 usb0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 br-lan
172.23.0.0      0.0.0.0         255.255.0.0     U     0      0        0 ztuku62g3u
192.168.127.0   0.0.0.0         255.255.255.0   U     30     0        0 usb0

Here is /etc/config/firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun+'
        option network 'wan wan6 tethering'

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'
        option reload '1'

config include 'glfw'
        option type 'script'
        option path '/usr/bin/glfw.sh'
        option reload '1'

config zone 'guestzone'
        option name 'guestzone'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding 'guestzone_fwd'
        option src 'guestzone'
        option dest 'wan'
        option enabled '1'

config rule 'guestzone_dhcp'
        option name 'guestzone_DHCP'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule 'sambasharewan'
        option src 'wan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'DROP'

config rule 'sambasharelan'
        option src 'lan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'ACCEPT'

config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glqos'
        option type 'script'
        option path '/usr/sbin/glqos.sh'
        option reload '1'

config redirect
        option target 'DNAT'
        option name 'moto'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '2222'
        option dest_ip '10.10.10.110'
        option dest_port '2222'
        option enabled '1'
        option gl '1'

config redirect
        option target 'DNAT'
        option name 'herun'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '2223'
        option dest_ip '10.10.10.101'
        option dest_port '2222'
        option enabled '1'
        option gl '1'

config redirect
        option target 'DNAT'
        option name 'erlenstar'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '2224'
        option dest_ip '10.10.10.111'
        option dest_port '2222'
        option enabled '1'
        option gl '1'

config redirect
        option target 'DNAT'
        option name 'vnc'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '5900'
        option dest_ip '10.10.10.100'
        option dest_port '5900'
        option enabled '1'
        option gl '1'
        option src 'wan'

config rule
        option name 'Allow-ZeroTier-Inbound'
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '9993'

config zone 'vpn'
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'zt+'

config rule 'ssh'
        option name 'Allow-SSH'
        option src 'vpn'
        option dest_port '22'
        option proto 'tcp'
        option target 'ACCEPT'

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

1 Like

Yes, it is a GL.iNet device and runs with their version of OpenWrt.
However, I believe it is a generic networking/firewall problem, so that should not matter.

The 172.32 route was pushed in from Zerotier, correct? That indicates that you do have a connection to Zerotier Central.

Other than that I can't say much as it is as noted not official firmware, and there are a lot of other things configured that may be interfering with what you are trying to do.

And as I said before check if there is a public ipv6 wan route and if there is it either needs to work properly or be disabled to test with v4 only. Zerotier does let clients mix and match v4 and v6 protocols for the outside of the tunnel.

1 Like

Yes the route was pushed.

It all worked before but I have changed two things:

The internet access is now via LTE: the device is now either tethered via a surfstick ("eth2") or my phone ("usb0").
And where I used to use eth0 to connect to a cable router, both eth0 and eth1 are now used for lan.

But now I have these connectivity problems that I don't know how to debug.

What exactly does not work? Curious to see some examples.
+1 to what was said about [not] official firmware.

Moving to the official firmware is what I am planning to do soon.

Here is an example of what does not work: I cannot reach the other hosts of my network:

ssh -p 2222 172.23.8.6

ssh: Connection to mh@172.23.8.6:2222 exited: Connect failed: Host is unreachable

And this device is not reachable from the other hosts either.

We have no visibility about what's going on @172.23.8.6
Add a rule to accept ICMP from vpn zone and let the other host ping you.

So I added this:

config rule
        option name 'Allow-Ping'
        option src 'vpn'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

and restarted the firewall.
But the ping does not work.

In this particular case the host at 172.23.8.6 is my phone.

Well, I would install tcpdump and see if anything is coming from the outside:
tcpdump -v -i ztuku62g3u

Note that you don't need 'Allow-ZeroTier-Inbound' rule.

There is nothing coming in.

The problem seems to be that the zerotier interface is not connected to the other interfaces.

When I try to ping the other host from the device, all I see are unanswered ARP requests.

Do you have any custom rules configured at ZT Central?

No custom rules.

I have experimented with defining a zone for the zerotier interface and adding forwarding rules but I don't really know what I am doing...

It would be either a config forwarding from lan to vpn, which is conspicuously missing (*), or placing the Zerotier interface in the wan zone. Either way, since masquerade is active on vpn and/or wan, the connection from lan to vpn devices would be outgoing only. (Incoming connections would require either symmetric routing instead of NAT, or port forwards back through NAT.)

(*) You keep saying, though, that everything worked before the ISP change, and connecting to a vpn device from lan definitely will not work without a forward rule.

1 Like
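As an added example (my own POSIX sh/awk, not from the thread or the OpenWrt project), a check that walks a UCI-style firewall file and reports whether an enabled forwarding from one zone to another exists, run against a constructed, condensed copy of the zones posted above; the helper names are assumed.

```shell
# Added example: report whether /etc/config/firewall has an enabled
# 'config forwarding' from SRC to DEST, the piece the last reply says is missing.
# Print a constructed, condensed copy of the zones and forwarding in the thread.
sample_firewall() {
cat <<'EOF'
config zone 'lan'
        option name 'lan'
        option forward 'ACCEPT'

config zone 'vpn'
        option name 'vpn'
        option masq '1'
        list device 'zt+'

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '1'
EOF
}

# has_forwarding FILE SRC DEST: exit 0 if an enabled forwarding SRC->DEST exists.
has_forwarding() {
    awk -v src="$2" -v dest="$3" -v q="'" '
        function flush() {               # evaluate the section just finished
            if (type == "forwarding" && s == src && d == dest && en != "0") found = 1
        }
        /^config[ \t]/ { flush(); type = $2; s = d = ""; en = "1"; next }
        type == "forwarding" && $1 == "option" {
            v = $3; gsub(q, "", v)       # strip the quotes UCI writes around values
            if ($2 == "src")     s  = v
            if ($2 == "dest")    d  = v
            if ($2 == "enabled") en = v
        }
        END { flush(); exit found ? 0 : 1 }
    ' "$1"
}

# The forwarding the last reply says is missing: lan -> vpn. With masq '1'
# on the vpn zone this still only allows connections initiated from lan.
lan_vpn_forwarding() {
cat <<'EOF'
config forwarding
        option src 'lan'
        option dest 'vpn'
        option enabled '1'
EOF
}
```

Run it against the real file with `has_forwarding /etc/config/firewall lan vpn && echo present || echo missing`; the same check with `vpn lan` tells you whether the reverse direction (needed for incoming connections once masquerade is off) is also configured.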