I am using OPNsense to connect to a ZeroTier network. The OPNsense box is able to ping other ZeroTier peers, and other ZeroTier peers can ping the OPNsense box using the OPNsense box's ZeroTier address. Unfortunately, none of the LAN devices behind OPNsense can successfully ping any ZeroTier addresses (other than the OPNsense box's ZeroTier address), and no ZeroTier peers can ping any LAN devices behind the OPNsense box.
I am using the os-zerotier plugin (1.3.2_4) on OPNsense. I have set the managed route in ZeroTier Central for LAN destinations to be the OPNsense's ZeroTier address. The routing tables on OPNsense and ZeroTier peers all show the appropriate routes to reach ZeroTier peers and OPNsense. When I conduct a packet capture on the ZeroTier interface when I attempt to ping from a LAN device to a ZeroTier peer, I see the request ("10.XX.XX.10 > 172.27.XX.227: ICMP echo request, id 14, seq 12, length 64") but no response. When I conduct a packet capture on the ZeroTier interface when I attempt to ping from a ZeroTier peer to a LAN device, I see both the request ("172.27.XX.227 > 10.XX.XX.10: ICMP echo request, id 55631, seq 15, length 64") and the reply ("10.XX.XX.10 > 172.27.XX.227: ICMP echo reply, id 55631, seq 15, length 64"), but the reply never reaches the ZeroTier peer, which shows a "Request timeout". I don't believe that it's a firewall issue, because I allow both incoming and outgoing traffic over the ZeroTier interface between the ZeroTier net and the LAN net.
Does anyone have any suggestions of what I should try to be able to connect my ZeroTier peers and my LAN devices? Thank you!
Did you ever figure this out? I'm having the exact same problem config seems ok, routes correct works fine on normal clients, opnsense can see remote clients from terminal, the firewall is logging egress trafiic but nothing connects on the lan side :(
Sorry for the late reply! Unfortunately, I never did figure this out. If I do figure it out, I will definitely post something, and I hope that if you figure it out, you will share your insights too. Thanks!
Could you ever figure this out? I have the same issue, i can connect from zerotier to my lan, but not other way around.
I am able to ping my ZT peers with an SNAT setup on my Opnsense config.
Firewall --> Automation --> Source NAT
Interface --> ZT Interface
Source --> any
Destination --> any
Translation/Target --> ZT Interface IP
Then define firewalls rules on ZT interface
Quote from: SurrealTech on January 14, 2025, 05:38:54 PMI am able to ping my ZT peers with an SNAT setup on my Opnsense config.
Firewall --> Automation --> Source NAT
Interface --> ZT Interface
Source --> any
Destination --> any
Translation/Target --> ZT Interface IP
Then define firewalls rules on ZT interface
My problem is connecting to LAN peers from ZT using Opnsense