ZeroTier 1.1





  • Specifically: https://www.zerotier.com/blog/?p=560

    • Circuit Testing
    • NDP Emulation and Multicast-Free IPv6 Networks
    • Clustering and Multi-Homing


  • I'm starting to have major DNS issues with one of file servers having a ZT adapter and it registering with DNS.. .often times my internal non ZT clients can't find the file server because DNS gives them the ZT address.



  • Why not put ZT on everything?



  • You coud always install it on everything as @scottalanmiller suggested... but that might be a lot of work, lol.

    However, I found a workaround for this...

    On the File Server, edit the IPv4 Properties on the NIC, and you will see that everything is set for manual ip and blank... Change them to DHCP and apply. Then go into the IP properties again and uncheck the register dns checkbox, and OK your way out of it.

    Then just delete the ZT IP address from DNS.

    That does introduce a new problem if you are using that same DNS on the ZT Network...I worked around that by setting up a small Linux Server with dnsmasq... You just add the IP address & host names into the /etc/hosts file and done.

    (You can configure the ZT Nic to use DHCP (even if the IPs are managed by ZT), and specify the IP address of your dnsmasq (or any other dns server you want) in the IP properties..
    0_1447991372726_upload-5cfc1159-cf2b-4d6c-91dc-a1e2be48eb4f

    Is how my laptop is set up.


  • Banned

    The question is why is a centeralized company with some remote users are you using ZeroTeir? These things are great for fully mesh VPNs of clients across then country. But, if you already have a centralized site, fully mesh site to site network, or a hub and spoke site to site network then just using a VPN concentrator or router would make more sense.



  • I don't understand why this tech needs to be an all or nothing type approach. That's the main reason.

    @dafyre, once you set the adapter to DHCP you can't uncheck the Register DNS checkbox.



  • @Dashrender said:

    I don't understand why this tech needs to be an all or nothing type approach. That's the main reason.

    Because that is the design. You are using a mesh networking technology and trying to use it as something other than a mesh. Do you have to use it that way? Of course not, but that is its design and purpose. So if you want to use it as if it were OpenVPN, for example, you are going to have to deal with the fact that you are shoehorning and not using as designed.



  • @scottalanmiller said:

    @Dashrender said:

    I don't understand why this tech needs to be an all or nothing type approach. That's the main reason.

    Because that is the design. You are using a mesh networking technology and trying to use it as something other than a mesh. Do you have to use it that way? Of course not, but that is its design and purpose. So if you want to use it as if it were OpenVPN, for example, you are going to have to deal with the fact that you are shoehorning and not using as designed.

    I have sense ZT's original introduction here at ML learned just that. Because you posted that before. I've never used OpenVPN before, only Cisco and SonicWall VPN clients. The Cisco and SonicWall clients suck because you have to start and stop them... I really like the always on nature of ZT.

    At least my need for ZT is almost over and I'll be shutting it down. But I still might consider it going forward for the entire office.


  • Banned

    @Dashrender said:

    I have sense ZT's original introduction here at ML learned just that. Because you posted that before. I've never used OpenVPN before, only Cisco and SonicWall VPN clients. The Cisco and SonicWall clients suck because you have to start and stop them... I really like the always on nature of ZT.

    Is it that hard for your users to connect a vpn client? We don't have users with issues with that and we have plenty of not so smart users.



  • @Dashrender said:

    I have sense ZT's original introduction here at ML learned just that. Because you posted that before. I've never used OpenVPN before, only Cisco and SonicWall VPN clients. The Cisco and SonicWall clients suck because you have to start and stop them... I really like the always on nature of ZT.

    Well Cisco and SonicWall are pretty crappy in general. OpenVPN is always on, it is what we used before moving to Pertino. We were building our own full mesh which was a huge pain. For us full mesh is what we always needed, it's perfect. But if you want a hub and spoke, OpenVPN is the ticket. Works exactly as you want, does just what you need.



  • @Jason said:

    Is it that hard for your users to connect a vpn client? We don't have users with issues with that and we have plenty of not so smart users.

    I've definitely encountered users that don't understand the "you have to plug it in first" concept.

    Always on is always nice as AD works transparently.



  • @Jason said:

    @Dashrender said:

    I have sense ZT's original introduction here at ML learned just that. Because you posted that before. I've never used OpenVPN before, only Cisco and SonicWall VPN clients. The Cisco and SonicWall clients suck because you have to start and stop them... I really like the always on nature of ZT.

    Is it that hard for your users to connect a vpn client? We don't have users with issues with that and we have plenty of not so smart users.

    In this particular situation, no, I'm not really having any issues with traditional VPN, but where possible removing places where users can make mistakes is always nice.

    On the flip side though, a full mesh network does expose your network to greater risk of things like CryptoLocker, but if you're following Scott's suggestion and not using open file shares, that risk is mostly mitigated.

    For me, Once this temporary user's project is done my boss will be the only one really using VPN, and even she barely uses it anymore.

    I use other tools (mainly LogMeIn).



  • Yes, fears like Cryptolocker and moves to more modern file sharing methods have led us to begin phasing out VPNs too. Now that VPNs are not needed for AD, we have no need for it anymore.



  • @scottalanmiller said:

    Yes, fears like Cryptolocker and moves to more modern file sharing methods have led us to begin phasing out VPNs too. Now that VPNs are not needed for AD, we have no need for it anymore.

    Not needed because of Azure AD?
    Do you guys even have any hosted Windows servers? If so, do you have an hosted AD for them that syncs to Azure AD?



  • @Dashrender said:

    Not needed because of Azure AD?
    Do you guys even have any hosted Windows servers? If so, do you have an hosted AD for them that syncs to Azure AD?

    The only Windows hosts that we have are the AD servers and the DirSync server. Our entire Windows infrastructure in production is for AD.



  • @scottalanmiller said:

    @Dashrender said:

    Not needed because of Azure AD?
    Do you guys even have any hosted Windows servers? If so, do you have an hosted AD for them that syncs to Azure AD?

    The only Windows hosts that we have are the AD servers and the DirSync server. Our entire Windows infrastructure in production is for AD.

    Assuming you've upgraded your fleet of end points to Windows 10, why do you still have those?



  • @Dashrender said:

    Assuming you've upgraded your fleet of end points to Windows 10, why do you still have those?

    AD controls Office 365.



  • @scottalanmiller said:

    @Dashrender said:

    Assuming you've upgraded your fleet of end points to Windows 10, why do you still have those?

    AD controls Office 365.

    Can't Azure AD?



  • If the NIC already has ZT ip, it works fine... this is my home desktop with ZT and register dns unchecked.
    0_1448034385557_uncheckregisterdns.png



  • @dafyre But are you using DHCP to assign the ZT IP address or are you using a manually assigned one?



  • I am letting ZT assign the IP addresses.


Log in to reply