ChanceM / pfSense-pkg-zerotier

pfSense package to support zerotier.

Controller #11

Open willuk2010 opened 2 years ago

willuk2010 commented 2 years ago

Hey @ChanceM

Good work on this, I managed to build and deploy this on my pfSense router this evening, and I am able to connect to networks fine on the Zerotier dashboard.

But I'm trying to get the Controller working, I'm able to set up a controller network, but the client (on my iPhone) just shows Network not Found.

I must be missing something, or my understanding of how the controller works.. my assumption was I could create a controller network from pfSense, connect my clients (phone etc), and allow access to my devices behind the pfSense firewall.

Cheers!

willuk2010 commented 2 years ago

Ok scrap the above, I restarted zerotier on pfSense, and now the clients can find the network and connect, and I am able to authorise them, however no clients appear to get an IP address.

willuk2010 commented 2 years ago

Ok I'm close!

I read the documentation on how to set up a controller manually using curl, so I was able to set the IP ranges and route, which means I can now get a client registered to my controller, authorised, and an IP is given. But I can't ping any of them.

One thing I noticed, if I connect to a network created at zerotier central, I get an interface called "zt1ocu1pr84r8o3" in pfSense but when I create my own controller, I get 2 interfaces created, "tap9994" and "tap9995" but they always stay disconnected with "no carrier".
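
The manual controller setup mentioned in the comment above (IP ranges and a route set through the local API), as an added example that is not part of the thread or the package's code: it builds the network fields and rejects a pool that falls outside the managed route, one misconfiguration that leaves members authorised but without an address. The subnet, pool and helper names are constructed for illustration; the endpoint and `X-ZT1-Auth` header follow ZeroTier's controller API.

```python
import ipaddress
import json
import urllib.request


def build_network_config(route_cidr, pool_start, pool_end):
    """Build controller fields for managed IPv4 assignment; raise ValueError if inconsistent."""
    net = ipaddress.ip_network(route_cidr)  # rejects a CIDR with host bits set
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if net.version != 4:
        raise ValueError("v4AssignMode only covers IPv4 routes")
    if start not in net or end not in net:
        raise ValueError(f"pool {start}-{end} is outside managed route {net}")
    if start > end:
        raise ValueError("pool start is above pool end")
    if start == net.network_address or end == net.broadcast_address:
        raise ValueError("pool must exclude the network and broadcast addresses")
    return {
        "v4AssignMode": {"zt": True},  # let the controller hand out IPv4 addresses
        "ipAssignmentPools": [{"ipRangeStart": str(start), "ipRangeEnd": str(end)}],
        "routes": [{"target": str(net), "via": None}],  # on-link managed route
    }


def push_config(network_id, token, config, base="http://127.0.0.1:9993"):
    """POST the fields to the local controller; token is the content of authtoken.secret."""
    req = urllib.request.Request(
        f"{base}/controller/network/{network_id}",
        data=json.dumps(config).encode(),
        headers={"X-ZT1-Auth": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values; nothing is sent unless push_config() is called.
    cfg = build_network_config("10.147.20.0/24", "10.147.20.10", "10.147.20.200")
    print(json.dumps(cfg, indent=2))
```
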

ChanceM commented 2 years ago

I will have to spin up my VM and do some tests. I apologize for the delay in response, just coming back from a vacation. You should get a zt interface that you can assign and then you will need to manually set the IP to the one given from zt and add rules allowing traffic.

willuk2010 commented 2 years ago

No worries bud, hope you have had a good vacation!

Yeh I would have expected a zt interface, just like you do if you connect to a network using Zerotier Central using their controllers.. not sure why setting up your own controller creates the two "tap*" interfaces instead of the zt one.. I tried to look at how/where they are created but haven't figured that out yet.

ChanceM commented 2 years ago

So testing this, creating a network does in fact create a tap interface, but I only see one. Joining the network from the same device creates a ZT interface.

knightian commented 2 years ago

@ChanceM hello, thanks for this. How would we go about updating the package to v1.8.1?

ChanceM commented 2 years ago

> @ChanceM hello, thanks for this. How would we go about updating the package to v1.8.1?

I believe 1.6.6 is the latest available FreeBSD 12.

knightian commented 2 years ago

> So testing this, creating a network does in fact create a tap interface, but I only see one. Joining the network from the same device creates a ZT interface.

I have a zt interface and a tap interface after joining the network from the pfsense device. I assume we only use the zt interface set it up with the IP assigned from the controller and such? I'm getting direct connection to the controller but all other nodes have to relay to it and I can't ping in.

knightian commented 2 years ago

> > @ChanceM hello, thanks for this. How would we go about updating the package to v1.8.1?
>
> I believe 1.6.6 is the latest available FreeBSD 12.

Yea seems that way, so after some research I learned how to compile 1.8.1 and build my own pkg for it. Working on my pfsense (I looked at the file structure of the v1.6.6 pkg and copied that in my pkg from the compiled bins)

Link to my pkg if anyone else wants it https://we.tl/t-tNOBIrdV9B

knightian commented 2 years ago

> > So testing this, creating a network does in fact create a tap interface, but I only see one. Joining the network from the same device creates a ZT interface.
>
> I have a zt interface and a tap interface after joining the network from the pfsense device. I assume we only use the zt interface set it up with the IP assigned from the controller and such? I'm getting direct connection to the controller but all other nodes have to relay to it and I can't ping in.

Can confirm that at least when not running a controller on the pfsense device, it's safe to ignore the tap interface that shows up, just mount the ztxxxxxxxxxx interface that shows up and give it an IP in your zt network, assign it that same IP at the controller and then make your firewall rules correct and you're good :D (I just needed to tweak my firewall rules to fix the pinging in and relay vs direct etc).

v1.8.1 running fine.

opnwall commented 2 years ago

@knightian Your shared file has expired, the latest is 1.83, can you recompile and share it?

knightian commented 2 years ago

> @knightian Your shared file has expired, the latest is 1.83, can you recompile and share it?

Heya the official package has been updated to 1.8.3 so if you use the url in the readme and change 1.6.6 to 1.8.3 in the url, it will add the latest official package.

@fxn2020

opnwall commented 2 years ago

@knightian I really don't have the energy to build the environment needed for compilation. Could you share the pfsense-pkg-zerotier.txz you compiled, thank you in advance. My email: fxneng@gmail.com

brahmanggi commented 2 years ago

> > > @ChanceM hello, thanks for this. How would we go about updating the package to v1.8.1?
> >
> > I believe 1.6.6 is the latest available FreeBSD 12.
>
> Yea seems that way, so after some research I learned how to compile 1.8.1 and build my own pkg for it. Working on my pfsense (I looked at the file structure of the v1.6.6 pkg and copied that in my pkg from the compiled bins)
>
> Link to my pkg if anyone else wants it https://we.tl/t-tNOBIrdV9B

Hello @knightian, the link expired. I want to try it on my machine, thank you in advance.

opnwall commented 2 years ago

I compiled one by myself, you can download it if you need it. pfsense-pkg-zerotierzerotier1.83.txz

brahmanggi commented 2 years ago

> I compiled one by myself, you can download it if you need it. pfsense-pkg-zerotierzerotier1.83.txz

Thank you very much, do I need to compile it again or is it already a pkg file?

opnwall commented 2 years ago

@brahmanggi It has been compiled, downloaded and decompressed, uploaded to pfsense, installed in the shell environment, command: pkg install pfsense-pkg-zerotier.txz

brahmanggi commented 2 years ago

> @brahmanggi It has been compiled, downloaded and decompressed, uploaded to pfsense, installed in the shell environment, command: pkg install pfsense-pkg-zerotier.txz

yes, I will try to upload to my pfbox, and again thank you very much

knightian commented 2 years ago

Just be mindful if you remove the package, it keeps the config for the zt interface still in the config.xml and next boot the device gets blocked asking you to reassign the interfaces because it can no longer find the zt interface that it has a config specified for.

This is something I encountered during upgrade. So if you are remote accessing the box or have no local video/serial console access then best you never uninstall the package once installed.

ChanceM commented 2 years ago

@knightian I'm looking at this. I think I can remove the interfaces on deinstall to hopefully prevent this.

Updated Package for Install: https://app.box.com/s/m3a6m081d1gjpxrwob6rktfilrktsrnn

knightian commented 2 years ago

> @knightian I'm looking at this. I think I can remove the interfaces on deinstall to hopefully prevent this.
>
> Updated Package for Install: https://app.box.com/s/m3a6m081d1gjpxrwob6rktfilrktsrnn

Thanks, does the new package you posted have this fix?

ChanceM commented 2 years ago

@knightian not yet. This addition shows the interface associated with the network or a link to assign an interface for a new network, but that was just the first step, getting the associated interface so I can remove them on deinstall.

1ARdotNO commented 2 years ago

This is great work! Appreciate it :-)

knightian commented 2 years ago

@ChanceM is that issue of the interface getting removed and screwing up pfSense updates being worked on? It makes using the zerotier pkg in the field untenable because whenever we update pfSense we would have to visit the site and physically reset up the pfSense device :(

ChanceM commented 2 years ago

@knightian I would love to say yes, but the reality is I do not have a whole lot of time to devote to it. I did dig a little bit into it tonight, but nothing new to report.

opnwall commented 1 year ago

@ChanceM In pfSense plus 23.01, the plug-in can no longer be installed and used normally, and I hope it can be updated in time