mwarning / zerotier-openwrt

An OpenWrt package for ZeroTier One - Pull requests are welcome!

L2 Bridge to LAN #70

Closed fundef1 closed 4 years ago

fundef1 commented 4 years ago

Hi, I have an unusual openwrt setup and can't get zerotier to bridge into my lan. Hope you guys can help me out.

Config prior to installing ZT: providerrouter@10.0.0.1 - wrt@10.0.0.2 - LAN:10.0.0.0/16

wrt runs DNS/DHCP and declares 10.0.0.1 as gateway. wrt only has a br-lan interface bridging all ports/wifi together and also runs a transparent firewall using iptables and --physdev to identify the ports and allow/drop traffic. (I'm not using the built-in zone-based firewall.) This setup works fine. (Although, just to be sure, I have disabled the firewall altogether.)

```
~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

I've installed ZT, and the connection seems fine:

```
~# zerotier-cli info
200 info <id> 1.4.6 ONLINE
```

Then I added the ztxxxx interface to the bridge; snippet from /etc/config/network:

```
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ip6assign '60'
	list dns '1.1.1.1'
	option gateway '10.0.0.1'
	option ip6ifaceid '::2'
	option ipaddr '10.0.0.2'
	option netmask '255.255.0.0'
	option ifname 'eth0.1 eth1.2 ztxxxxxxxxx'
```

Note, I did not create an "interface" for ztxxxxxx.

On the ZT portal I defined a managed route 10.0.0.0/15 (lan). "Allow ethernet bridging" on wrt and "do not assign IP" are checked (although I did set the IP to 10.0.0.0.2). The other IPs are assigned from 10.0.10.1-10.0.10.254.

The end result (thanks for reading this far): I can access LuCI on 10.0.0.2 but can't access any other device in the LAN.

I'm guessing the ztxxxxxxx in the lan definition isn't correct, but I'm at a loss on how to correct it. Any help much appreciated.

ogarcia commented 4 years ago

As I can read, you have defined your network as 10.0.0.0/16, but your ZT network as 10.0.0.0/15. This does not have much impact if your IPs are always 10.0.x.x, but just to make sure it is not causing something strange.

From your router, can you ping ZT and LAN?

fundef1 commented 4 years ago

Thanks for the comment. I thought the recommendation was to set the managed route 'one larger', but to be honest I'm not entirely clear on what the managed route on the ZT portal accomplishes here.

> FAQ: Why is the Managed Route /23 and the LAN subnet /24?
>
> Say you have a laptop that is on the ZeroTier network and you bring it home. Now its WiFi address and ZeroTier address are in the same subnet. Which interface/address should your laptop use for internet access? https://en.wikipedia.org/wiki/Longest_prefix_match

Anyway, I think I have resolved the issue (sleep always helps): the server I was trying to reach didn't get its subnet mask from DHCP but was fixed to (the old) /24 (10.0.0.3/24) and was sending reply traffic to its gateway instead of the ZT 'lan' device.

Now the ZT device can reach the LAN and LAN devices can reach ZT without issues. Thanks.
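An added example, not from this thread or the zerotier-openwrt project: a small Python model of the two routing decisions discussed above, the longest-prefix-match rule from the quoted FAQ (why a /23 managed route loses to the /24 LAN at home) and the on-link check that made the /24-masked server send its replies for 10.0.10.x to the gateway instead of onto the bridged ZT segment. Interface names and the routing table are assumed for illustration.

```python
import ipaddress

# Constructed routing table for the laptop in the FAQ: its home WiFi
# subnet (/24) and the broader ZeroTier managed route (/23) overlap.
LAPTOP_ROUTES = [
    ("10.0.0.0/24", "wlan0"),   # home LAN, learned from DHCP
    ("10.0.0.0/23", "zt0"),     # ZeroTier managed route, "one larger"
    ("0.0.0.0/0", "wlan0"),     # default route
]


def longest_prefix_match(routes, dst):
    """Return the interface of the most specific route containing dst.

    Kernels pick the longest matching prefix, so the /24 LAN route wins
    over the /23 managed route for addresses inside the home subnet.
    """
    dst = ipaddress.ip_address(dst)
    best_net, best_via = None, None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    return best_via


def next_hop_for_reply(host_cidr, gateway, dst):
    """Where a host with address/mask host_cidr sends a packet to dst.

    If dst falls inside the host's own subnet it is delivered on-link
    (ARP for it on the bridge); otherwise it goes to the default gateway.
    This is the server-side decision that broke the thread's setup.
    """
    iface = ipaddress.ip_interface(host_cidr)
    if ipaddress.ip_address(dst) in iface.network:
        return "on-link"
    return gateway


if __name__ == "__main__":
    # FAQ case: at home, 10.0.0.50 is reached via WiFi, 10.0.1.50 via ZT.
    print(longest_prefix_match(LAPTOP_ROUTES, "10.0.0.50"))
    print(longest_prefix_match(LAPTOP_ROUTES, "10.0.1.50"))
    # Thread case: a ZT peer at 10.0.10.5 replying to the server.
    print(next_hop_for_reply("10.0.0.3/24", "10.0.0.1", "10.0.10.5"))  # stale /24 mask
    print(next_hop_for_reply("10.0.0.3/16", "10.0.0.1", "10.0.10.5"))  # correct /16 mask
```

With the stale /24 mask the reply for 10.0.10.5 leaves for 10.0.0.1, which has no ZeroTier interface, so the ZT peer never sees it; with the /16 mask the server answers directly on the bridged LAN.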