I have installed, and set-up Zerotier on a RUT950 with firmware RUT9_R_00.07.01.2.

The system has created a new zone (zerotier) in the firewall settings and automatically address forwards to "lan". If I edit that zone, there are no entries in the "Covered networks" box and when I attempt to add the "zerotier" network/interface to this it's missing so can't be selected.

I'm guessing that for this to work, Zerotier would need to be on the INTERFACES list along with the other (lan, mobs1a1, mobs2a1, wan, wan6) entries?

Should the system be creating an interface for Zerotier?
How can I add the zerotier interface to the firewall zone? It seems at the moment that I can't manage the firewall for zerotier.

Thanks.

1 Answer

0 votes

Hello,

Currently, the firewall zone will work in such a way that any virtual VPN interface (created when connected to any ZT network) starting with the name "zt" will obey the rules of the ZeroTier zone. This can be confirmed by logging in to the router via CLI (SSH/Telnet) after creating any ZeroTier network (and making sure it's connected) and issuing the following command:

ifconfig

If any ZeroTier interface is active and starts with "zt" prefix, then the firewall zone rules will apply for this interface. This is due to the fact that in the /etc/config/firewall file, the following line exists:

config zone
        option name 'zerotier'
        option input 'ACCEPT'
        option forward 'REJECT'
        option device 'zt+'
        option output 'ACCEPT'

Basically, the configuration line option device 'zt+' tells the router that if there's any interface, virtual or physical, starting with the prefix "zt", it should get assigned to the ZeroTier firewall zone and will behave according to the rules which are applied to this zone.

Let me know if this answers your question.

Best regards,

Tomas.

Best answer
Tomas,

Thanks for the explanation, I've done some research on the device option after reading your post and it makes perfect sense now.

It would be great if the GUI was capable of parsing this and showing the "zt+" devices on the zone selection page of the firewall but with the system working, that's just a "nice to have".

Thanks again.
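To make the 'zt+' device matching from the answer concrete, here is an added Python example (not from the thread, nor Teltonika or OpenWrt code) that parses a constructed /etc/config/firewall fragment and applies the trailing-'+' prefix wildcard to a constructed list of interface names; the lan zone and the interface names are assumptions.

```python
import re

# Constructed sample /etc/config/firewall: the zone from the thread plus a lan zone
FIREWALL_CONFIG = """
config zone
        option name 'lan'
        list device 'br-lan'

config zone
        option name 'zerotier'
        option input 'ACCEPT'
        option forward 'REJECT'
        option device 'zt+'
        option output 'ACCEPT'
"""
# Constructed interface names, as `ifconfig` on the router might list them
INTERFACES = ["br-lan", "eth0", "ztabcdef01", "zt12345678", "xzt0"]

def parse_zones(text):
    """Parse 'config zone' sections into {name: {'devices': [...], option: value}}."""
    zones, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line == "config zone":
            cur = {"devices": []}
        elif cur is not None and line:
            m = re.match(r"(?:option|list)\s+(\w+)\s+'([^']*)'", line)
            if not m:
                continue
            key, val = m.groups()
            if key == "name":
                zones[val] = cur  # same dict keeps collecting later options
            elif key == "device":
                cur["devices"].append(val)  # 'option device' or 'list device'
            else:
                cur[key] = val
    return zones

def device_matches(pattern, ifname):
    """netfilter-style wildcard: a trailing '+' matches any name with that prefix."""
    if pattern.endswith("+"):
        return ifname.startswith(pattern[:-1])
    return ifname == pattern

def zone_map(config=FIREWALL_CONFIG, interfaces=INTERFACES):
    """Map each interface to the zone whose device list claims it (None = no zone)."""
    zones = parse_zones(config)
    return {ifn: next((z for z, cfg in zones.items()
                       if any(device_matches(p, ifn) for p in cfg["devices"])), None)
            for ifn in interfaces}
```

Interfaces that map to None belong to no zone, which is why only names starting with "zt" pick up the ZeroTier zone's input/forward/output rules.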