This is a quick explanation of how to configure both ZeroTier and two Ubiquiti UniFi USGs to allow routing between two IPv4 networks. Both networks are in private (RFC1918) address space and each one has its own DHCP service. There is no need for NAT between them, only IP routing.
The two networks are 192.168.1.0/24 (call this the "left" network) and 192.168.10.0/24 (the "right" network) but they can be anything. Also, you can have multiple CIDR blocks on one side or the other of the ZeroTier route; if you do, you just have to create more routing table entries.
- Create a ZeroTier network to serve as the connection between the two LANs. Give it a private address space that does not overlap either of the two LANs' RFC1918 spaces. In this example, the ZeroTier network uses
172.25.0.0/16. Note again that this has to be different from the space used by either of the LANs. - Add at least one device from each LAN to the ZeroTier network (install client software, add it as a member, etc.) to act as a gateway between the LAN and ZeroTier. These devices should have static addresses on their respective LANs. Note the ZeroTier IPv4 address that each gets assigned, or manually assign them ones within the address range that you've decided to use for ZeroTier (
172.25.x.xhere). Useifconfigor a similar tool to check that each device has both its regular LAN network interface and also the ZT interface (zt0usually), and that they each have the IPv4 addresses you expect. - Set up the routes within ZeroTier. In the upper-right of the ZeroTier Central web interface, under "Managed Routes", add a route for each of the LANs. The routes you want to add are from each LAN's subnet to the ZeroTier address of the gateway that's on that LAN. So, if the
192.168.1.0/24network has a gateway device with the ZeroTier address172.25.1.1, you would create a route with192.168.1.0/24in the "Network/Bits" field and172.25.1.1in the LAN field. You need to set up at least two routes, one for each LAN at either end.
At this point you have ZeroTier set up, but you still need to put the routes into the LAN devices' routing tables and create appropriate firewall rules. This can be done through the UniFi web interface, and you need to do it on either end. These instructions assume you have a USG at both sites.
- In the UniFi web interface, go to "Settings", then "Routing and Firewall", then "Static Routes".
- On each LAN, create a static route for the other LAN's IP address range, with the "Next Hop" set to the LAN IPv4 address of the ZeroTier gateway. (This is the address that the gateway machine has on the interface that connects to the LAN, not its ZeroTier-defined IPv4 address on the
zt0interface.) E.g.: on the USG for the192.168.1.0/24(left) network, you would need to create a route to192.168.10.0/24(right) address range, with the "Next Hop" set to192.168.1.Xwhere .X is whatever the gateway machine's LAN IP address is. Set the "Hop Distance" to 1. - This is the important part: In addition to these routes, which are pretty standard, you will probably also want to create a route on either end routing to/from the ZeroTier address range. If you don't do this, devices that are directly connected to the ZeroTier network won't be able to talk to LAN devices, which at the very least makes troubleshooting difficult. This route would look like
172.25.0.0/16as the network, with the "Next Hop" set to the same LAN IPv4 gateway machine address as in Step 2 above.
It can take a few minutes for the routes in the UniFi controller to propagate down to the USG, so give it a chance before testing.
iptables setup for lan gateway: sudo nano /etc/sysctl.conf #set net.ipv4.conf.all.rp_filter=2 sudo sysctl -p sudo sysctl net.ipv4.ip_forward sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT sudo iptables -A FORWARD -i z0 -o eth0 -j ACCEPT sudo apt install iptables-persistent sudo netfilter-persistent save sudo iptables-save