mwarning / zerotier-openwrt

An OpenWrt package for ZeroTier One - Pull requests are welcome!

Router without WAN? #61

Closed ezar closed 1 year ago

ezar commented 5 years ago

Hi, can I use this config (https://github.com/mwarning/zerotier-openwrt/wiki) to reach LAN IPs (192.168.1.0/24) if we don't use OpenWRT as a router?

I have a company router at 192.168.1.1 and OpenWRT AP LAN connection at 192.168.1.10.

Regards,

mwarning commented 5 years ago

Yes, you should be able to bridge the ZeroTier interface to the port of your OpenWrt router and let the other router in your network distribute IP addresses. If I understand you correctly, that is.

ezar commented 5 years ago

I opened UDP port 9993 on 192.168.1.1 and redirected it to 192.168.1.10. On 192.168.1.10 I made all the wiki configurations, but when I connect to ZeroTier I cannot see the 192.168.1.0/24 IPs.

I only see daemon.err zerotier-one[1840]: connect: Connection refused

Do you have any ideas?

ezar commented 5 years ago

Do I need to enable Bridging?

mwarning commented 5 years ago

@ogarcia do you understand the scenario ezar is trying to describe?

ezar commented 5 years ago

I'm trying to explain....

Router WAN - LAN: 192.168.1.1 (internet company router). Here I redirect UDP port 9993 to 192.168.1.10, the OpenWRT (configured as a wifi AP). On 192.168.1.10 I install ZeroTier using the wiki manual. The zt network works.

In this situation, if I connect a phone to the ZeroTier network, I can access 172.28.28.1 (the OpenWrt IP on ZeroTier), and I can access 192.168.1.10 (the OpenWrt IP, using the ZeroTier route). The problem is that I can't access any other IP in my network (192.168.1.0/24) through ZeroTier.

Regards,

ogarcia commented 5 years ago

@ezar you must define a route in ZeroTier Central: 192.168.1.0/24 via 172.28.28.1 (OpenWRT IP at ZeroTier). Next you must make sure that you have defined a vpn zone attached to the zerotier interface, with forwarding enabled from and to lan.

ezar commented 5 years ago

@ogarcia I set it up by following your fantastic manual. ZeroTier config: image

OpenWrt config: image

I change to 172.22.22.1 for testing.

Using an iPhone on 4G connected to ZeroTier, I can only ping 192.168.1.10 (openwrt).

Regards,

ogarcia commented 5 years ago

It's strange, you have everything configured well. Is your ZeroTier network linked with the ztXXXX interface? In /etc/config/network there should be something like this:

config interface 'ZeroTier'
    option proto 'none'
    option ifname 'ztXXXXXXXX'

ogarcia commented 5 years ago

Because I suppose that you can ping your machines from your OpenWRT router.

ezar commented 5 years ago

It's strange, you have everything configured well. Is your ZeroTier network linked with the ztXXXX interface? In /etc/config/network there should be something like this:

config interface 'ZeroTier'
  option proto 'none'
  option ifname 'ztXXXXXXXX'

Yes!

config interface 'ZeroTier'
        option ifname 'ztxxxxxxxxxx'
        option proto 'none'

ezar commented 5 years ago

Because I suppose that you can ping your machines from your OpenWRT router.

Yes. image

ogarcia commented 5 years ago

I have no idea what can be failing. All is well configured. :disappointed:

Can you try using a PC instead of an iPhone as the client, to execute ip route and tracepath?

mwarning commented 4 years ago

Any updates?

ezar commented 4 years ago

No. I cannot resolve it.

ogarcia commented 4 years ago

@ezar can you try using a PC as client?

dxmann commented 2 years ago

Same problem... any update?

ogarcia commented 2 years ago

@dxmann we need more info

Can you execute ip route in your client?

In ZeroTier Central, did you check Allow Ethernet Bridging on your router's entry in the members list?

dxmann commented 2 years ago

ZeroTier Central: the openwrt device has a fixed IP (172.25.0.1) and "allow ethernet bridging" enabled.
OpenWrt device: zerotier IP: 172.25.0.1, LAN IP: 192.6.21.194

root@OpenWrt:~# ip route
default via 192.6.21.254 dev br-lan proto static src 192.6.21.194
172.25.0.0/24 dev ztr4nq3plz proto kernel scope link src 172.25.0.1
192.6.21.0/24 dev br-lan proto kernel scope link src 192.6.21.194
root@OpenWrt:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether b8:d8:12:67:24:0d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::bad8:12ff:fe67:240d/64 scope link
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether b8:d8:12:67:24:0d brd ff:ff:ff:ff:ff:ff
    inet 192.6.21.194/24 brd 192.6.21.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fe80::bad8:12ff:fe67:240d/64 scope link
       valid_lft forever preferred_lft forever
6: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether b8:d8:12:67:24:0d brd ff:ff:ff:ff:ff:ff
7: ztr4nq3plz: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 5e:bf:92:d9:2e:7e brd ff:ff:ff:ff:ff:ff
    inet 172.25.0.1/24 brd 172.25.0.255 scope global ztr4nq3plz
       valid_lft forever preferred_lft forever
    inet6 fe80::20b7:40ff:fe22:224a/64 scope link
       valid_lft forever preferred_lft forever
8: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether b8:d8:12:67:24:0c brd ff:ff:ff:ff:ff:ff
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'ztr4nq3plz'
        list network 'lan'
        list network 'wifi1'

config include
        option path '/etc/firewall.user'

config rule
        option name 'Allow-ZeroTier-Inbound'
        list proto 'udp'
        option src '*'
        option dest_port '9993'
        option target 'ACCEPT'

ogarcia commented 2 years ago

@dxmann you need a new interface for zerotier and a new zone for forwarding between zerotier and lan.

/etc/config/network:

config interface 'ZeroTier'
        option ifname 'ztr4nq3plz'
        option proto 'none'

/etc/config/firewall:

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'ZeroTier'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'

And remove list device 'ztr4nq3plz' from the lan zone.

dxmann commented 2 years ago

ok, now I have

root@OpenWrt:~# ip route
default via 192.6.21.254 dev br-lan proto static src 192.6.21.194
172.25.0.0/24 dev ztr4nq3plz proto kernel scope link src 172.25.0.1
192.6.21.0/24 dev br-lan proto kernel scope link src 192.6.21.194
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wifi1'

config include
        option path '/etc/firewall.user'

config rule
        option name 'Allow-ZeroTier-Inbound'
        list proto 'udp'
        option src '*'
        option dest_port '9993'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'ZeroTier'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'

ogarcia commented 2 years ago

So now you have everything configured correctly. You should be able to reach the 192.6.21.0/24 network from the zerotier network.

If not, you should look at the client (the device you are trying to reach your network from) to see what the ip route command says, and even try to run a tracepath.

dxmann commented 2 years ago

I'm trying to ping and trace from an Android device with Fing as the app... I can reach 192.6.21.194 with both tools, but none of the other LAN IPs.

ogarcia commented 1 year ago

From what you say it seems that the problem is that your Android client is not correctly receiving the route that tells it that to reach the network 192.6.21.0/24 it must use the IP 172.25.0.1.

In ZeroTier Central, I understand that you have entered the route under Managed Routes? Destination: 192.6.21.0/24, Via: 172.25.0.1

dxmann commented 1 year ago

From what you say it seems that the problem is that your Android client is not correctly receiving the route that tells it that to reach the network 192.6.21.0/24 it must use the IP 172.25.0.1.

yes

In ZeroTier Central, I understand that you have entered the route under Managed Routes? Destination: 192.6.21.0/24, Via: 172.25.0.1

Yes. I have added 172.25.0.1 as a bridge too.

My phone is only a test: if it works I'll try to perform other kinds of connections between PCs and IoT.

dxmann commented 1 year ago

The strange thing is that the traceroute knows that the end device is behind the openwrt device, so from the phone the route reaches the openwrt router, but after that nothing else... so I think that there is something not configured or configured badly. I tried adding routing rules and static routes too, but without success. The zerotier device is in the vpn zone and the lan bridge in the lan zone: should they be placed in the same zone in order to share packets?

ogarcia commented 1 year ago

The zerotier device is in the vpn zone and the lan bridge in the lan zone: should they be placed in the same zone in order to share packets?

That is correct. You need each one to have its own zone and forward between them because you have different addressing.

The only thing I can think of is that your main router (the one that gives you internet) is "stopping" the packets that reach you through the VPN. Try to physically connect your OpenWrt router to some device and try to ping from/to it.

dxmann commented 1 year ago

This morning I did this test: phone hotspot > Linux wifi (?.?.?.?) > shared ethernet connection (10.42.0.1) > openwrt (eth 10.42.0.21, zt 172.25.0.1), from another PC on another network, connected with ZeroTier (172.25.0.201). On ZeroTier Central I added a route to 10.42.0.0/24 through 172.25.0.1; 172.25.0.1 is checked as a bridge. On OpenWRT I added a relay bridge between the LAN bridge and the zt interface. With this configuration I can

EDIT: with or without relay bridge between zt and lan the result does not change

ogarcia commented 1 year ago

Maybe the problem is in 10.42.0.1, which does not allow masked connections. That's why I told you to connect something (a PC or similar) directly to the OpenWrt router to test.

The truth is that I can't think of anything else, because all the configuration seems to be correct.

dxmann commented 1 year ago

OK WORKS!!!

Before: I cancelled the whole configuration; after that I re-created the config as in the tutorial. phone (zt) > zerotier cosmos > (zt) openwrt (lan) > pc (lan). OpenWrt does not work as a router but is a common connected device.

What happens?

  1. I can ping the openwrt zt interface
  2. I can ping the openwrt lan interface
  3. I cannot ping the pc (lan interface): in fact the pc receives the ping request with src ip = zt phone ip, so the response ping was sent from the pc to the lan gateway!

So I can resolve this in two ways:

  • set a route configuration on the pc (works with pc modification)
  • masquerade the traffic from openwrt.zt: all packets from the zt net will be masqueraded as if sent from openwrt's lan interface (works without pc modification); I achieved this config in this way: on Network > Firewall I set masquerading on lan > vpn. At this time it is not important to masquerade vpn > lan

hithamadel2004 commented 1 year ago

OK WORKS!!!

Before: I cancelled the whole configuration; after that I re-created the config as in the tutorial. phone (zt) > zerotier cosmos > (zt) openwrt (lan) > pc (lan). OpenWrt does not work as a router but is a common connected device.

What happens?

  1. I can ping the openwrt zt interface
  2. I can ping the openwrt lan interface
  3. I cannot ping the pc (lan interface): in fact the pc receives the ping request with src ip = zt phone ip, so the response ping was sent from the pc to the lan gateway!

So I can resolve this in two ways:

  • set a route configuration on the pc (works with pc modification)
  • masquerade the traffic from openwrt.zt: all packets from the zt net will be masqueraded as if sent from openwrt's lan interface (works without pc modification); I achieved this config in this way: on Network > Firewall I set masquerading on lan > vpn. At this time it is not important to masquerade vpn > lan

Hello dxmann, I need to do that. Can you give me a screenshot of the firewall and network interface?
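The closing diagnosis in this thread (the PC gets the request with the phone's ZeroTier address as source and sends the reply to its LAN default gateway, which has no route back) can be reproduced with a small routing and NAT model. The following is an added example, not code from the project or from any commenter: it replays the phone-to-PC ping for no fix, for each of dxmann's two fixes, and for masquerading on the vpn zone only (OpenWrt zone masquerading applies to traffic leaving through that zone's interfaces, so it does not rewrite packets heading into the LAN). The PC address 192.6.21.50 and the company router address 192.6.21.254 are assumed.

```python
import ipaddress as ipa

# Constructed model of the thread's final topology. Addresses come from the thread except the PC
# (192.6.21.50) and company router "gw" (192.6.21.254), assumed; gw has no route to 172.25.0.0/24.
LINKS = {"zt": {"phone", "openwrt"}, "lan": {"openwrt", "pc", "gw"}}
HOSTS = {  # per host: interfaces (dev -> address) and routes (prefix, via-gateway or None, dev)
    "phone": {"if": {"zt": "172.25.0.201"},
              "routes": [("172.25.0.0/24", None, "zt"), ("192.6.21.0/24", "172.25.0.1", "zt")]},
    "openwrt": {"if": {"zt": "172.25.0.1", "lan": "192.6.21.194"},
                "routes": [("172.25.0.0/24", None, "zt"), ("192.6.21.0/24", None, "lan"),
                           ("0.0.0.0/0", "192.6.21.254", "lan")]},
    "pc": {"if": {"lan": "192.6.21.50"}, "routes": []},  # filled in by ping()
    "gw": {"if": {"lan": "192.6.21.254"}, "routes": [("192.6.21.0/24", None, "lan")]},
}
ZONE = {"zt": "vpn", "lan": "lan"}  # OpenWrt firewall zone of each OpenWrt device

def route(host, dst):
    """Longest-prefix match in host's table; None when nothing matches."""
    hits = [(ipa.ip_network(p), via, dev) for p, via, dev in HOSTS[host]["routes"]
            if ipa.ip_address(dst) in ipa.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def hop(host, src, dst, masq, nat, path):
    """Carry a packet from `host` onward; returns (receiver, src, dst) on delivery, None if dropped."""
    path.append(host)
    local = HOSTS[host]["if"].values()
    if host == "openwrt" and (src, dst) in nat:      # reply to a masqueraded flow: map dst back
        dst = nat.pop((src, dst))
    if dst in local:
        return host, src, dst
    if (r := route(host, dst)) is None:              # no route: the packet is dropped here
        return None
    _, via, dev = r
    if host == "openwrt" and ZONE[dev] in masq and src not in local:
        nat[(dst, HOSTS[host]["if"][dev])] = src     # remember the flow so the reply can be un-NATed
        src = HOSTS[host]["if"][dev]                 # masquerade: SNAT to the exit-interface address
    nxt = next((h for h in LINKS[dev] if HOSTS[h]["if"].get(dev) == (via or dst)), None)
    return hop(nxt, src, dst, masq, nat, path) if nxt else None

def ping(masq=(), pc_route=False):
    """Phone -> PC echo request and the PC's reply; returns (request ok, reply ok, reply path)."""
    HOSTS["pc"]["routes"] = [("192.6.21.0/24", None, "lan"), ("0.0.0.0/0", "192.6.21.254", "lan")]
    if pc_route:  # dxmann's first fix: a static route on the PC pointing at OpenWrt
        HOSTS["pc"]["routes"].append(("172.25.0.0/24", "192.6.21.194", "lan"))
    nat, req_path, rep_path = {}, [], []
    got = hop("phone", HOSTS["phone"]["if"]["zt"], HOSTS["pc"]["if"]["lan"], masq, nat, req_path)
    if got is None:
        return False, False, req_path
    back = hop("pc", got[2], got[1], masq, nat, rep_path)  # PC replies to whatever source it saw
    return True, bool(back and back[0] == "phone"), rep_path
```

Without any fix, or with masq only on the vpn zone, the request arrives but the reply path ends at gw; with masq on the lan zone the reply returns through openwrt, as does the static-route fix on the PC.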