ZeroTier Network Join: Complete Configuration Guide

ZeroTier Network Join: Complete Configuration Guide

RouterOS Version

Primary Version: 7.16 | Minimum: 7.1rc2 | Difficulty: Intermediate | Time: 30 minutes

TL;dr (quick start)

For the impatient: here’s the 30-second version.

# Enable ZeroTier and join a network (then authorize in controller)
/zerotier enable zt1
/zerotier interface add network=YOUR_NETWORK_ID instance=zt1 name=zerotier1
# After authorization, verify status
/zerotier interface print

Overview

ZeroTier creates secure, encrypted virtual networks that span the globe, allowing devices to communicate as if they were on the same local network. Unlike traditional VPNs that require complex server infrastructure, ZeroTier uses a peer-to-peer architecture with automatic NAT traversal, making it ideal for connecting remote sites, IoT devices, and mobile users without exposing services to the public internet.

This guide covers joining a MikroTik RouterOS device to an existing ZeroTier network, understanding the underlying concepts, and troubleshooting common connectivity issues.

Understanding ZeroTier Architecture

The Network Hypervisor Concept

ZeroTier implements what they call a “network hypervisor” - a virtualization layer that creates Ethernet-like networks over the internet:

Key Components

Planet Servers: Global root servers that help nodes discover each other and facilitate initial connections. These are operated by ZeroTier Inc.

Network Controller: Manages network membership, assigns IP addresses, and distributes configuration. Can be ZeroTier’s cloud service or self-hosted.

Virtual Network Interface: On RouterOS, this appears as zerotier1 (or similar) - a virtual Ethernet interface that handles encrypted packet encapsulation.

Node Identity: Each ZeroTier instance has a unique 40-bit address (like 879c0b5265) that serves as its cryptographic identity.

Network Types

Public Networks: Anyone can join (rarely used in production) Private Networks: Require authorization from the network controller (recommended)

Prerequisites

• RouterOS 7.1rc2 or later
• ARM or ARM64 architecture device (x86 not supported)
• ZeroTier package installed
• Internet connectivity on UDP port 9993
• Access to ZeroTier network controller (my.zerotier.com or self-hosted)
• Network ID of the ZeroTier network to join

Understanding ZeroTier Networking

IP Address Assignment

ZeroTier networks can assign IP addresses in several ways:

1. Managed Assignment: Controller assigns from a pool (most common)
2. Manual Assignment: Administrator manually assigns specific IPs
3. IPv6 Auto-assignment: RFC4193 or 6plane modes for IPv6

NAT Traversal and Connectivity

ZeroTier uses sophisticated NAT traversal techniques:

Direct Connection: When possible, nodes connect directly using UDP hole punching Relayed Connection: If direct connection fails, traffic routes through planet servers Local Network Discovery: Nodes on the same LAN can discover each other directly

Configuration Steps

Step 1: Install ZeroTier Package

Download and install the ZeroTier package (if not already installed):

/system package print where name=zerotier

If not present, download from MikroTik’s extra packages and reboot after installation.

Step 2: Enable ZeroTier Instance

Enable the default ZeroTier instance:

/zerotier enable zt1

Step 3: Join Network

Join your ZeroTier network using the 16-character network ID:

/zerotier interface add network=1d71939404912b40 instance=zt1 name=zerotier-main

Step 4: Configure Firewall Rules

Allow ZeroTier traffic through the firewall:

/ip firewall filter add action=accept chain=input in-interface=zerotier-main place-before=0 comment="Allow ZeroTier management"
/ip firewall filter add action=accept chain=forward in-interface=zerotier-main place-before=0 comment="Allow ZeroTier forwarding"

Verification

Check that the ZeroTier interface is created and attempting to connect:

/zerotier interface print

Expected Output:

Flags: R - RUNNING
#   NAME           MAC-ADDRESS        NETWORK           NETWORK-NAME     STATUS
0 R zerotier-main  42:AC:0D:0F:C6:F6  1d71939404912b40  modest_metcalfe  ACCESS_DENIED

Verify the interface receives an IP address after authorization:

/ip address print where interface=zerotier-main

Expected Output (after authorization):

Flags: D - DYNAMIC
#   ADDRESS             NETWORK        INTERFACE
0 D 192.168.192.105/24  192.168.192.0  zerotier-main

Network Authorization Process

For Private Networks

If the network is private (recommended), you must authorize the device:

1. Check Node Address:

/zerotier print

Note the identity (first 10 characters, e.g., 879c0b5265)

2. Authorize via Controller:

   • Log into my.zerotier.com (or your controller)
   • Navigate to your network
   • Find the new node in the members list
   • Check the “Authorized” checkbox
   • Optionally assign a specific IP address

