zerotier / ZeroTierOne

A Smart Ethernet Switch for Earth
https://zerotier.com

Unable to connect from a network that blocks ICMP packages #2156

Open BrandonStudio opened 1 year ago

BrandonStudio commented 1 year ago

I have physical networks A, B and C, all of which have public IPv6 addresses. Network B blocks all ICMP packages.

In network A and C, my device can connect to zerotier without problem.

In network B, my device cannot connect to zerotier: if the device just switched from A to B, the desktop UI reports status OK, but ZeroTier Central says it is not online; if I restart the zerotier service in network B, the desktop UI reports status REQUEST_CONFIGURATION, forever. This is seen on version 1.10.6 and 1.12.2.

When I downgrade to 1.4.6, the device becomes able to connect to zerotier.

I guess the problem is about ICMP because I saw the firewall rule and I know network B blocks ICMP (e.g. you can't ping anything). I also guess that zerotier has changed its way to connect to a way that uses ICMP from a specific version, before which it had a way different from ICMP.

I want to know which specific version it is, and I hope that you can add a fallback way to connect.

laduke commented 1 year ago

Thanks for reporting. I think the ICMP part might be a "red herring". We haven't heard similar and 1.4.6 was many years ago. So there may be some other factor in network B's firewall. ZeroTier uses only UDP. Unless no connection to anything can be made, then it falls back to TCP.

It does sound like something is getting stuck in a buggy way though.

https://github.com/zerotier/ZeroTierOne/tree/main/tcp-proxy might help

BrandonStudio commented 1 year ago

Thanks for your reply. I thought this is about ICMP because I know (1) network B blocks it, (2) I saw two ICMP firewall rules. Could you please tell me what ICMP does during or before connection?

But I am quite sure now that this is a version-related problem; otherwise, it doesn't make sense that connection succeeded as soon as I downgraded it to 1.4.6 from 1.12.2. And I think it succeeded not because of reinstallation, because I was using 1.10.6 when I found no connection, then I upgraded it to 1.12.2. But I WILL test it again, see if installation after an uninstallation would work.

I use 1.4.6 because I once used it and I remember it worked. I'm going to test different versions between 1.4.6 and 1.10.6, when I have time, to find out the specific version after which connection fails.