Zerotier running on Firewalla

Comments

5 comments

  • no zero

    No help, but curious if you could accomplish your goals with Tailscale?

    Free and zero config. tailscale.com

    1
  • Firewalla

    How are you installing ZeroTier or Tailscale? Docker containers, or raw apt?

    1
  • Ciaran Mcguire

    @nozero,

    Thanks for the comment. Interestingly, I have been playing with Tailscale as well as ZeroTier, and had also thought about trying this approach.

    Thanks for the hint.


    Ciaran

    2
  • Ciaran Mcguire

    @Firewalla,

    Right now I am just installing directly via apt; once I have it all working I will look to migrate to Docker, but I am not familiar with it so don't want to confuse myself yet. (I am aware that all my changes will disappear on reboot for now.)

    I have now managed to resolve the issue of SSH'ing to the ZeroTier IP address by modifying /etc/ssh/sshd_config and adding a further listener (ListenAddress 10.242.215.10), where 10.242.215.10 is my ZeroTier address on the Firewalla Purple.
    When I am SSH'ed into the Firewalla SSH console I am also able to reach all Zerotier devices within the Zerotier network.

    Right now I am trying to get ALL LAN / Wireless LAN traffic to route to my Zerotier network via an AWS server defined as an Edge node. On the Zerotier network I have configured the DEFAULT Route as this AWS server. Traffic that is initiated on the Firewalla itself is being routed to the AWS server, but traffic from LAN connected devices is still routing via the WAN connection.

    What I have done is installed Zerotier on the Firewalla Purple

    # Install on Firewalla Purple
    curl -s 'https://raw.githubusercontent.com/zerotier/ZeroTierOne/master/doc/contact%40zerotier.com.gpg' | gpg --import && \
    if z=$(curl -s 'https://install.zerotier.com/' | gpg); then echo "$z" | sudo bash; fi

    Then joined my Zerotier network,

    # Join network
    sudo zerotier-cli join <myZeroTierNetwork>

    I have approved the Firewalla Purple as an ALLOWED device on my ZeroTier network, then confirmed the status,

    # Get ZeroTier status
    sudo zerotier-cli status

    which gives me this output confirming all is good,

    200 info <zeroTierNodeID> 1.8.2 ONLINE

    I then check my Default route by checking where my traffic is exiting to the Internet using,

    curl ipinfo.io

    which confirms that my Internet Source is in Germany which is correct.

    So my routing tables are as below,

    pi@Firewalla:~ (Firewalla Purple) $ ip route
    default via 192.168.178.1 dev wlan0 metric 1
    1.0.0.1 via 192.168.178.1 dev wlan0 metric 1
    1.1.1.1 via 192.168.178.1 dev wlan0 metric 1
    10.242.215.0/28 dev <myZeroTierNetworkInterface> proto kernel scope link src 10.242.215.10
    192.168.3.0/28 dev br1 proto kernel scope link src 192.168.3.1
    192.168.4.0/29 dev br0 proto kernel scope link src 192.168.4.1 linkdown
    192.168.178.0/24 dev wlan0 proto kernel scope link src 192.168.178.10
    pi@Firewalla:~ (Firewalla Purple) $

    Then I set the ZeroTier network as the DEFAULT route on the Firewalla, which results in my routing tables being updated as below,

    # Set default route
    sudo zerotier-cli set <myZeroTierNetwork> allowDefault=1

    If I then recheck my Internet source,

    curl ipinfo.io

    I am now exiting via my AWS server with a UK Source IP. So all is good.
    The route tables have been updated as shown here, where you can see there is now a Default Route entry 0.0.0.0/1 for my Zerotier address of my AWS Edge server.

    pi@Firewalla:~ (Firewalla Purple) $ ip route
    0.0.0.0/1 via 10.242.215.6 dev <myZeroTierNetworkInterface> proto static
    default via 192.168.178.1 dev wlan0 metric 1
    1.0.0.1 via 192.168.178.1 dev wlan0 metric 1
    1.1.1.1 via 192.168.178.1 dev wlan0 metric 1
    10.242.215.0/28 dev <myZeroTierNetworkInterface> proto kernel scope link src 10.242.215.10
    128.0.0.0/1 via 10.242.215.6 dev ztqu3m6usu proto static
    192.168.3.0/28 dev br1 proto kernel scope link src 192.168.3.1
    192.168.4.0/29 dev br0 proto kernel scope link src 192.168.4.1 linkdown
    192.168.178.0/24 dev wlan0 proto kernel scope link src 192.168.178.10
    pi@Firewalla:~ (Firewalla Purple) $


    The problem I have though is when I connect to the Firewalla Purple LAN side wireless and access the Internet the traffic is still routed to the WAN connection in Germany and not via the Zerotier edge server as I would like in the UK.


    In principle I am trying to replicate the "Routes" functionality in the Firewalla interface, where I can ADD a new route for,

    MATCHING: Traffic to Internet
    ON: All Devices
    Interface: <myZeroTierNetwork> Interface

    I fully understand why I can't do this via the App interface, but hoping someone can guide me how I can manually update the relevant configs via the SSH Console.


    Appreciate any support.


    Ciaran

    1
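Reading the second route table in the post above with the kernel's longest-prefix-match rule shows why the two /1 routes beat `default` for traffic sourced on the Firewalla itself, and also that the /32 host routes for 1.1.1.1 and 1.0.0.1 still send those DNS queries out the WAN even with allowDefault=1. This is an added Python example, not code from the post or from Firewalla/ZeroTier; it reproduces a main-table lookup only and says nothing about why forwarded LAN traffic misses these routes, which the page does not show. The ZeroTier gateway address 10.242.215.6 is taken from the post.

```python
import ipaddress

# Route table exactly as pasted in the post above (after allowDefault=1).
ROUTE_TABLE = """\
0.0.0.0/1 via 10.242.215.6 dev <myZeroTierNetworkInterface> proto static
default via 192.168.178.1 dev wlan0 metric 1
1.0.0.1 via 192.168.178.1 dev wlan0 metric 1
1.1.1.1 via 192.168.178.1 dev wlan0 metric 1
10.242.215.0/28 dev <myZeroTierNetworkInterface> proto kernel scope link src 10.242.215.10
128.0.0.0/1 via 10.242.215.6 dev ztqu3m6usu proto static
192.168.3.0/28 dev br1 proto kernel scope link src 192.168.3.1
192.168.4.0/29 dev br0 proto kernel scope link src 192.168.4.1 linkdown
192.168.178.0/24 dev wlan0 proto kernel scope link src 192.168.178.10
"""

ZT_GATEWAY = "10.242.215.6"  # the AWS edge node's ZeroTier address, from the post


def parse_routes(text):
    """Turn `ip route` output into (network, via, dev) tuples.

    A bare host address such as 1.1.1.1 becomes a /32; 'default' becomes 0.0.0.0/0.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, via, dev))
    return routes


def next_hop(dst, routes=None):
    """Longest-prefix match: the most specific route containing dst wins.

    Returns (via, dev); via is None for an on-link (directly connected) route.
    """
    routes = routes if routes is not None else parse_routes(ROUTE_TABLE)
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: r[0].prefixlen)
    return (best[1], best[2])


def bypasses_tunnel(dst):
    """True when dst leaves the box without going through the ZeroTier gateway."""
    hop = next_hop(dst)
    return hop is None or hop[0] != ZT_GATEWAY
```

Feeding it the resolvers the box uses shows which destinations still leak past the tunnel: 8.8.8.8 goes via 10.242.215.6, while 1.1.1.1 keeps going out wlan0 because its /32 host route is more specific than 0.0.0.0/1.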
  • Weiemfow

    Any way to implement it in an easier way? I mean Tailscale.

    1
