 
danielchagasrs
just joined
Topic Author
Posts: 6
Joined: Tue Dec 14, 2021 11:10 pm
Location: Porto Alegre - Brazil

Zerotier container - can't ping from ZT client to internal lan devices

Fri Apr 19, 2024 3:37 am

Hi.
I have a site-to-site VPN between a hAP ac3 (192.168.2.254/24) and a MikroTik x86 + ZeroTier container (192.168.0.200/24 for the MikroTik itself and 192.168.0.201 for the container's veth, added to the local bridge).

2 managed routes are created on my.zerotier.com:
192.168.2.0/23 => 192.168.32.254 (hap ac3 zt address)
192.168.0.0/23 => 192.168.32.201 (x86 container)

I can access from 0.x to 2.x, but can't access FROM 2.x to 0.x... Tracert stops at 192.168.32.201, the ZeroTier container... The container is blocking zt->lan, but not lan->zt.
I tried putting in the ENV settings (gateway mode = both), but that didn't change anything...

I had this same scenario, same settings, same addresses and all, working fine with an OpenWrt VM and the same hAP ac3...

Any thoughts??
 
Amm0
Forum Guru
Posts: 3617
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Zerotier container - can't ping from ZT client to internal lan devices

Fri Apr 19, 2024 3:48 am

Couple thoughts:
1. Did you put the VETH in LAN interface list (or address-list if using those)? e.g. firewall blocks !LAN by default
2. The MikroTik ZT client will inject the ZT routes into the router, but using a ZT container won't... So you need a static route on the CHR/x86 to the ZT network, as MikroTik routing is not going to know the ZT subnet.

Yes, I'd imagine you'd need "gateway" as both, but I'm not too familiar with the containerized ZT.... since you use the VETH IP as the static route for any ZT networks. For sure enable logging in the container, as the logs may have a clue (and/or confirm the ENVs are getting picked up correctly).
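The two checks in this reply (veth as a LAN member, static route pointed at the veth IP) plus the logging step, written out as a RouterOS 7 CLI example. This is an added example, not configuration from the thread or from MikroTik; the addresses are the ones the original post gives, while the interface name veth1, the list name LAN, the bridge name and the container number 0 are assumptions.

```routeros
# Added example (not from the thread). Names veth1, LAN, bridge and the
# container index 0 are assumed; the addresses are from the original post.

# 1. Make the veth a LAN member. The default RouterOS firewall keys its
#    input/forward drop rules on the LAN interface list, so a veth that is
#    not a member is treated like a WAN port.
/interface/list/member add list=LAN interface=veth1
/interface/list/member print where list=LAN

#    Confirm the veth is actually a port on the same bridge as the LAN hosts
/interface/bridge/port print where interface=veth1

# 2. The native /zerotier client injects managed routes; the container does
#    not. Point the remote site at the container's veth address instead.
/ip/route add dst-address=192.168.2.0/23 gateway=192.168.0.201 comment="via ZT container"
/ip/route print where dst-address=192.168.2.0/23

# 3. Turn on container logging, then read the ZT daemon's output in /log
/container/print
/container/set 0 logging=yes
/log/print

# 4. Is the ZT-to-LAN traffic even leaving the veth? Sniff ICMP on it while
#    pinging a 192.168.0.x host from the remote site.
/tool/sniffer quick interface=veth1 ip-protocol=icmp

# 5. Shell into the container to inspect it directly (the container number
#    comes from /container/print)
/container/shell 0
```

If step 4 shows the echo requests arriving on veth1 from the ZT side but never leaving toward the LAN, the problem is inside the container rather than in RouterOS: the ZT-to-LAN direction depends on the container's own Linux forwarding and NAT state (IP forwarding and iptables rules), which is what an image's gateway-mode ENV is meant to set up. That is the part a RouterOS static route cannot fix, and `/container/shell` is the place to verify it.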
 
danielchagasrs
just joined
Topic Author
Posts: 6
Joined: Tue Dec 14, 2021 11:10 pm
Location: Porto Alegre - Brazil

Re: Zerotier container - can't ping from ZT client to internal lan devices

Fri Apr 19, 2024 2:03 pm

Hi. The veth IP is in the same subnet and in the same local/LAN bridge as the MikroTik.
I can access the container's IP from the lan hosts of 192.168.0.x and 192.168.2.X... But the container itself isn't forwarding traffic from ZT to LAN...
External tracert stops on 192.168.0.201 (Veth/container IP address)...
 
danielchagasrs
just joined
Topic Author
Posts: 6
Joined: Tue Dec 14, 2021 11:10 pm
Location: Porto Alegre - Brazil

Re: Zerotier container - can't ping from ZT client to internal lan devices

Fri Apr 19, 2024 2:07 pm


Amm0 wrote:
So you need a static route on CHR/X86 to the ZT network as Mikrotik routing is not going to know the ZT subnet.
(and/or confirm the ENV are getting picked up correctly)
I have the static routes, since I can access from LAN A (0.X) to 2.X... But I can't access the other way (2.X to 0.X, or ZT client to 0.X).

How can I check if the ENVs are working? I'm new in container stuff...
 
Amm0
Forum Guru
Posts: 3617
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Zerotier container - can't ping from ZT client to internal lan devices

Fri Apr 19, 2024 3:07 pm

As I said, I haven't used the ZT container, so IDK.

So my suggestion was to make sure Logging is enabled on the /container for ZT, and then look at "/log print". Alternatively, you might be able to access the shell of the container using /container/print, then /container/shell XX, where XX is the # of the ZT container shown in print.

The firewall on Mikrotik side seems more probable than something in the container.

Also on the CHR itself do you have a route in /ip/route for 192.168.2.0/23 to 192.168.0.201?
 
danielchagasrs
just joined
Topic Author
Posts: 6
Joined: Tue Dec 14, 2021 11:10 pm
Location: Porto Alegre - Brazil

Re: Zerotier container - can't ping from ZT client to internal lan devices

Fri Apr 19, 2024 7:39 pm

Amm0 wrote:
As I said, I haven't used the ZT container, so IDK.

So my suggestion was to make sure Logging is enabled on the /container for ZT, and then look at "/log print". Alternatively, you might be able to access the shell of the container using /container/print, then /container/shell XX, where XX is the # of the ZT container shown in print.

The firewall on Mikrotik side seems more probable than something in the container.

Also on the CHR itself do you have a route in /ip/route for 192.168.2.0/23 to 192.168.0.201?

I'm sure it's not a mikrotik firewall rule. I disabled all rules and that made no difference.
 
ramin110
just joined
Posts: 6
Joined: Sun Oct 09, 2011 8:06 pm

Re: Zerotier container - can't ping from ZT client to internal lan devices

Mon Apr 22, 2024 9:56 am

hi, I have the same problem with accessing another zerotier device.

I can ping the docker ZeroTier IP but can't ping the other device's IP.
 
danielchagasrs
just joined
Topic Author
Posts: 6
Joined: Tue Dec 14, 2021 11:10 pm
Location: Porto Alegre - Brazil

Re: Zerotier container - can't ping from ZT client to internal lan devices

Mon Apr 22, 2024 2:54 pm

I gave up and deleted the container... I spent more than 8 hours doing tests with zt container, without success...

Then, I installed zerotier client on the windows host machine, enabled ip forward in regedit, rebooted, and adjusted the static route on the zerotier web console... It took less than 3 minutes, and it's working fine.
