I could ask for a diagram ;)
So let's assume the following about your ZT – correct me if wrong:
- You are using my.zerotier.com as the ZT controller (i.e. not running a local controller under /zerotier/controller on the Mikrotik)
- Nothing in ZT is bridged, specifically:
  - no "member" (aka peer) has "bridging" checked in the controller
  - the ZT interface on RouterOS is a "standalone" interface, not a bridge port
- Each ZT network has its own IP subnet too. Here we'll say it's 172.22.22.0/24 (but it will be whatever the my.zerotier.com network has set)
- Mikrotik has ZT address 172.22.22.88
- "Boat" has ZT address 172.22.22.55
And, the problem is you want 192.168.88.0/24 to always be routable, whether "Boat" is connected to LTE, or is docked near Mikrotik's Wi-Fi. Similar in reverse.
Keep in mind ZeroTier still works fine even if you are connected to the Wi-Fi on the boat. ZeroTier should use a local tunnel over Wi-Fi and just work. By design, it should use a more direct path, which would be Wi-Fi, to establish the tunnel (it would still be tunneled, however).
But to cover the case when the boat's ZT goes down but it's docked on the Mikrotik's Wi-Fi... If you still want routing between the networks, then it looks something like this:
1. The ZT network needs to have these routes defined at my.zerotier.com. There is a routing section where you can add routes. You'd need two defined on the ZT cloud side:
   192.168.88.0/24 via 172.22.22.88
   192.168.55.0/24 via 172.22.22.55
2. On the Mikrotik, change the ZeroTier "route distance", i.e. /zerotier/set zt1 route-distance=9
3. On the Mikrotik, assign a DHCP reservation for the boat, so you know the 192.168.88.0/24 address it gets (or assign it statically on the boat side for the Mikrotik SSID). Let's say it's 192.168.88.55 (note: it is helpful if the ZT IP address (172.22.22.x) aligns with x in the 192.168.x.1 subnet used as LAN)
4. Add a route with "check-gateway" for when the boat is on Wi-Fi, i.e. /ip/route add dst-address=192.168.55.0/24 gateway=192.168.88.55 distance=1 check-gateway=ping
5. If the Mikrotik was in a default config, single LAN, then the easiest is to just add the "zerotier1" interface to the "LAN" interface list. But with a custom firewall, you'd likely need to allow the desired 192.168.55.0/24 traffic. You would not want to use some interface matcher, since the 192.168.55.0 could come via ZT or Wi-Fi in this example. But it follows whatever firewall scheme is used for VLANs/etc. otherwise.
6. On the remote router, to enable ZT-less operation, you shouldn't need to do anything since the Mikrotik is already the gateway (i.e. no static route needed).

Statistics: Posted by Amm0 — Sat Jun 01, 2024 5:38 pm
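
The failover logic of steps 2 and 4, as an added example that is not part of Amm0's post: a simplified Python model of route selection (longest prefix, then lowest distance, with check-gateway dropping a route whose gateway stops answering). It is not RouterOS code; the test host 192.168.55.10 and all function and variable names are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    dst: str
    gateway: str
    distance: int
    check_gateway: bool = False  # models check-gateway=ping

LAN, ZT = "192.168.88.0/24", "172.22.22.0/24"

# Routes towards the boat LAN on the Mikrotik after steps 1-4 (values from the post).
ROUTES = [
    Route("192.168.55.0/24", "192.168.88.55", 1, True),   # static, via Wi-Fi lease
    Route("192.168.55.0/24", "172.22.22.55", 9),          # pushed by ZeroTier
]
# Same table with check-gateway left off the static route (the misconfiguration).
NO_CHECK = [Route("192.168.55.0/24", "192.168.88.55", 1), ROUTES[1]]

def select(routes, dest, on_link, answers_ping):
    """Return the active route for dest, or None.

    on_link: networks with a live interface (LAN, plus ZT while the tunnel is up).
    answers_ping: gateways that currently respond; only check_gateway routes care.
    """
    addr = ipaddress.ip_address(dest)
    links = [ipaddress.ip_network(n) for n in on_link]
    usable = []
    for r in routes:
        net = ipaddress.ip_network(r.dst)
        gw = ipaddress.ip_address(r.gateway)
        if addr not in net or not any(gw in n for n in links):
            continue  # wrong prefix, or gateway not on a live interface
        if r.check_gateway and r.gateway not in answers_ping:
            continue  # check-gateway has marked the route inactive
        usable.append((-net.prefixlen, r.distance, r))
    return min(usable, key=lambda t: t[:2])[2] if usable else None

def active_gateway(routes, zt_up, docked):
    """Gateway used for a host on the boat LAN in a given connectivity state."""
    links = [LAN] + ([ZT] if zt_up else [])
    pings = {"192.168.88.55"} if docked else set()
    r = select(routes, "192.168.55.10", links, pings)
    return r.gateway if r else None

if __name__ == "__main__":
    for zt_up in (True, False):
        for docked in (True, False):
            print(f"zt_up={zt_up} docked={docked} ->", active_gateway(ROUTES, zt_up, docked))
```

With `NO_CHECK`, the distance-1 static route stays selected while the boat is away on LTE, so traffic for 192.168.55.0/24 is sent to a LAN address that no longer answers instead of falling back to the ZeroTier route.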