zyclonite / zerotier-docker

ZeroTier One as Docker Image
MIT License

Unable to bridge #9

Closed outofsight closed 1 year ago

outofsight commented 2 years ago

Thanks for your work, but unfortunately I'm not able to use it. I'm running Proxmox VE on a minipc and a Debian VM with docker. I'm trying to run this zerotier container under this docker instance. I would like to set up a bridge to access all hosts in my LAN, on the same docker instance, or on other VMs, or on other physical devices.

With the help of portainer I created and started a stack with the following compose file.

version: '3'
services:
  zerotier:
    container_name: zerotier-bridge
    image: zyclonite/zerotier:bridge-latest
    network_mode: host
    volumes:
      - '/data/zerotier:/var/lib/zerotier-one'
    devices:
      - /dev/net/tun
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_ADMIN

I made the necessary steps to join a ZeroTier private network (with an assigned IP range non-conflicting with the one of the LAN DHCP server, and with an appropriate managed route) and authorized the bridge (allowing bridging) and all clients (mobile phone for test).

But from my phone (on mobile data) I'm unable to reach any LAN host and also the bridge itself (tried to ping, and to access other services on the same VM/docker instance).

From what I understand the ethernet interface ("ens18") gets its IP address from the LAN DHCP server as usual, and the zt interface ("ztbto2poqh") gets the expected IP address as configured in my.zerotier.com.

But I don't know how to further investigate.

Any idea?

zyclonite commented 2 years ago

i would solve that without the -bridge version and configuring iptables for the routing

e.g.

-A POSTROUTING -o ens18 -j MASQUERADE
-A FORWARD -i ens18 -o ens18 -j ACCEPT
-A FORWARD -i ens18 -o zt+ -j ACCEPT
-A FORWARD -i zt+ -o ens18 -j ACCEPT

and do not forget to enable net.ipv4.ip_forward = 1
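The routing setup described in this comment, as an added example that is not part of the original thread or the zerotier-docker project. It renders the same kind of host-side iptables rules, parameterised by the LAN interface and the ZeroTier-managed subnet (both placeholders, since the thread names only ens18), applies them idempotently with `iptables -C`, and tightens them so only the ZT side can open connections into the LAN:

```shell
#!/bin/sh
# Added example, not project code. Assumed values: LAN_IF is the host's LAN
# interface (ens18 in the thread); ZT_NET is the ZeroTier managed route and
# must not overlap the LAN subnet, since this is routing, not bridging.
LAN_IF="${LAN_IF:-ens18}"
ZT_NET="${ZT_NET:-10.147.0.0/24}"   # constructed placeholder subnet

# Print one iptables argument list per line. Compared with the rules in the
# comment above: MASQUERADE only covers sources in the ZT subnet, and the
# LAN -> ZT direction admits only replies to connections the ZT side opened,
# so LAN hosts cannot initiate traffic into the ZeroTier network.
render_rules() {
  lan="$1"; ztnet="$2"
  printf '%s\n' \
    "-t nat -A POSTROUTING -s $ztnet -o $lan -j MASQUERADE" \
    "-A FORWARD -i zt+ -o $lan -s $ztnet -j ACCEPT" \
    "-A FORWARD -i $lan -o zt+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Number of rules rendered; used as a self-check of the rendered set.
rule_count() { render_rules "$1" "$2" | wc -l | tr -d ' '; }

# Apply on the host (needs root). "iptables -C" tests whether a rule already
# exists, so re-running this does not append duplicate rules.
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  render_rules "$LAN_IF" "$ZT_NET" | while IFS= read -r rule; do
    check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
    # shellcheck disable=SC2086  # word splitting of the argument list is intended
    iptables $check 2>/dev/null || iptables $rule
  done
}

case "${1:-}" in
  apply) apply_rules ;;        # ./zt-route.sh apply
  *) render_rules "$LAN_IF" "$ZT_NET" ;;   # default: dry run, print the rules
esac
```

Because the container runs with network_mode: host, these rules live in the host's netfilter tables, so they are applied on the VM rather than inside the container.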

outofsight commented 2 years ago

Thanks for reply. This can be challenging for me :) but there is another problem before.

You write "routing" and these commands seem designed for "routing" but, with the -bridge version of the image, I was trying to make a "bridge", in the meaning of the ZeroTier guide you also linked.

According to the guide, I made my ZT network with the same IP network of my Physical lan, say

LAN: 192.168.115.0/24
ZT NETWORK: 192.168.115.0/23

just with different auto-assigned IP address ranges, so that, for example, the ZT container will receive the address 192.168.115.5 on the physical ethernet interface and the address 192.168.115.112 on the ZT interface.

I already did something similar in the past (with a dedicated VM and OpenWRT) but now I would like to replicate the same effects with a docker container.

I can't use routing because the ZT machine/container can't be the default gateway of the physical LAN and many devices on the LAN can't be configured with static routes to a dedicated ZT network. So a ZT bridge will be the perfect solution.

With the previous settings I can't even access the "bridge container" from the ZT network with the "bridge container" ZT IP address (tried ping, http of various docker containers on the same host), whatever version of the image I use.

zyclonite commented 2 years ago

maybe the original PR for bridge mode could help https://github.com/zyclonite/zerotier-docker/pull/6

i do only use routing on my end

outofsight commented 2 years ago

Thanks for reply.

Is it possible that the -bridge version is really a routing version too? And that to use this I should set up a ZT network different from my LAN network despite what the guide says?

From the discussion about bridge mode I understand I can't use the non-bridge version because of missing iptables. So I would like to try with the -bridge version or whatever it is, but even changing the ZT network addresses doesn't work.

zyclonite commented 1 year ago

you were right, the bridge was actually a routing setup. it was renamed now, so currently there is no bridge mode yet