Routing from/to a LAN / ZeroTier VPN

Hi,

I have 3 sites (A, B, C) that contain the same local IP class, 192.168.1.0/24. Each site contains a Teltonika with functional ZeroTier (Site A 10.147.17.21 - Site B 10.147.17.22 - Site C 10.147.17.23).

I want to create a different virtual class for each site. (Site A 192.168.21.0/24 - Site B 192.168.22.0/24 - Site C 192.168.23.0/24)

From the Windows PC, I want to be able to access each terminal equipment at each site, using the virtual classes. For example, to access 192.168.1.102 of site A, we use the virtual class address 192.168.21.101, or, for site C, 192.168.23.101. To do this I created routes in the ZeroTier application. See below.

I declared the routes in the Teltonika with the route add command via the CLI, like this:

ip route add 192.168.21.0/24 via 192.168.1.1 dev br-lan
or
ip route add 192.168.21.0/24 via 10.147.17.21 dev ztly54hblu (ZeroTier interface)
or
ip route add 192.168.21.0/24 dev br-lan

But nothing works when I ping.
So I don’t know how to do it.
I hope I was clear.

Thanks for your help

Hello,

How do you perform network address translation on your routers to map between 192.168.2x.0/24 ↔ 192.168.1.0/24?

Could you try adding the following couple of lines in the router’s Network → Firewall → Custom rules page:

  • Site A:

    • iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 10.147.17.0/24 -j NETMAP --to 192.168.21.0/24
    • iptables -t nat -I PREROUTING -s 10.147.17.0/24 -j NETMAP --to 192.168.1.0/24
  • Site B:

    • iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 10.147.17.0/24 -j NETMAP --to 192.168.22.0/24
    • iptables -t nat -I PREROUTING -s 10.147.17.0/24 -j NETMAP --to 192.168.1.0/24
  • Site C:

    • iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 10.147.17.0/24 -j NETMAP --to 192.168.23.0/24
    • iptables -t nat -I PREROUTING -s 10.147.17.0/24 -j NETMAP --to 192.168.1.0/24

For example (the rules slightly differ to match the configuration of my testing environment):

This is somewhat based on the solution in this article: Overlapping subnets with IPsec solution - Teltonika Networks Wiki

You will still need to keep these routes in the ZeroTier network management panel:

With these, I was able to replicate your scenario (with 2 RUTs for simpler testing) and was able to reach devices behind both RUTs from an Android phone (that would be the Windows PC in your case) connected to the same ZeroTier network.

Best regards,

Thank you very much for your answer.
It works great.

I have another site that works with a /16 class: 192.168.0.0/16, with virtual class 192.169.0.0/16.
Here is the representation of the infrastructure below.

I have 3 floors (1, 2, 3) that contain the same local IP class 192.168.0.0/16.
For all floors there is only one Teltonika with functional ZeroTier (10.147.1.1/16).

I want to create a virtual class /16 that works for all floors. (Floor No. 1 192.169.1.0/16 – Floor No. 2 192.169.2.0/16 – Floor No. 3 192.169.3.0/16)

From the Windows PC, I want to be able to access each terminal equipment on each floor, using only one virtual class, 192.169.0.0/16. For example, to access 192.168.1.1 of floor No. 1, we use the virtual class address 192.169.1.1, or, for floor No. 3, 192.169.3.1.

To do this I created a route in the ZeroTier application. But there is a warning message. See below.

No Private IP space. Client will need to set Allow Global

I put the following routes in the Teltonika:

iptables -t nat -I POSTROUTING -s 192.168.0.0/16 -d 10.147.0.0/16 -j NETMAP --to 192.169.0.0/16
iptables -t nat -I PREROUTING -s 10.147.0.0/16 -j NETMAP --to 192.168.0.0/16

My problem is that I can’t even access my own router over HTTP.
And I get ping responses on several IP ranges while there is nothing connected!

I hope I was clear.

Thanks for your help

Never use 192.169, as this is outside the private IP address range (RFC1918):

What is an RFC1918 Address?

You can use 192.168.0.0/24 or 192.168.1.0/24 or 192.168.2.0/24 and so on.

So I can use the virtual class 10.1.0.0/16 and do an address translation to 192.168.0.0/16?

Sure you can, it’s called ‘routing’.
Just don’t over-complicate things.
Give every site a unique subnet and you shall be fine.

It now works with 10.1.0.0/16 and not 192.169.0.0/16.
Thanks for your information.
For information: with 10.1.0.0/16 there is no longer the ZeroTier message “No Private IP space. Client will need to set Allow Global”.

Everything is routed.
Thanks to all.

Thanks for your feedback and happy it works now.

“No private IP space” refers to 192.169., as this is outside RFC1918 and hence a ‘global’ address.
10.x.x.x is perfectly fine.
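The 1:1 NETMAP translation from the Teltonika reply and the RFC1918 point raised at the end of the thread, as an added example (not a participant's post and not Teltonika code). The subnets are the ones quoted in the thread; the function names and validation checks are my own.

```python
# Added example, not from the thread: models the iptables NETMAP translation
# used above (host bits kept, network prefix swapped) and the RFC1918 check
# behind ZeroTier's "No Private IP space" warning. Function names are mine.
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True if the whole prefix lies inside one RFC1918 private block."""
    net = ipaddress.ip_network(net, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def netmap(addr, src_net, dst_net):
    """1:1 NETMAP: keep the host bits of addr, replace the network bits.

    Mirrors '-j NETMAP --to dst_net' applied to an address inside src_net.
    """
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    a = ipaddress.ip_address(addr)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP requires equal prefix lengths")
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")
    host_bits = int(a) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))


def site_rules(lan, zt_net, virtual):
    """Build the POSTROUTING/PREROUTING pair from the thread for one site,
    after checking that the virtual prefix is private, has the LAN's prefix
    length, and overlaps neither the LAN nor the ZeroTier range."""
    lan_n, zt_n, virt_n = (ipaddress.ip_network(n) for n in (lan, zt_net, virtual))
    if not is_rfc1918(virt_n):
        raise ValueError(f"{virt_n} is not RFC1918 (ZeroTier: No Private IP space)")
    if virt_n.prefixlen != lan_n.prefixlen:
        raise ValueError("virtual and LAN prefix lengths must match for NETMAP")
    if virt_n.overlaps(lan_n) or virt_n.overlaps(zt_n):
        raise ValueError(f"{virt_n} overlaps the LAN or the ZeroTier range")
    return [
        f"iptables -t nat -I POSTROUTING -s {lan_n} -d {zt_n} -j NETMAP --to {virt_n}",
        f"iptables -t nat -I PREROUTING -s {zt_n} -j NETMAP --to {lan_n}",
    ]


if __name__ == "__main__":
    # Site A: the PC targets 192.168.21.101; PREROUTING rewrites it to 192.168.1.101.
    print(netmap("192.168.21.101", "192.168.21.0/24", "192.168.1.0/24"))
    for rule in site_rules("192.168.1.0/24", "10.147.17.0/24", "192.168.21.0/24"):
        print(rule)
```

Running `site_rules` with the 192.169.0.0/16 virtual class from the follow-up post raises the RFC1918 error, while 10.1.0.0/16 passes, matching the outcome reported in the thread.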
