zerotier / ZeroTierOne

A Smart Ethernet Switch for Earth
https://zerotier.com
Other
14.47k stars 1.69k forks

why am I able to scan and connect to devices that do not belong to my own network through zerotier? #1894

Closed ufk119 closed 1 year ago

ufk119 commented 1 year ago

Hello! I have encountered a confusing issue while using zerotier, could someone who knows about it please help me solve it? I am not sure if this is a bug or not. I created a zerotier VPN network in the console and set it to private. The subnet was set to 192.168.191.0, and I joined this network on my computer. Using an advanced port scanning tool called "Advanced Port Scanner," I scanned the network and discovered many devices, many of which could be connected as long as their ports were open. Is this normal or am I doing something wrong? Based on my understanding, different VPN networks should be isolated from each other.

ufk119 commented 1 year ago

Here is a screenshot

123.png

laduke commented 1 year ago

That's not something zerotier would do. Unless you really have that many devices on your zerotier network. Not sure what it could be. Let us know if you find out.

erikh commented 1 year ago

Just guessing, he's probably looking at the wrong subnet.

------- Original Message ------- On Wednesday, March 8th, 2023 at 8:03 AM, Travis LaDuke @.***> wrote:

> That's not something zerotier would do. Unless you really have that many devices on your zerotier network. Not sure what it could be. Let us know if you find out.


ufk119 commented 1 year ago

> That's not something zerotier would do. Unless you really have that many devices on your zerotier network. Not sure what it could be. Let us know if you find out.

Thanks. I newly created a VPN, set it to private, and just one device joined it, and that is my test result. And I tested a few times on different subnets. Confused!!!

glimberg commented 1 year ago

I've never used this tool you're using, but if I had to hazard a guess, it's probably sending out the scanning requests out of your primary physical network interface, and those are machines somewhere on your ISP's internal network. Part of your ISP's internal network range just happens to fall within the same private IP address range of your ZeroTier network.

The way to verify this is by doing a trace route (tracert from a Windows command prompt) to one of the hosts. If it's over Zerotier, there will only be a single result along. Here's an example to a host that is on one of my ZeroTier networks:

traceroute to 10.6.6.59 (10.6.6.59), 30 hops max, 60 byte packets
 1  10.6.6.59  17.503 ms  17.484 ms  17.480 ms

If there are multiple hops, where the first one is your router's IP address, it's going through your router and not through the ZeroTier network at all:

traceroute to 10.100.0.1 (10.100.0.1), 30 hops max, 60 byte packets
 1  10.0.0.1  0.400 ms  0.640 ms  0.481 ms
 2  10.71.156.1  8.530 ms  13.034 ms  8.477 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  *^C
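
The check described in the comment above can be automated. The following is an added example, not part of the original comment or of ZeroTier's code: a small parser that classifies numeric Linux `traceroute` output as delivered directly or routed through a gateway. The function and constant names are hypothetical, and it assumes hop lines show bare IP addresses, as in the outputs quoted above.

```python
import ipaddress
import re

# Both samples are the traceroute outputs quoted in the comment above
# (the second one shortened to its first three hops).
ZT_SAMPLE = """traceroute to 10.6.6.59 (10.6.6.59), 30 hops max, 60 byte packets
 1  10.6.6.59  17.503 ms  17.484 ms  17.480 ms"""
ROUTED_SAMPLE = """traceroute to 10.100.0.1 (10.100.0.1), 30 hops max, 60 byte packets
 1  10.0.0.1  0.400 ms  0.640 ms  0.481 ms
 2  10.71.156.1  8.530 ms  13.034 ms  8.477 ms
 3  * * *"""

HEADER_RE = re.compile(r"^\s*traceroute to \S+ \(([0-9a-fA-F.:]+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")  # hop number, then address or "*"


def _ip_or_none(token):
    """Return the token if it is an IP literal, else None ('*' = no reply)."""
    try:
        return str(ipaddress.ip_address(token))
    except ValueError:
        return None


def classify_traceroute(output):
    """Return (verdict, first_hop) for numeric Linux traceroute output.

    "direct":  the only hop is the destination itself (on-link delivery).
    "routed":  the first hop is another address, e.g. the LAN router.
    "unknown": no header, or the first hop did not answer.
    """
    lines = output.strip().splitlines()
    header = HEADER_RE.match(lines[0]) if lines else None
    if header is None:
        return ("unknown", None)
    dest = _ip_or_none(header.group(1))
    hops = [_ip_or_none(m.group(2))
            for m in map(HOP_RE.match, lines[1:]) if m]
    if not hops or hops[0] is None:
        return ("unknown", None)
    if len(hops) == 1 and hops[0] == dest:
        return ("direct", hops[0])
    return ("routed", hops[0])


if __name__ == "__main__":
    for name, sample in (("zerotier", ZT_SAMPLE), ("physical", ROUTED_SAMPLE)):
        print(name, classify_traceroute(sample))
```

A "direct" verdict only shows that the host is on-link; a host on the same physical LAN also answers in one hop, so compare the first hop of a "routed" result against the local router's address.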

ufk119 commented 1 year ago

> I've never used this tool you're using, but if I had to hazard a guess, it's probably sending out the scanning requests out of your primary physical network interface, and those are machines somewhere on your ISP's internal network. Part of your ISP's internal network range just happens to fall within the same private IP address range of your ZeroTier network.
>
> The way to verify this is by doing a trace route (tracert from a Windows command prompt) to one of the hosts. If it's over Zerotier, there will only be a single result along. Here's an example to a host that is on one of my ZeroTier networks:
>
> traceroute to 10.6.6.59 (10.6.6.59), 30 hops max, 60 byte packets
>  1  10.6.6.59  17.503 ms  17.484 ms  17.480 ms
>
> If there are multiple hops, where the first one is your router's IP address, it's going through your router and not through the ZeroTier network at all:
>
> traceroute to 10.100.0.1 (10.100.0.1), 30 hops max, 60 byte packets
>  1  10.0.0.1  0.400 ms  0.640 ms  0.481 ms
>  2  10.71.156.1  8.530 ms  13.034 ms  8.477 ms
>  3  * * *
>  4  * * *
>  5  * * *
>  6  * * *
>  7  * * *
>  8  *^C

Seems like you're right! Thank you very much! I followed your instructions and tested, which confirmed that it was going through the physical network interface instead of the ZeroTier network. Moreover, I also noticed that a large number of devices under the same ISP had coincidentally occupied the same ZeroTier subnet as the one I tested, which can explain why the scan and connection were successful.

What a hilarious mistake!