[Support] spikhalskiy - ZeroTier



15 minutes ago, Hank Moody said:

I have pfsense/baremetal running 12vlans and a 100/60 connection.

 

VLAN 3 (10.1.30.0/24) is the Vlan where my Plex Servers reside (10.1.30.1 & 10.1.30.2). On the same Vlan there are 2 Steam Machines (10.1.30.40 & 10.1.30.41) I'd also like to 'share'.

 

My ZT resides in above Vlan3 (10.1.30.249), and with this Docker I'd just want to share Plex/Steam.

So 10.1.30.249 is the ZT-Client / the ZT-Docker IP on your unraid host?

What network did you choose as transfer network in ZT central?

 

Do you have another client, like a laptop and installed the ZT-client on it and are you able to connect and ping the 10.1.30.249 IP or any other IP on your VLAN3??

Preferably from outside of your own network, via a 3G/4G connection or remote (W)LAN at a friend's or family place?

 

This would be the first step you need to achieve.

 

 

 

 

15 minutes ago, Hank Moody said:

To my understanding it would be possible to use ZT for multiple Vlans, but for simplicity I'd rather start with one Vlan properly set-up 😅

Well, yes...but VLAN tags are not passed across the ZT network, I think (actually I did not try)...so think of connecting LANs, not especially VLANs.

You should think of each ZT-network as a Layer 3 Switch.

Each ZT-Client, when connected to a ZT-Network is part of a LAN-IP Segment of that network. That means they are already, internally connected to each other.

As each ZT-client has an outside ZT connection, as it also sits in a LAN local to the ZT-client, like your ZT-docker or your Parent's laptop in their local LAN, think of each ZT-Client as a (possible) site-2-site connection gateway, using their internal ZT-network as transfer network.

 

Example (your zt-network IP in the range of 192.168.99.0/255.255.255.0):

 

Your PFsense/VLAN3 (10.1.30.1) - zt-docker (10.1.30.249 + zt-net-ip 192.168.99.2) - zt-central - zt-client-Laptop (zt-net-ip 192.168.99.22 - LAN-IP 192.168.1.120) - remote LAN gateway (192.168.1.1)

 

So, for the laptop to be able to reach your VLAN3, define (in ZT-central) the route to 10.1.30.0/24 with gateway=192.168.99.2 and of course the other path for returns (net 192.168.1.0/24 with gateway 192.168.99.22)

But wait, this is only half of the story ;-)

 

15 minutes ago, Hank Moody said:

Where do the routes have to go? Only ZT-Central? Or do I need to tweak pfsense/vlan-rules too?

...second half of the story:

 

In order for IP packets to be able to get back from the VLAN3-net to the remote LAN 192.168.1.0/24, of course the router which is hosting VLAN3 needs to know the routes to zt-central (using the zt-client docker IP as gateway) as well.

That means, your pfsense needs to be part of the game as well ;-)

And should you wish the same for more hosts on the remote network and not just the laptop running zt-client, the remote router as well (which would form a true site2site connection)

 

15 minutes ago, Hank Moody said:

 

As said above I read the entire thread couple of times, especially the posts of @Ford Prefect

about adding routes, but: I intend to only add certain hosts from the Vlan, not the entire network.

 

Zero-Tier is a LAN...in order to limit access to individual hosts in a network/LAN behind a zt-client, you should put the zt-docker in an additional, separate (V)LAN, different from VLAN3 and let the firewall rules in your pfsense decide which hosts are reachable/allowed from that zt-(V)LAN into your VLAN3.

That is the proper way of doing it, I think and also easier to maintain, should things change.

However, this is routing (performance wise) and might involve more resources on your pfsense box.

 

15 minutes ago, Hank Moody said:

 

I'm at a loss and every help is much appreciated! Especially how the routes should look like as I had a HARD time setting pfsense up.. 🤣

 

...I hope I was able to shed some light on the story. However, I will/can not help with your pfsense...I am a Mikrotik person ;-)

If you already have 12 VLANs running, a 13th shouldn't present a problem, should it?


Hi all,

I have successfully configured ZeroTier and can access my Unraid server from my mobile phone outside of my wifi. But I need some help to define the route to the rest of the network outside of the Unraid IP.

 

Unraid is part of 192.168.1.x, I can access all services running on the Unraid services but not any other IPs in the subnet.

I have tried to run the user script/commands to setup a route with IPtables but it did not work. I would like to use the GUI to have better control over this but I am not sure what do I need to add in the "Routing table" under "Network settings".

Thanks in advance!


zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)  

 

UNRAID can access other devices and other devices cannot access UNRAID

Edited by xukai

Hi,

Are there plans to upgrade the Zerotier version to 1.6.5 any time soon?

 

I'm having the Zerotier 'Coma' problem where some hosts can't communicate with others in the same network, and the upgrade to 1.6.5 is recommended.  I've tried downgrading one other host to 1.6.2 and it fixed the problem, for a while.

 

Cheers,

Russell

Edit: new version available.

Edited by Russell_C
Version update
On 4/13/2021 at 10:16 AM, Russell_C said:

Hi,

Are there plans to upgrade the Zerotier version to 1.6.4 any time soon?

 

I'm having the Zerotier 'Coma' problem where some hosts can't communicate with others in the same network, and the upgrade to 1.6.4 is recommended.  I've tried downgrading one other host to 1.6.2 and it fixed the problem, for a while.

 

Cheers,

Russell

Same. It was working but after one day, I cannot connect to my unraid server anymore. An upgrade will be very much helpful.

On 4/1/2021 at 7:14 PM, chortya said:

Hi all,

I have successfully configured ZeroTier and can access my Unraid server from my mobile phone outside of my wifi. But I need some help to define the route to the rest of the network outside of the Unraid IP.

 

Unraid is part of 192.168.1.x, I can access all services running on the Unraid services but not any other IPs in the subnet.

I have tried to run the user script/commands to setup a route with IPtables but it did not work. I would like to use the GUI to have better control over this but I am not sure what do I need to add in the "Routing table" under "Network settings".

Thanks in advance!

This cannot be solved with unraid network settings.

For other clients in your IP segment, their gateway (aka your router, 192.168.1.1) needs to know the route back to the zt transfer net, with the zt-client on unraid as the gateway to the "other side".

 


Thank you Dmitry!

 

That's fixed my connectivity issue.

 

Hint for those who are having similar issues:  Stop the new Zerotier container and empty the peers.d directory (/mnt/user/appdata/zerotier/zerotier-one/peers.d in the Unraid command window).

Once restarted, Zerotier will repopulate this directory.  The same thing may be necessary at the other end(s) too.

In my instance, success was indicated by my peers no longer appearing as RELAY hosts, but as DIRECT.

 

1ffxxxx11d 1.6.5  LEAF      -1 RELAY

becomes:

ddfxxxxc57 1.6.5  LEAF      -1 DIRECT 6090     16835    192.168.1.xxx/20052

 

Happy sailing,

Russell.

 

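As an added example (not code from the post or from ZeroTier), here is a parser for the `zerotier-cli peers` column layout quoted above that flags LEAF peers still going through a RELAY, the state Russell's peers.d hint is meant to clear. The sample output is constructed: the masked addresses from the post plus two made-up peers.

```python
# Constructed sample in the column layout of `zerotier-cli peers` (not real output):
# the two masked rows from the post above plus a made-up root (PLANET) and LEAF peer.
SAMPLE = """\
200 peers
<ztaddr>   <ver>  <role> <lat> <link>   <lastTX> <lastRX> <path>
1ffxxxx11d 1.6.5  LEAF      -1 RELAY
ddfxxxxc57 1.6.5  LEAF      -1 DIRECT   6090     16835    192.168.1.xxx/20052
62f865ae71 -      PLANET    21 DIRECT   1234     1234     203.0.113.10/9993
a1b2c3d4e5 1.6.5  LEAF      93 DIRECT   5000     5100     198.51.100.7/41500
"""


def parse_peers(text):
    """Turn `zerotier-cli peers` output into dicts.

    RELAY rows carry only five columns (no lastTX/lastRX/path), so the path
    is None for them; the status line and the header row are skipped.
    """
    peers = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] == "200" or cols[0].startswith("<"):
            continue
        peers.append({
            "ztaddr": cols[0],
            "version": cols[1],
            "role": cols[2],
            "latency_ms": int(cols[3]),      # -1 means latency is unknown
            "link": cols[4],                 # DIRECT or RELAY
            "path": cols[7] if len(cols) >= 8 else None,
        })
    return peers


def relayed_leaves(peers):
    """ZT addresses of LEAF peers that are not DIRECT: the symptom Russell describes."""
    return [p["ztaddr"] for p in peers
            if p["role"] == "LEAF" and p["link"] != "DIRECT"]


if __name__ == "__main__":
    parsed = parse_peers(SAMPLE)
    print(f"{len(parsed)} peers parsed")
    for addr in relayed_leaves(parsed):
        print(f"peer {addr} is still relayed; consider the peers.d reset described above")
```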

 Sorry for not getting back any sooner, I really tried it a lot of times but can't get to the desired results; to recap: 

On 3/23/2021 at 2:04 PM, Ford Prefect said:

So 10.1.30.249 is the ZT-Client / the ZT-Docker IP on your unraid host?

What network did you choose as transfer network in ZT central?

The ZT-Node/docker resides on my unraid-box with a bridged-connection

- 10.1.100.201 vlan-100

- ZT-IP 192.168.191.2

 

 

Quote

Do you have another client, like a laptop and installed the ZT-client on it and are you able to connect and ping the 10.1.30.249 IP or any other IP on your VLAN3??

Preferably from outside of your own network, via a 3G/4G connection or remote (W)LAN at a friend's or family place?

 

This would be the first step you need to achieve.

I have 3 ZT-Nodes

- ZT-Docker on unraid

--10.1.100.201 vlan-100

--ZT 192.168.191.2

 

- ZT-App on Windows

--192.168.90.1 vlan-90 / Mobile 4G Hotspot

--ZT 192.168.191.3

 

- ZT-App on Android

--Mobile 4G

--ZT 192.168.191.4

 

All on Version 1.6.5, Online, with Public-IP listed (wasn't the case when the zt-docker was in a vpn'd vlan);

All devices can ping each other through their ZT-IP with ping not higher than 128ms.

 

Quote

Zero-Tier is a LAN...in order to limit access to individual hosts in a network/LAN behind a zt-client, you should put the zt-docker in an additional, separate (V)LAN, different from VLAN3 and let the firewall rules in your pfsense decide which hosts are reachable/allowed from that zt-(V)LAN into your VLAN3.

My Plex-Server on unraid

- 10.1.30.1 vlan-30

 

My ZT-Node on unraid

--10.1.100.201 vlan-100

 

pfSense lets traffic pass from vlan-100 to the Plex-IP in vlan-30; this is now set up and working without problems. The ZT-docker can ping Plex.

 

Quote

Example (your zt-network IP in the range of 192.168.99.0/255.255.255.0):

 

Your PFsense/VLAN3 (10.1.30.1) - zt-docker (10.1.30.249 + zt-net-ip 192.168.99.2) - zt-central - zt-client-Laptop (zt-net-ip 192.168.99.22 - LAN-IP 192.168.1.120) - remote LAN gateway (192.168.1.1)

 

So, for the laptop to be able to reach your VLAN3, define (in ZT-central) the route to 10.1.30.0/24 with gateway=192.168.99.2 and of course the other path for returns (net 192.168.1.0/24 with gateway 192.168.99.22)

But wait, this is only half of the story ;-)

 

...second half of the story:

 

In order for IP packets to be able to reach in return from VLAN3 -net back to remote LAN 192.168.1.0/24, of course the router which is hosting VLAN3 needs to know the routes to zt-central (using the zt-client docker IP as gateway) as well.

That means, your pfsense needs to be part of the game as well ;-)

And should you wish the same for more hosts on the remote network and not just the laptop running zt-client, the remote router as well (which would form a true site2site connection)

 

That is the proper way of doing it, I think and also easier to maintain, should things change.

 

...I hope I was able to shed same light to the story. However, I will/can not help with your pfsense...I am a Mikrotik person ;-)

And here I'm stuck: In my desired scenario I'd like to have this one and only ZT-Node/docker to route all the other ZT-Nodes to my Plex instance; as much as I understand from your statements (marked bold) do I need to setup a route for every node I let into my private-sdn?

 

At its core, all I want to accomplish is to use the ZT-Node on Unraid (vlan-100) to let all other ZT-Nodes access Plex (vlan-30) without much more than confirming those ZT-Nodes in ZT-Central.

Thanks for your help so far @Ford Prefect!

Thanks a lot for reading so far

Edited by Hank Moody
30 minutes ago, Hank Moody said:

 Sorry for not getting back any sooner, I really tried it a lot of times but can't get to the desired results; to recap: 

The ZT-Node/docker resides on my unraid-box with a bridged-connection

- 10.1.100.201 vlan-100

- ZT-IP 192.168.191.2

...so, this has moved since last time.

Nevertheless, this means that from inside your ZT-network, each ZT-client will have to use IP 192.168.191.2 as gateway for any host or network you would like to access via the ZT-docker.

 

30 minutes ago, Hank Moody said:

- ZT-App on Windows

--192.168.90.1 vlan-90 / Mobile 4G Hotspot

--ZT 192.168.191.3

just to clarify...vlan-90 also resides somewhere in your network and this client will connect, when on a premise local to that network i.e. via WLAN to vlan-90 or will it use a VPN as well when abroad?

When abroad, what networks will it connect to simultaneously - vlan-90 via VPN *PLUS* ZT via zt-client or only one at a time?

When connected to vlan-90 only, do you wish it to be able to connect to plex as well?

 

30 minutes ago, Hank Moody said:

- ZT-App on Android

--Mobile 4G

--ZT 192.168.191.4

OK, this is the one parent, with a remote device that should be able to access plex, right?

 

30 minutes ago, Hank Moody said:

All on Version 1.6.5, Online, with Public-IP listed (wasn't the case when the zt-docker was in a vpn'd vlan);

All devices can ping each other through their ZT-IP with ping not higher than 128ms.

...good.

30 minutes ago, Hank Moody said:

 

My Plex-Server on unraid

- 10.1.30.1 vlan-30

 

My ZT-Node on unraid

--10.1.100.201 vlan-100

 

pfSense lets traffic pass from vlan-100 to the Plex-IP in vlan-30; this is now set up and working without problems.

OK, see me remark regarding clients in vlan-90 above.

Also: ZT is not doing NAT, so ZT clients will connect to any service with IPs from the 192.168.191.0/24 range.

So you want pfsense to allow traffic originating from 192.168.191.0/24 and destination 10.1.30.1 (plex)

 

30 minutes ago, Hank Moody said:

At its core, all I want to accomplish is to use the ZT-Node on Unraid (vlan-100) to let all other ZT-Nodes access Plex (vlan-30) without much more than confirming those ZT-Nodes in ZT-Central.

...then, in ZT central add a single route to the plex host 10.1.30.1/32 with gateway 192.168.191.2 (which is your zt-docker).

Note: since plex-docker and zt-docker do reside on the same unraid box, unraid (might) have a direct/local route available.

See my next response, below.

 

30 minutes ago, Hank Moody said:

And here I'm stuck: In my desired scenario I'd like to have this one and only ZT-Node/docker to route all the other ZT-Nodes to my Plex instance; as much as I understand from your statements (marked bold) do I need to setup a route for every node I let into my private-sdn?

 

please check the routes on the unraid host (what is the output of "route -n" via command line)?

 

We need to find out which path packets from zt-clients take when trying to reach plex and also which way return packets from plex go, trying to get back to a zt-client. Here the correct gateway is 10.1.100.201 (the "unraid"-side/IP of your zt-docker).

All will depend on the routing table if unraid can identify the route/path locally or will use the default gateway (your pfsense).

2 hours ago, Ford Prefect said:

...so, this has moved since last time.

Nevertheless, this means that from inside your ZT-network, each ZT-client will have to use IP 192.168.191.2 as gateway for any host or network you would like to access via the ZT-docker.

Do I have to toggle anything in the ZT-Clients or is this done via ZT-Central?
[screenshot]

 

Quote

just to clarify...vlan-90 also resides somewhere in your network and this client will connect, when on a premise local to that network i.e. via WLAN to vlan-90 or will it use a VPN as well when abroad?

This is a local vlan, every client when away would connect via ZT.

 

Quote

When abroad, what networks will it connect to simultaneously - vlan-90 via VPN *PLUS* ZT via zt-client or only one at a time?

^Only one at a time

 

Quote

When connected to vlan-90 only, do you wish it to be able to connect to plex as well?

When I'm connected to vlan90 locally I have the fw-rules allowing me access to plex on vlan30

 

Quote

OK, this is the one parent, with a remote devioce that should be able to access plex, right?

Exactly

 

Quote

Also: ZT is not doing NAT, so ZT clients will connect to any service with IPs from the 192.168.191.0/24 range.

So you want pfsense to allow traffic originating from 192.168.191.0/24 and destination 10.1.30.1 (plex)

I tried my best, is this rule ok?
Alias zt_net_plex = 192.168.191.0/24
Alias media = 10.1.30.1

I'm unable to ping plex over zerotier..:/

[screenshot]

 

Quote

...then, in ZT central add a single route to the plex host 10.1.30.1/32 with gateway 192.168.191.2 (which is your zt-docker).

Note: since plex-docker and zt-docker do reside on the same unraid box, unraid (might) have a direct/local route available.

See my next response, below.

[screenshot]

Quote

please check the routes on the unraid host (what is the output of "route -n" via command line)?

 

We need to find out which path packets from zt-clients take when trying to reach plex and also which way return packets from plex go, trying to get back to a zt-client. Here the correct gateway is 10.1.100.201 (the "unraid"-side/IP of your zt-docker).

All will depend on the routing table if unraid can identify the route/path locally or will use the default gateway (your pfsense).

[screenshot]

FYI I'm using 3 eth-ports, whereas only port-1 is used/bridged for docker;
- I have absolutely no clue where 172.17.0.0 and 192.168.122.0 come from (sweating a little bit..)


Man, THANK YOU!! :) I owe you a lot

Edited by Hank Moody
1 hour ago, Hank Moody said:

Do I have to toggle anything in the ZT-Clients or is this done via ZT-Central?
[screenshot]

NO, this should be OK on client side. 

 

1 hour ago, Hank Moody said:

I tried my best, is this rule ok?
Alias zt_net_plex = 192.168.191.0/24
Alias media = 10.1.30.1

...this is with pfsense? I have no clue how routes are defined or even worse, firewall rules....BSD-style is something that never got sticky in my head, sorry.

 

This is the required logic...if an alias will help, just do/use it.

You need, in your pfsense firewall, to (if not allowed by default):

 

- allow forwarding of packets originating from zt_net_plex (state=new, incoming over vlan-100) to plex/media, IP 10.1.30.1.

- allow forwarding packets originating (state=established, =related, not=new, not=invalid) from plex/media to zt_net_plex 

 

Also, in your pfsense routing table:

- create a static route to zt_net_plex 192.168.191.0/24 with gateway 10.1.100.201 (unraid-zt-docker).

 

1 hour ago, Hank Moody said:

I'm unable to ping plex over zerotier..:/

because each connection needs a path towards its destination and for returns as well.

See my remarks above....at least that static route via zt-docker seems to be missing in pfsense.

 

1 hour ago, Hank Moody said:

 

[screenshot]

...that looks OK now. Every zt-client trying to reach plex will direct the connection via the zt-docker interface ... just make sure that this IP 192.168.191.2 is allocated as static in zt-central ;-)

 

1 hour ago, Hank Moody said:

[screenshot]

here you can see, that on the unraid host, there is no known route to zt-network (192.168.191.0/255.255.255.0).

Hence you need to route traffic via your pfsense...create the static route as described above....plex and zt-clients will, based on that routing table on your unraid host, direct outgoing traffic to your pfsense (the default gateways 10.1.30.254 / 10.1.100.254).

 

1 hour ago, Hank Moody said:

- I have absolutely no clue where 172.17.0.0 and 192.168.122.0 come from (sweating a little bit..)

these are default interfaces/IP-nets for Docker and Virtual-Machines, for when no custom network is used ... don't worry. 

 

....looks like you "only" need to get your pfsense setup updated. Unfortunately, I am not familiar with these, sorry.

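To make the forward-and-return-path argument from the posts above concrete, here is an added example (not code from the thread, from ZeroTier or from pfsense): a small longest-prefix-match routing simulation over the addresses posted in this thread. It shows the packet from a ZT client reaching Plex on the way out, while the reply dies at pfsense until the static route to 192.168.191.0/24 via 10.1.100.201 is added. The device names, the "WAN" placeholder for pfsense's upstream route and the assumption that the zt-docker forwards packets between zt0 and vlan-100 are mine; the firewall rules are not modelled.

```python
import ipaddress

# Constructed model of the topology discussed in this thread (addresses as posted:
# ZT net 192.168.191.0/24, zt-docker 192.168.191.2 / 10.1.100.201, Plex 10.1.30.1,
# pfsense gateways 10.1.100.254 and 10.1.30.254). "WAN" stands in for pfsense's
# upstream default route. Assumed: the zt-docker forwards IP between zt0 and vlan-100.


def lookup(routes, dst):
    """Longest-prefix match over [(prefix, next_hop)]; next_hop None means on-link."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def build_topology(pfsense_static_route):
    """Per-device routing tables; the flag adds the static route Ford Prefect asks for."""
    pfsense_routes = [("10.1.100.0/24", None), ("10.1.30.0/24", None), ("0.0.0.0/0", "WAN")]
    if pfsense_static_route:
        pfsense_routes.append(("192.168.191.0/24", "10.1.100.201"))
    return {
        # remote ZT client (e.g. the Android phone on 4G); the /32 route is pushed by ZT Central
        "zt-client": {"addrs": {"192.168.191.3"},
                      "routes": [("192.168.191.0/24", None), ("10.1.30.1/32", "192.168.191.2")]},
        "zt-docker": {"addrs": {"192.168.191.2", "10.1.100.201"},
                      "routes": [("192.168.191.0/24", None), ("10.1.100.0/24", None),
                                 ("0.0.0.0/0", "10.1.100.254")]},
        "pfsense": {"addrs": {"10.1.100.254", "10.1.30.254"}, "routes": pfsense_routes},
        # Plex on vlan-30: no route to the ZT net, so replies go to the default gateway
        "plex": {"addrs": {"10.1.30.1"},
                 "routes": [("10.1.30.0/24", None), ("0.0.0.0/0", "10.1.30.254")]},
    }


def trace(topology, start, dst, max_hops=8):
    """Walk hop by hop from device `start` toward IP `dst`; returns (hops, outcome)."""
    owner_of = {ip: name for name, dev in topology.items() for ip in dev["addrs"]}
    hops, host = [start], start
    for _ in range(max_hops):
        if dst in topology[host]["addrs"]:
            return hops, "delivered"
        match = lookup(topology[host]["routes"], dst)
        if match is None:
            return hops, f"no route at {host}"
        target = dst if match[1] is None else match[1]
        if target not in owner_of:
            return hops, f"dropped at {host}: next hop {target} leaves the modelled network"
        host = owner_of[target]
        hops.append(host)
    return hops, "hop limit exceeded (routing loop?)"


def check_plex_reachability(pfsense_static_route):
    """Forward path (ZT client -> Plex) and return path (Plex -> ZT client)."""
    topo = build_topology(pfsense_static_route)
    return trace(topo, "zt-client", "10.1.30.1"), trace(topo, "plex", "192.168.191.3")


if __name__ == "__main__":
    for flag in (False, True):
        fwd, ret = check_plex_reachability(flag)
        print(f"static route on pfsense: {flag}")
        print("  forward:", " -> ".join(fwd[0]), "|", fwd[1])
        print("  return: ", " -> ".join(ret[0]), "|", ret[1])
```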
3 hours ago, Braulio said:

I started the ZeroTier container in unraid and now I can't connect through the web to manage the unraid.

How to solve this? I can't restart the unraid because it doesn't access anything.

 

Hi Braulio, connect a keyboard and monitor to your unraid server and stop the zerotier container through the terminal console.

 

3 hours ago, DjBill said:

 

Hi Braulio, connect a keyboard and monitor to your unraid server and stop the zerotier container through the terminal console.

 

I didn't make it. Start in visual mode (second option) and it doesn't open.

Inside the pendrive, what is the docker file? Can I delete it?

 

Maybe I can edit the zerotier XML on the flash USB and change "load auto" to false.

Do you know where in xml?

Edited by Braulio
10 hours ago, DjBill said:

...

...

...

Then, in the console, go to /boot/config/plugins/dockerMan/templates-user and delete the file my-[docker name].xml.

 

I managed to stop the docker. Thanks

But I tried to connect again and the same error happened.
Why when I connect the zerotier unraid it loses the connection?


Hi! Thanks for bringing this app to Unraid, it's a great solution for people like me that don't want to deal with more complex VPNs.

 

I spent some days reading this topic but I'm having trouble setting up your container. If I use it as a Host network it always goes to Offline mode; if I use it as Bridge it connects and I can ping it from other devices with the ZT ip for the container, but I don't have access to the Unraid webgui. I can only access containers that I use with the parameter "-net=container:ZeroTier", but it seems not to communicate with Unraid itself.

 

I can access, without problem, other servers at home where I installed ZeroTier as a service, like one server that has OMV 5 installed (Raspberry Pi Debian). And my computers (Macos) can access each other without problem over the ZT lan. I can share files, remote control display...)

 

Maybe it's something related to my LAN being behind a double-NAT router setup, as I am connected by an Ubiquiti "LiteBeam 5AC Gen2" antenna that I don't control, which is plugged into my pfSense router on the WAN port.

For example to use Plex remotely I had to ask my ISP to open the Plex port and port-forward it to my Unraid server on the pfSense router.

But if this is the case, I don't get why my Raspberry Pi with ZeroTier as a service connects fine.

 

I also tried to use the 1.6.2 tag but without luck, so I guess it's something related to my setup.

 

Hope someone can point me in the right direction. Thanks in advance!

[three screenshots attached, taken 2021-09-12]

 

EDIT:

After one hour running the docker container on Host mode, seems to be connected right now. Maybe in my case it took longer to connect on Host mode, strange. I have access to Unraid Webgui and can ssh using 4g phone connection.

 

Hope it keeps running without problems.

I'm going to leave this post as maybe someone with same problem can just try to leave it running for a while.

 

EDIT 2:

Now it seems not to be connecting again. For no reason.

Edited by guillelopez