jplee

jplee

OK peoples. I got this working both ways: LAN > ZT and ZT > LAN. The trick was to configure a source NAT, which you can only do via the command line. Along with destination NAT, a bidirectional NAT is setup. BOOM! Here's my config:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group LAN {
            description "Switch LAN"
            network 192.168.50.0/24
        }
        network-group Upstream {
            description "Upstream Network"
            network 10.1.1.0/24
        }
        network-group ZeroTier {
            description "ZeroTier Network"
            network 10.147.20.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 10.1.1.10/24
        description "Local Upstream"
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.50.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            vlan-aware disable
        }
    }
    zerotier ztklh3kllj {
        description ZeroTier
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 10.1.1.1 {
                description "Default Gateway"
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.50.0/24 {
                default-router 192.168.50.1
                dns-server 192.168.50.1
                lease 86400
                start 192.168.50.38 {
                    stop 192.168.50.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
            name-server 10.1.1.1
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description "ZeroTier DNAT"
            destination {
                group {
                    network-group ZeroTier
                }
            }
            inbound-interface ztklh3kllj
            inside-address {
                address 10.1.1.10
            }
            log disable
            protocol all
            type destination
        }
        rule 5000 {
            description "ZeroTier SNAT"
            log disable
            outbound-interface ztklh3kllj
            outside-address {
                address 10.147.20.1
            }
            protocol all
            source {
                group {
                    network-group Upstream
                }
            }
            type source
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}

jplee

@dinge I did that exactly. Can we compare configs? Here's mine:

interfaces {
    ethernet eth0 {
        address 10.1.1.10/24
        description "Local Upstream"
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.50.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            vlan-aware disable
        }
    }
    zerotier ztklh3kllj {
        description ZeroTier
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 10.1.1.1 {
                description "Default Gateway"
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.50.0/24 {
                default-router 192.168.50.1
                dns-server 192.168.50.1
                lease 86400
                start 192.168.50.38 {
                    stop 192.168.50.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
            name-server 10.1.1.1
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description ZT-NAT
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            log disable
            outbound-interface ztklh3kllj
            protocol all
            source {
                group {
                }
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}

jplee

@dinge Do you have this working? It didn’t work for me. Remember, I’m trying to go from LAN to ZT, not the other way around.

jplee

@Dashrender Setup is outlined several posts above. Here

jplee

@Dashrender I couldn't get the ER-X to route LAN>ZT. NAT, although not ideal, did the trick for me. I'd love to hear if anyone has a no NAT solution.

jplee

I have it working! I needed to NAT.

alt text

I also disabled routing to 192.168.50.0/24 on ZeroTier Central and unchecked "Allow Bridging". They aren't needed.

jplee

@VoIP_n00b I followed https://blog.kruyt.org/zerotier-on-a-ubiquiti-edgerouter/. It was pretty straightforward. Make sure you follow Part 2 of the guide as well. Now if I can just get the ER-X to route.

jplee

These are my interfaces:

interfaces

And these are my routes:

routes

On the 192.168.50.0/24 (Lan1) network, I can successfully hit 10.1.1.0/24 (Lan2) addresses and go out on the internet. However, I can't get to any 10.147.20.0/24 nodes (ZT).

If I ssh into the router, I can ping anything on Lan1, Lan2, and ZT. This seems like it would be an easy solution that I'm missing???

Thanks.

jplee

@VoIP_n00b Yes, I have "Allow Bridging" checked. I'm still getting ping time outs from my lan.

jplee

Did anyone get bridging to work? I have ZT installed on an ER-X. I can ping the ZT nodes from the ER-X cli. However, I cannot ping a ZT node from a machine on my internal network that’s not on ZT.

jplee

@jplee

Latest posts made by jplee