OK peoples. I got this working both ways: LAN → ZT and ZT → LAN. The trick was to configure a source NAT, which you can only do via the command line. Along with the destination NAT, this sets up a bidirectional NAT. BOOM! Here's my config:
/* EdgeOS-style config as posted. Reviewer comments below describe only what this config shows. */
firewall {
all-ping enable
broadcast-ping disable
/* Address groups referenced by the NAT rules further down. Note: network-group LAN (192.168.50.0/24) is defined but not referenced by any rule in this config; only Upstream and ZeroTier are used. */
group {
network-group LAN {
description "Switch LAN"
network 192.168.50.0/24
}
network-group Upstream {
description "Upstream Network"
network 10.1.1.0/24
}
network-group ZeroTier {
description "ZeroTier Network"
network 10.147.20.0/24
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
receive-redirects disable
/* ICMP redirect emission is left enabled here; the receive side is disabled above. */
send-redirects enable
/* Reverse-path (source address) validation is off, so the kernel will not drop packets whose source address is not reachable via the interface they arrived on. Worth revisiting once the NAT below is working, since the ZeroTier side is another ingress path. */
source-validation disable
syn-cookies enable
}
/* No firewall rulesets (firewall name ... / interface in|local|out) appear anywhere in this config, so nothing is attached to the ZeroTier interface or to eth0: forwarded and router-local traffic from ZeroTier peers is only shaped by the NAT rules below. */
interfaces {
/* Upstream-facing interface. 10.1.1.10 is also the inside-address that DNAT rule 1 rewrites to. */
ethernet eth0 {
address 10.1.1.10/24
description "Local Upstream"
duplex auto
speed auto
}
ethernet eth1 {
description Local
duplex auto
speed auto
}
ethernet eth2 {
description Local
duplex auto
speed auto
}
ethernet eth3 {
description Local
duplex auto
speed auto
}
ethernet eth4 {
description Local
duplex auto
poe {
output off
}
speed auto
}
loopback lo {
}
/* switch0 bundles eth1-eth3 and carries the 192.168.50.0/24 LAN (DHCP and DNS forwarding below serve this side). */
switch switch0 {
address 192.168.50.1/24
description Local
mtu 1500
switch-port {
interface eth1 {
}
interface eth2 {
}
interface eth3 {
}
vlan-aware disable
}
}
/* ZeroTier virtual interface: the inbound-interface of DNAT rule 1 and the outbound-interface of SNAT rule 5000. */
zerotier ztklh3kllj {
description ZeroTier
}
}
protocols {
static {
/* Single default route via the upstream gateway. */
route 0.0.0.0/0 {
next-hop 10.1.1.1 {
description "Default Gateway"
}
}
}
}
service {
/* DHCP for the switch LAN; hands out the router (192.168.50.1) as both gateway and DNS. */
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN2 {
authoritative enable
subnet 192.168.50.0/24 {
default-router 192.168.50.1
dns-server 192.168.50.1
lease 86400
start 192.168.50.38 {
stop 192.168.50.243
}
}
}
static-arp disable
use-dnsmasq disable
}
/* DNS forwarder listens on switch0 only and forwards to the upstream gateway 10.1.1.1. */
dns {
forwarding {
cache-size 150
listen-on switch0
name-server 10.1.1.1
}
}
/* Management GUI is reachable over plain HTTP (80) as well as HTTPS (443), and older-ciphers enable allows legacy TLS cipher suites on the HTTPS listener. Both weaken the management plane; with no firewall applied to the ZeroTier interface, this GUI is reachable from ZeroTier peers as well. */
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
/* DNAT: packets arriving on the ZeroTier interface with a destination inside 10.147.20.0/24 (group ZeroTier) get their destination rewritten to 10.1.1.10 (this router's eth0 address), for all protocols. Logging is off. */
rule 1 {
description "ZeroTier DNAT"
destination {
group {
network-group ZeroTier
}
}
inbound-interface ztklh3kllj
inside-address {
address 10.1.1.10
}
log disable
protocol all
type destination
}
/* SNAT: packets leaving via the ZeroTier interface with a source inside 10.1.1.0/24 (group Upstream) get their source rewritten to 10.147.20.1, for all protocols. Together with rule 1 this is the bidirectional NAT; as written it translates the Upstream network, not the 192.168.50.0/24 LAN. Logging is off here too; enabling it on either rule helps when tracing translation problems. */
rule 5000 {
description "ZeroTier SNAT"
log disable
outbound-interface ztklh3kllj
outside-address {
address 10.147.20.1
}
protocol all
source {
group {
network-group Upstream
}
}
type source
}
}
/* SSH on port 22, protocol v2 only; this config does not restrict which addresses/interfaces it listens on. */
ssh {
port 22
protocol-version v2
}
/* UNMS agent disabled. */
unms {
disable
}
}