zerotier / ZeroTierOne

A Smart Ethernet Switch for Earth
https://zerotier.com

ZeroTier Relay Failure IPv4 <-> IPv6 #1774

Open DarkArc opened 1 year ago

DarkArc commented 1 year ago

The ZeroTier Relay fails to route packets between devices that are IPv4 and IPv6 only.

Setup

Two devices were involved in this particular setup.

Device A

This device is behind a pfSense box, which has an IPv4 and IPv6 address. The pfSense box is configured with UPnP & NAT-PMP enabled, but disabled by ACL for the ZeroTier device in question.

In other words, pfSense is configured to allow UPnP/NAT-PMP for devices that aren't running ZeroTier.

ZeroTier displays the IPv4 addresses in the web panel.

Device B

Device B is in a network environment where IPv6 is not deployed natively; it doesn't have a true IPv6 address.

What Happened

Device B tried to connect to Device A; a direct connection could not be established, as Device B has no workable IPv6 address, and Device A has no workable IPv4 address.

The relay was unable to handle even a basic ping between these devices (and peers regularly disappeared).

Expected Behavior

I would expect the relay servers to translate between the IPv4 address of Device B and the IPv6 address of Device A.

Confirmation of the Problem

I was able to connect a cloud server with an IPv6 address into the network, connect into Device A over this IPv6 <-> IPv6 connection, and using SSH forwarding, connect into the router, open up the UPnP/NAT-PMP rules, and then reboot ZeroTier on Device A.

Once this was done, ZeroTier correctly mapped a port on the router, and communication between Device A <-> Device B was direct, and functional.

Curiously (and additionally), devices similar to Device A require a restart of the ZeroTier One service before they start routing. It's possible the issue here is less of an issue with relaying, and more an issue of the ZeroTier service believing it has a working IPv4 connection, when in reality it doesn't (perhaps as a detail of the pfSense UPnP/NAT-PMP ACL implementation).

DarkArc commented 1 year ago

Maybe this more broadly is an issue with ZeroTier relays not working in my current network conditions (even for basic ICMP traffic); though I'm unsure what should be able to cause that.