[Support] spikhalskiy - ZeroTier



15 minutes ago, Hank Moody said:

I have pfsense/baremetal running 12vlans and a 100/60 connection.

 

VLAN 3 (10.1.30.0/24) is the Vlan where my Plex Servers reside (10.1.30.1 & 10.1.30.2). On the same Vlan there are 2 Steam Machines (10.1.30.40 & 10.1.30.41) I'd also like to 'share'.

 

My ZT resides in above Vlan3 (10.1.30.249), and with this Docker I'd just want to share Plex/Steam.

So 10.1.30.249 is the ZT-Client / the ZT-Docker IP on your unraid host?

What network did you choose as transfer network in ZT central?

 

Do you have another client, like a laptop and installed the ZT-client on it and are you able to connect and ping the 10.1.30.249 IP or any other IP on your VLAN3??

Preferably from outside of your own network, via a 3G/4G connection or remote (W)LAN at a friend's or family place?

 

This would be the first step you need to achieve.

 

 

 

 

15 minutes ago, Hank Moody said:

To my understanding it would be possible to use ZT for multiple Vlans, but for simplicity I'd rather start with one Vlan properly set-up 😅

Well, yes...but VLAN tags are not passed across the ZT network, I think (actually I did not try)...so think of connecting LANs, not especially VLANs.

You should think of each ZT-network as a Layer 3 switch.

Each ZT-client, when connected to a ZT-network, is part of a LAN IP segment of that network. That means they are already internally connected to each other.

As each ZT-client has an outside ZT connection while it also sits in a LAN local to the ZT-client, like your ZT-docker or your parent's laptop in their local LAN, think of each ZT-client as a (possible) site-to-site connection gateway, using their internal ZT-network as transfer network.

 

Example (your zt-network IP in the range of 192.168.99.0/255.255.255.0):

 

Your PFsense/VLAN3 (10.1.30.1) - zt-docker (10.1.30.249 + zt-net-ip 192.168.99.2) - zt-central - zt-client-Laptop (zt-net-ip 192.168.99.22 - LAN-IP 192.168.1.120) - remote LAN gateway (192.168.1.1)

 

So, for the laptop to be able to reach your VLAN3, define (in ZT-central) the route to 10.1.30.0/24 with gateway=192.168.99.2 and of course the other path for returns (net 192.168.1.0/24 with gateway 192.168.99.22)

But wait, this is only half of the story ;-)

 

15 minutes ago, Hank Moody said:

Where do the routes have to go? Only ZT-Central? Or do I need to tweak pfsense/vlan-rules too?

...second half of the story:

 

In order for IP packets to be able to return from the VLAN3 net back to the remote LAN 192.168.1.0/24, the router which is hosting VLAN3 of course needs to know the routes to zt-central (using the zt-client docker IP as gateway) as well.

That means, your pfsense needs to be part of the game as well ;-)

And should you wish the same for more hosts on the remote network and not just the laptop running zt-client, the remote router as well (which would form a true site2site connection)

 

15 minutes ago, Hank Moody said:

 

As said above I read the entire thread couple of times, especially the posts of @Ford Prefect

about adding routes, but: I intend to only add certain hosts from the Vlan, not the entire network.

 

Zero-Tier is a LAN...in order to limit access to individual hosts in a network/LAN behind a zt-client, you should put the zt-docker in an additional, separate (V)LAN, different from VLAN3, and let the firewall rules in your pfsense decide which hosts are reachable/allowed from that zt-(V)LAN into your VLAN3.

That is the proper way of doing it, I think and also easier to maintain, should things change.

However, this is routing (performance wise) and might involve more resources on your pfsense box.

 

15 minutes ago, Hank Moody said:

 

I'm at a loss and every help is much appreciated! Especially how the routes should look like as I had a HARD time setting pfsense up.. 🤣

 

...I hope I was able to shed some light on the story. However, I will/can not help with your pfsense...I am a Mikrotik person ;-)

If you already have 12 VLANs running, a 13th shouldn't present a problem, should it?

Application Name: ZeroTier Application Site: https://www.zerotier.com/ Docker Hub: https://hub.docker.com/r/spikhalskiy/zerotier/ Github Docker: https://github.com/Spikhalskiy/zerotier-


Hi all,

I have successfully configured ZeroTier and can access my Unraid server from my mobile phone outside of my wifi. But I need some help to define the route to the rest of the network outside of the Unraid IP.

Unraid is part of 192.168.1.x, I can access all services running on the Unraid server but not any other IPs in the subnet.

I have tried to run the user script/commands to set up a route with IPtables but it did not work. I would like to use the GUI to have better control over this but I am not sure what I need to add in the "Routing table" under "Network settings".

Thanks in advance!


zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)  

 

UNRAID can access other devices and other devices cannot access UNRAID

Edited by xukai

Hi,

Are there plans to upgrade the Zerotier version to 1.6.5 any time soon?

 

I'm having the Zerotier 'Coma' problem where some hosts can't communicate with others in the same network, and the upgrade to 1.6.5 is recommended.  I've tried downgrading one other host to 1.6.2 and it fixed the problem, for a while.

 

Cheers,

Russell

Edit: new version available.

Edited by Russell_C
Version update
On 4/13/2021 at 10:16 AM, Russell_C said:

Hi,

Are there plans to upgrade the Zerotier version to 1.6.4 any time soon?

 

I'm having the Zerotier 'Coma' problem where some hosts can't communicate with others in the same network, and the upgrade to 1.6.4 is recommended.  I've tried downgrading one other host to 1.6.2 and it fixed the problem, for a while.

 

Cheers,

Russell

Same. It was working but after one day, I cannot connect to my unraid server anymore. An upgrade will be very much helpful.

On 4/1/2021 at 7:14 PM, chortya said:

Hi all,

I have successfully configured ZeroTier and can access my Unraid server from my mobile phone outside of my wifi. But I need some help to define the route to the rest of the network outside of the Unraid IP.

Unraid is part of 192.168.1.x, I can access all services running on the Unraid server but not any other IPs in the subnet.

I have tried to run the user script/commands to set up a route with IPtables but it did not work. I would like to use the GUI to have better control over this but I am not sure what I need to add in the "Routing table" under "Network settings".

Thanks in advance!

This cannot be solved with unraid network settings.

In order for other clients in your IP segment to be reachable, their gateway (aka your router, 192.168.1.1) needs to know the route back to the zt-transfer net, with the zt-client on unraid as the gateway to the "other side".

 


Thank you Dmitry!

 

That's fixed my connectivity issue.

 

Hint for those who are having similar issues:  Stop the new Zerotier container and empty the peers.d directory (/mnt/user/appdata/zerotier/zerotier-one/peers.d in the Unraid command window).

Once restarted, Zerotier will repopulate this directory.  The same thing may be necessary at the other end(s) too.

In my instance, success was indicated by my peers no longer appearing as RELAY hosts, but as DIRECT.

 

1ffxxxx11d 1.6.5  LEAF      -1 RELAY

becomes:

ddfxxxxc57 1.6.5  LEAF      -1 DIRECT 6090     16835    192.168.1.xxx/20052

 

Happy sailing,

Russell.

 


 Sorry for not getting back any sooner, I really tried it a lot of times but can't get to the desired results; to recap: 

On 3/23/2021 at 2:04 PM, Ford Prefect said:

So 10.1.30.249 is the ZT-Client / the ZT-Docker IP on your unraid host?

What network did you choose as transfer network in ZT central?

The ZT-Node/docker resides on my unraid-box with a bridged-connection

- 10.1.100.201 vlan-100

- ZT-IP 192.168.191.2

 

 

Quote

Do you have another client, like a laptop and installed the ZT-client on it and are you able to connect and ping the 10.1.30.249 IP or any other IP on your VLAN3??

Preferably from outside of your own network, via a 3G/4G connection or remote (W)LAN at a friend's or family place?

 

This would be the first step you need to achieve.

I have 3 ZT-Nodes

- ZT-Docker on unraid

--10.1.100.201 vlan-100

--ZT 192.168.191.2

 

- ZT-App on Windows

--192.168.90.1 vlan-90 / Mobile 4G Hotspot

--ZT 192.168.191.3

 

- ZT-App on Android

--Mobile 4G

--ZT 192.168.191.4

 

All on Version 1.6.5, Online, with Public-IP listed (wasn't the case when the zt-docker was in a vpn'd vlan);

All devices can ping each other through their ZT-IP with ping not higher than 128ms.

 

Quote

Zero-Tier is a LAN...in order to limit access to individual hosts in a network/LAN behind a zt-client, you should put the zt-docker in an additional, separate (V)LAN, different from VLAN3, and let the firewall rules in your pfsense decide which hosts are reachable/allowed from that zt-(V)LAN into your VLAN3.

My Plex-Server on unraid

- 10.1.30.1 vlan-30

 

My ZT-Node on unraid

--10.1.100.201 vlan-100

 

pfSense lets traffic pass from vlan-100 to the Plex-IP in vlan-30; this is now set up and working without problems. The ZT-docker can ping Plex.

 

Quote

Example (your zt-network IP in the range of 192.168.99.0/255.255.255.0):

 

Your PFsense/VLAN3 (10.1.30.1) - zt-docker (10.1.30.249 + zt-net-ip 192.168.99.2) - zt-central - zt-client-Laptop (zt-net-ip 192.168.99.22 - LAN-IP 192.168.1.120) - remote LAN gateway (192.168.1.1)

 

So, for the laptop to be able to reach your VLAN3, define (in ZT-central) the route to 10.1.30.0/24 with gateway=192.168.99.2 and of course the other path for returns (net 192.168.1.0/24 with gateway 192.168.99.22)

But wait, this is only half of the story ;-)

 

...second half of the story:

 

In order for IP packets to be able to reach in return from VLAN3 -net back to remote LAN 192.168.1.0/24, of course the router which is hosting VLAN3 needs to know the routes to zt-central (using the zt-client docker IP as gateway) as well.

That means, your pfsense needs to be part of the game as well ;-)

And should you wish the same for more hosts on the remote network and not just the laptop running zt-client, the remote router as well (which would form a true site2site connection)

 

That is the proper way of doing it, I think and also easier to maintain, should things change.

 

...I hope I was able to shed same light to the story. However, I will/can not help with your pfsense...I am a Mikrotik person ;-)

And here I'm stuck: In my desired scenario I'd like to have this one and only ZT-Node/docker route all the other ZT-Nodes to my Plex instance; as much as I understand from your statements (marked bold), do I need to set up a route for every node I let into my private-sdn?

At its core, all I want to accomplish is to use the ZT-Node on Unraid (vlan-100) to let all other ZT-Nodes access Plex (vlan-30) without much more than confirming those ZT-Nodes in ZT-Central.

Thanks for your help so far @Ford Prefect!

I really don't get it accomplished on my own, and I'm now under time-pressure as my closest relative has to go for 6+ months of cancer-treatment and I'd just like to get him the opportunity of audibles and live-tv while I can't be there on working hours.

- I know you're NOT my personal army

- I'm more than willing to pay someone to give me assistance

- Karma will be your friend in the long run

Thanks a lot for reading so far

Edited by Hank Moody
30 minutes ago, Hank Moody said:

 Sorry for not getting back any sooner, I really tried it a lot of times but can't get to the desired results; to recap: 

The ZT-Node/docker resides on my unraid-box with a bridged-connection

- 10.1.100.201 vlan-100

- ZT-IP 192.168.191.2

...so, this has moved since last time.

Nevertheless, this means that from inside your ZT-network, each ZT-client will have to use IP 192.168.191.2 as gateway for any host or network you would like to access via the ZT-docker.

 

30 minutes ago, Hank Moody said:

- ZT-App on Windows

--192.168.90.1 vlan-90 / Mobile 4G Hotspot

--ZT 192.168.191.3

just to clarify...vlan-90 also resides somewhere in your network and this client will connect, when on a premise local to that network i.e. via WLAN to vlan-90 or will it use a VPN as well when abroad?

When abroad, what networks will it connect to simultaneously - vlan-90 via VPN *PLUS* ZT via zt-client or only one at a time?

When connected to vlan-90 only, do you wish it to be able to connect to plex as well?

 

30 minutes ago, Hank Moody said:

- ZT-App on Android

--Mobile 4G

--ZT 192.168.191.4

OK, this is the one parent, with a remote device that should be able to access plex, right?

 

30 minutes ago, Hank Moody said:

All on Version 1.6.5, Online, with Public-IP listed (wasn't the case when the zt-docker was in a vpn'd vlan);

All devices can ping each other trough their ZT-IP with ping not higher than 128ms.

...good.

30 minutes ago, Hank Moody said:

 

My Plex-Server on unraid

- 10.1.30.1 vlan-30

 

My ZT-Node on unraid

--10.1.100.201 vlan-100

 

pfSense lets traffic pass from vlan-100 to the Plex-IP in vlan-30; this is now set up and working without problems.

OK, see my remark regarding clients in vlan-90 above.

Also: ZT is not doing NAT, so ZT clients will connect to any service with IPs from the 192.168.191.0/24 range.

So you want pfsense to allow traffic originating from 192.168.191.0/24 and destination 10.1.30.1 (plex).

 

30 minutes ago, Hank Moody said:

At its core, all I want to accomplish is to use the ZT-Node on Unraid (vlan-100) to let all other ZT-Nodes access Plex (vlan-30) without much more than confirming those ZT-Nodes in ZT-Central.

...then, in ZT central add a single route to the plex host 10.1.30.1/32 with gateway 192.168.191.2 (which is your zt-docker).

Note: since plex-docker and zt-docker do reside on the same unraid box, unraid (might) have a direct/local route available.

See my next response, below.

 

30 minutes ago, Hank Moody said:

And here I'm stuck: In my desired scenario I'd like to have this one and only ZT-Node/docker to route all the other ZT-Nodes to my Plex instance; as much as I understand from your statements (marked bold) do I need to setup a route for every node I let into my private-sdn?

 

Please check the routes on the unraid host (what is the output of "route -n" via command line)?

We need to find out which path packets from zt-clients take when trying to reach plex and also which way return packets from plex go, trying to get back to a zt-client. Here the correct gateway is 10.1.100.201 (the "unraid"-side/IP of your zt-docker).

All will depend on the routing table, i.e. whether unraid can identify the route/path locally or will use the default gateway (your pfsense).

2 hours ago, Ford Prefect said:

...so, this has moved since last time.

Nevertheless, this means that from inside your ZT-network, each ZT-client will have to use IP 192.168.191.2 as gateway for any host or network you would like to access via the ZT-docker.

Do I have to toggle anything in the ZT-Clients or is this done via ZT-Central?
[screenshot TM9am0d.png]

 

Quote

just to clarify...vlan-90 also resides somewhere in your network and this client will connect, when on a premise local to that network i.e. via WLAN to vlan-90 or will it use a VPN as well when abroad?

This is a local vlan, every client when away would connect via ZT.

 

Quote

When abroad, what networks will it connect to simultaneously - vlan-90 via VPN *PLUS* ZT via zt-client or only one at a time?

^Only one at a time

 

Quote

When connected to vlan-90 only, do you wish it to be able to connect to plex as well?

When I'm connected to vlan90 locally I have the fw-rules allowing me access to plex on vlan30

 

Quote

OK, this is the one parent, with a remote device that should be able to access plex, right?

Exactly

 

Quote

Also: ZT is not doing NAT, so ZT clients will connect to any service with IPs from the 192.168.191.0/24 range.

So you want pfsense to allow traffic originating from 192.168.191.0/24 and destination 10.1.30.1 (plex)

I tried my best, is this rule ok?
Alias zt_net_plex = 192.168.191.0/24
Alias media = 10.1.30.1

I'm unable to ping plex over zerotier..:/

[screenshot HcZTREq.png]

 

Quote

...then, in ZT central add a single route to the plex host 10.1.30.1/32 with gateway 192.168.191.2 (which is your zt-docker).

Note: since plex-docker and zt-docker do reside on the same unraid box, unraid (might) have a direct/local route available.

See my next response, below.

[screenshot qlOJeQA.png]

Quote

Please check the routes on the unraid host (what is the output of "route -n" via command line)?

We need to find out which path packets from zt-clients take when trying to reach plex and also which way return packets from plex go, trying to get back to a zt-client. Here the correct gateway is 10.1.100.201 (the "unraid"-side/IP of your zt-docker).

All will depend on the routing table, i.e. whether unraid can identify the route/path locally or will use the default gateway (your pfsense).

[screenshot ExXgjpR.png]

FYI I'm using 3 eth-ports, whereas only port-1 is used/bridged for docker;
- I have absolutely no clue where 172.17.0.0 and 192.168.122.0 come from (sweating a little bit..)


Man, THANK YOU!! :) I owe you a lot

Edited by Hank Moody
1 hour ago, Hank Moody said:

Do I have to toggle anything in the ZT-Clients or is this done via ZT-Central?
[screenshot TM9am0d.png]

NO, this should be OK on client side. 

 

1 hour ago, Hank Moody said:

I tried my best, is this rule ok?
Alias zt_net_plex = 192.168.191.0/24
Alias media = 10.1.30.1

...this is with pfsense? I have no clue how routes are defined or, even worse, firewall rules....BSD-style is something that never got sticky in my head, sorry.

This is the required logic...if an alias will help, just do/use it.

You need, in your pfsense firewall, to (if not allowed by default):

 

- allow forwarding of packets originating from zt_net_plex (state=new, incoming over vlan-100) to plex/media, IP 10.1.30.1.

- allow forwarding packets originating (state=established, =related, not=new, not=invalid) from plex/media to zt_net_plex 

 

Also, in your pfsense routing table:

- create a static route to zt_net_plex 192.168.191.0/24 with gateway 10.1.100.201 (unraid-zt-docker).

 

1 hour ago, Hank Moody said:

I'm unable to ping plex over zerotier..:/

because each connection needs a path towards its destination and for returns as well.

See my remarks above....at least that static route via zt-docker seems to be missing in pfsense.

 

1 hour ago, Hank Moody said:

 

[screenshot qlOJeQA.png]

...that looks OK now. Every zt-client trying to reach plex will direct the connection via the zt-docker interface ... just make sure that this IP 192.168.191.2 is allocated as static in zt-central ;-)

 

1 hour ago, Hank Moody said:

[screenshot ExXgjpR.png]

here you can see, that on the unraid host, there is no known route to zt-network (192.168.191.0/255.255.255.0).

Hence you need to route traffic via your pfsense...create the static route as described above....plex and zt-clients will, based on that routing table on your unraid host, direct outgoing traffic to your pfsense (the default gateways 10.1.30.254 / 10.1.100.254).

 

1 hour ago, Hank Moody said:

- I have absolutely no clue where 172.17.0.0 and 192.168.122.0 come from (sweating a little bit..)

these are default interfaces/IP-nets for Docker and Virtual-Machines, for when no custom network is used ... don't worry. 

 

....looks like you "only" need to get your pfsense setup updated. Unfortunately, I am not familiar with these, sorry.

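The "two halves of the story" from the posts above, as an added example that is not from the thread or the ZeroTier project: a longest-prefix-match routing simulation over constructed routing tables that use the thread's addresses (Android client 192.168.191.4, zt-docker 192.168.191.2/10.1.100.201, Plex 10.1.30.1, pfSense gateways 10.1.30.254/10.1.100.254). It assumes the interface names and the 203.0.113.1 upstream hop as placeholders, and shows that the forward path works once ZT Central carries the 10.1.30.1/32 route, while the return path dies at pfSense until the static route to 192.168.191.0/24 via 10.1.100.201 exists.

```python
import ipaddress

# Constructed topology following the thread's addresses (added example, not the
# thread's or the project's code). Interface names and the 203.0.113.1 upstream
# hop are placeholders; a node is (owned IPs, [(prefix, gateway or None, iface)]).
ANDROID = ({"192.168.191.4"}, [
    ("192.168.191.0/24", None, "zt0"),
    ("10.1.30.1/32", "192.168.191.2", "zt0"),  # managed route pushed by ZT Central
])
ZT_DOCKER = ({"192.168.191.2", "10.1.100.201"}, [
    ("192.168.191.0/24", None, "zt0"),
    ("10.1.100.0/24", None, "eth0"),
    ("0.0.0.0/0", "10.1.100.254", "eth0"),  # default gateway = pfSense on vlan-100
])
PLEX = ({"10.1.30.1"}, [
    ("10.1.30.0/24", None, "br0.30"),
    ("0.0.0.0/0", "10.1.30.254", "br0.30"),  # unraid knows no route to 192.168.191.0/24
])
PFSENSE_BASE = [
    ("10.1.30.0/24", None, "vlan30"),
    ("10.1.100.0/24", None, "vlan100"),
    ("0.0.0.0/0", "203.0.113.1", "wan"),  # placeholder upstream
]
STATIC_TO_ZT = ("192.168.191.0/24", "10.1.100.201", "vlan100")  # the missing static route

def lookup(table, dst):
    """Longest-prefix match; returns (network, gateway_or_None, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best

def topology(with_static_route):
    pf_table = PFSENSE_BASE + ([STATIC_TO_ZT] if with_static_route else [])
    return {"android": ANDROID, "zt-docker": ZT_DOCKER, "plex": PLEX,
            "pfsense": ({"10.1.30.254", "10.1.100.254"}, pf_table)}

def owner(topo, ip):
    """Node that owns this IP, or None (e.g. the WAN upstream is outside the model)."""
    return next((name for name, (ips, _) in topo.items() if ip in ips), None)

def trace(topo, src, dst, max_hops=8):
    """Hop-by-hop path from src to dst; a trailing None means the packet left the model."""
    path, node = [src], src
    for _ in range(max_hops):
        ips, table = topo[node]
        if dst in ips:
            return path
        hit = lookup(table, dst)
        nxt = None if hit is None else owner(topo, dst if hit[1] is None else hit[1])
        if nxt is None:
            return path + [None]
        node = nxt
        path.append(node)
    return path + [None]

if __name__ == "__main__":
    for static in (False, True):
        topo = topology(static)
        print(f"pfSense static route to 192.168.191.0/24: {static}")
        print("  android -> plex :", trace(topo, "android", "10.1.30.1"))
        print("  plex -> android :", trace(topo, "plex", "192.168.191.4"))
```

The firewall rules are a separate layer: even with both routes in place, pfSense still has to allow forwarding from 192.168.191.0/24 to 10.1.30.1 and the established/related replies back.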
