Zerotier OPNSense interface binding #239
Comments
FWIW, there is a new "lock interface" feature since 17.7.1 as well, maybe that's already enough. It's untested with zerotier, so "don't do this at home" (yet).

Will investigate! :-) -=david=-

Another note, it seems when I bind ZT to an interface in OPNSense and enable DHCP for IPv4 (wasn't sure what auto-assign in ZT uses), a few things happened:

Let me know how I can help! I'm a fairly experienced linux sysad, and semi-know my way around nets.

+1, lost my gateway as well when trying out Zerotier with DHCPv4 as IP scheme.

Hi, Thank you for the feedback. I hope to look into this over the course of this weekend. :-) -=david=-

@StrikerTwo can you clarify please - are you attempting to use DHCPv4 on the Zerotier interface within OPNsense, or have you defined the auto-assigned IP address range in my.zerotier.com? Thank you.

@dharrigan to speak for myself, I set that on the ZT interface in OPNSense, but also set auto-assigned IPs in my.zerotier.com (thinking ZT central would use DHCP as a protocol for ipv4, but that's probably naive).

@dharrigan I tried to use DHCPv4 on the Zerotier interface. My gateway was gone immediately, so I don't think it even had time to connect to Zerotier and get an IP.

Hi, I've been doing some investigation. More to do, but this works for me: I created a new network on zerotier WITHOUT enabling autoassign of IP addresses (I believe it's best, otherwise OPNsense will get confused when it brings up/down interfaces - more investigation required). In effect, you are saying that you will assign the IP addresses to each node, either statically or via DHCP. I can confirm that if you do that, then you can enable DHCP on the zerotier interface (after assignment) within OPNsense then other nodes joining the network will be issued DHCP addresses from the pool you specify. I chose a subnet of 172.30.0.0/16 (others will work too) on my.zerotier.com. I installed the plugin on OPNsense and enabled the service (so that the green play button shows). I then added the network id I created above to the VPN...Zerotier form and enabled the network (from OPNsense's point of view). I checked that the node (running opnsense) showed up on my.zerotier.com and authorized it to connect. On OPNsense, I then went to interface assignments and assigned the new zerotier interface to a new interface (OPT1). I went into OPT1 and gave the interface a static IP address of 172.30.0.10/16. On a completely separate computer in another country I installed zerotier one, joined the network created above, went into my.zerotier.com and authorized the node, then on the node I did:
I confirmed that the zt0 interface was assigned the IP address and that the route for 172.30.0.0/16 was set to go out via zt0. Back on OPNsense, I went into the firewall rules configuration, selected OPT1 and allowed all traffic to pass (don't forget, that as soon as you assign an interface, that interface falls under the same firewall rules as other interfaces, so you have to allow IPV4/6 to flow as suitable for your requirements). I was then able to ping (and ssh) from the remote node to the OPNsense box via 172.0.30.10 and vice-versa, I was able to ssh (and ping) to the remote node of 172.0.30.20 from OPNsense. Further, I removed the IP from the remote node, then after configuring DHCP (with a pool of 172.0.30.100 to 172.0.30.200) on OPNsense on the OPT1 interface, I was able to do So, right now, I have a bi-directional secure VPN network between two different nodes within the zerotier network, with one of those nodes being OPNsense and allowing me to do all the interface things I would expect. I believe, given this configuration so far, things like Quagga, or any other services that can bind to interfaces would work as expected. I'm still doing some investigation on a few things, but let me know if you can replicate this. I didn't observe my gateway go down. If it goes down, can you provide me some more details please? Hope this helps! -=david=-

I do not doubt that you can get it to work. Still, (maybe naively) selecting DHCPv4 on the Zerotier interface should not leave the system without a working gateway. Maybe the problem is that my WAN address gets assigned via DHCPv4 as well?

Hi,
Thank you for the reply. My WAN interface is assigned via DHCP too
(although I connect my OPNsense router to the modem via PPPoE). In my test
rig, I configured my WAN interface to use DHCP too and I was unable to
reproduce the issue you have observed, but let me do some more testing. Can
you let me know if, by following my previous post, it works for you? If it
still fails, please do let me know what your route table is like (netstat
-nr) and perhaps logging what the system log shows (clog -f
/var/log/system.log) would be helpful too.
In all my previous experiences of Zerotier, it has never replaced the
default gateway (as you should be using a different subnet from your own
LAN network, i.e., if your LAN subnet is 192.168.1.0/24 you should create a
Zerotier network like 192.168.10.0/24 or 172.16.0.0/16 - something like
that - otherwise, yes, Zerotier would assume control of your LAN as the IP
addresses are the same!) Can you confirm your LAN is different from the
network subnet you are using on Zerotier?
Thank you.
Let me know how you get along!
-=david=-
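
The checks David asks for above (a Zerotier subnet that does not overlap the LAN, a statically assigned OPT1 address and DHCP pool inside that subnet, and a `netstat -nr` table whose default route does not leave via Zerotier) as an added Python script; this is example code, not part of the plugin or of anyone's post in this thread. The `netstat -nr` text is a constructed sample in FreeBSD's column layout, 192.0.2.1 stands in for a WAN gateway, and the pool is assumed to sit inside 172.30.0.0/16.

```python
import ipaddress

# Constructed sample of FreeBSD `netstat -nr` output (not captured from the thread);
# 192.0.2.1 stands in for the real WAN gateway on em0.
SAMPLE_NETSTAT = """\
Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
10.0.0.0/8         link#2             U           em1
172.30.0.0/16      link#4             U           zt0
"""

def default_route_iface(netstat_output):
    """Return the Netif column of the IPv4 default route, or None if there is none."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "default":
            return fields[3]
    return None

def check_layout(lan_cidr, zt_cidr, opt1_ip, pool_start, pool_end, netstat_output):
    """Return a list of problems; an empty list means the layout looks sane."""
    problems = []
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    zt = ipaddress.ip_network(zt_cidr, strict=False)
    opt1 = ipaddress.ip_address(opt1_ip)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    # The same subnet on LAN and Zerotier lets Zerotier "assume control" of the LAN.
    if lan.overlaps(zt):
        problems.append(f"Zerotier subnet {zt} overlaps LAN {lan}")
    # The statically assigned OPT1 address must live in the Zerotier subnet.
    if opt1 not in zt:
        problems.append(f"OPT1 address {opt1} is outside {zt}")
    # The OPNsense DHCP pool must lie inside the subnet and must not contain OPT1.
    if lo not in zt or hi not in zt or lo > hi:
        problems.append(f"DHCP pool {lo}-{hi} is not a valid range inside {zt}")
    elif lo <= opt1 <= hi:
        problems.append(f"OPT1 address {opt1} sits inside the DHCP pool {lo}-{hi}")
    # Zerotier must never become the default gateway.
    gw_if = default_route_iface(netstat_output)
    if gw_if is None:
        problems.append("no IPv4 default route")
    elif gw_if.startswith("zt"):
        problems.append(f"default route goes out via Zerotier interface {gw_if}")
    return problems

if __name__ == "__main__":
    print(check_layout("10.0.0.0/8", "172.30.0.0/16", "172.30.0.10",
                       "172.30.0.100", "172.30.0.200", SAMPLE_NETSTAT))
```

Replace `SAMPLE_NETSTAT` with the real `netstat -nr` output from the OPNsense box to check a live layout.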
Yes, my LAN network (10.0.0.0/8) is quite different from the Zerotier range. But again, I think the problem is that I selected DHCPv4 as IP method on the Zerotier interface. According to your description, you always used static IPs in OPNsense on the Zerotier interface (OPT1 in your post). It would be okay if that didn't work and I had to assign IPs manually. But with the default gateway gone it didn't even connect to Zerotier. And Zerotier should never be the default gateway, anyway. I can do some more testing myself next week to see if I can isolate the problem and/or provide you with logs.

Hi, Thank you. Do let me know how it goes. You can chat to me on freenode (#opnsense) if you want. -=david=-

Hi, Did you try to set the interface to a static IP as discussed above, rather than DHCP?

Yes, I did. That works. But
a) I would like to use the ZT auto-assign method, and
b) the system shouldn't do something I didn't tell it to ;)
Are you saying DHCP is generally unsupported with the ZT plugin? Because I could live with that, but it should be documented somewhere.

Hi,
That's great news that it works with a static IP, I'm very happy to hear
that. With regards the other points:
1. I'll do some testing with the auto-assign on the ZT network, although I
do believe you still need your interface IP to be statically assigned.
2. I firmly agree and I'll see if this is a problem that is because of some
assumptions that the zerotier service does, or something that is inherent
within OPNsense.
DHCP does work with the zerotier plugin, as shown above. Once you've
assigned your interface a static IP (and your zerotier network has
auto-assigned turned off) then you can enable the OPNsense DHCP server for
the zerotier interface and any other node joining your network will have IP
addresses handed out to it by the DHCP server. I've got this to work
successfully for me (as shown above). If, on the other hand, you are asking
if auto-assign of IP addresses is unsupported, then as we have discovered
together, it does seem to be problematic - but perhaps it's just a gap in
my understanding that can be fixed with some more investigation.
I'm putting together some documentation for how to do the basics with the
plugin - just waiting on the appropriate privileges to push this document
up to the OPNsense documentation repo.
I've really appreciated your comments and feedback on the plugin and I do
hope you find it useful and I thank you for your patience whilst it
improves.
If you're happy with this, I'll close the ticket and raise a ticket for
myself to put in some documentation on getting it to work.
-=david=-
Thank you for your work and your comments. Are there any drawbacks in running your own DHCP server on the ZT network instead of using the ZT assignment functionality? (Other than it being a SPOF, so it HAS to be online in order for the network to work) Edit: Sure, go ahead and close this one.

Hi, I haven't observed any drawbacks from running DHCP on Zerotier - in fact, they support this model, although there is some discussion on the merits of DHCP on Zerotier (see zerotier/ZeroTierOne#322). However, my view at the moment is that since you trust OPNsense (so to speak) and are configuring DHCP on OPNsense, then handing out IP addresses to hosts on your Zerotier network is okay :) -=david=-

@fichtner Can you close this ticket please and raise a new one to provide Zerotier plugin how-to documentation. Thank you.

Sure, done. :)



Continuing from opnsense/core#1775.
Per @dharrigan:
My eventual goal is to use BGP or OSPF over a Zerotier "virtual switch" between a bunch of OPNSense routers.
@dharrigan I'm no core team (or even peripheral team) member, but I'm happy to test and debug!