3. Verify Authorization:

/zerotier interface print

Status should change from ACCESS_DENIED to OK

Understanding Member Status

ACCESS_DENIED: Node is not authorized (private networks only) OK: Node is authorized and connected NOT_FOUND: Network ID doesn’t exist or node can’t reach controller PORT_ERROR: Local port conflict (rare) CLIENT_TOO_OLD: ZeroTier version incompatible

Advanced Configuration

Allowing LAN Access Through ZeroTier

To allow ZeroTier clients to access your local LAN:

1. Add route in ZeroTier controller pointing your LAN subnet to this router’s ZeroTier IP
2. Configure source NAT (if needed):

/ip firewall nat add chain=srcnat out-interface=ether2 src-address=192.168.192.0/24 action=masquerade comment="ZeroTier to LAN access"

Multiple Network Membership

Join multiple ZeroTier networks:

/zerotier interface add network=8056c2e21c000001 instance=zt1 name=zerotier-work
/zerotier interface add network=a09acf0233000002 instance=zt1 name=zerotier-home

Each network gets its own virtual interface and IP address space.

Custom Instance Configuration

Create additional ZeroTier instances for isolation:

/zerotier add name=zt-isolated port=9994
/zerotier enable zt-isolated
/zerotier interface add network=your-network-id instance=zt-isolated

Troubleshooting

Problem: Status shows “ACCESS_DENIED”

Cause: Network is private and node isn’t authorized Solution:

1. Verify network ID is correct
2. Check authorization in network controller
3. Wait up to 60 seconds for status to update

Problem: Status shows “NOT_FOUND”

Cause: Network doesn’t exist or connectivity issues Solution:

1. Verify network ID (case-sensitive, exactly 16 characters)
2. Check internet connectivity: /ping 8.8.8.8
3. Verify UDP port 9993 isn’t blocked

Problem: Can’t ping other ZeroTier nodes

Cause: Firewall blocking traffic or routing issues Solution:

1. Check firewall rules allow ZeroTier interface
2. Verify both nodes are authorized on the network
3. Test with: /ping [remote-zerotier-ip] interface=zerotier-main

Problem: High latency or packet loss

Cause: Connection is being relayed through planet servers Solution:

1. Check if direct connection is possible: /zerotier peer print
2. Look for “RELAY” in path - indicates relayed connection
3. Consider network configuration (symmetric NAT, firewall rules)
4. Enable UPnP/NAT-PMP on router if possible

Problem: ZeroTier interface doesn’t get IP address

Cause: Network controller not assigning managed IPs Solution:

1. Check network settings in controller
2. Verify “Auto-Assign from Pool” is enabled
3. Manually assign IP in controller if needed
4. Check if IP pool is exhausted

Useful Debug Commands

# Check ZeroTier instance status
/zerotier print detail

# View peer connections and paths
/zerotier peer print

# Monitor interface statistics
/interface monitor zerotier-main

# Check routing table for ZeroTier routes
/ip route print where gateway~"zerotier"

# View ZeroTier-specific firewall hits
/ip firewall filter print stats where comment~"ZeroTier"

Security Considerations

Network Isolation

ZeroTier interfaces should be treated like any other network interface:

# Restrict ZeroTier access to specific services
/ip firewall filter add chain=input in-interface=zerotier-main protocol=tcp dst-port=22 action=accept comment="SSH from ZeroTier"
/ip firewall filter add chain=input in-interface=zerotier-main protocol=tcp dst-port=80 action=accept comment="HTTP from ZeroTier"
/ip firewall filter add chain=input in-interface=zerotier-main action=drop comment="Block other ZeroTier access"

Private Network Best Practices

1. Always use private networks for production
2. Regularly audit network members and remove unused devices
3. Use descriptive member names in the controller
4. Consider network segmentation for different device types
5. Monitor connection logs for suspicious activity

Firewall Integration

ZeroTier traffic appears as regular network traffic once decrypted:

# Allow specific ZeroTier subnets only
/ip firewall address-list add list=zerotier-allowed address=192.168.192.0/24
/ip firewall filter add chain=forward src-address-list=zerotier-allowed action=accept

Common Use Cases

Remote Site Connection

Connect branch offices without complex VPN setup:

• Each site joins the same ZeroTier network
• Configure routing to allow inter-site communication
• Use ZeroTier for management traffic, local internet for user traffic

IoT Device Management

Securely manage IoT devices across multiple locations:

• Devices join ZeroTier network for management
• No need to expose SSH/HTTP to internet
• Centralized monitoring and configuration

Mobile Worker Access

Provide secure access to company resources:

• Mobile devices join company ZeroTier network
• Access internal services without traditional VPN complexity
• Works seamlessly across different internet connections

Performance Optimization

Connection Quality

Monitor connection paths to optimize performance:

/zerotier peer print

Look for:

• “active,preferred” indicates good direct connection
• “RELAY” indicates suboptimal relayed connection
• Latency values for connection quality assessment

MTU Considerations

ZeroTier adds encryption overhead. Default MTU is 2800 but may need adjustment:

/interface set zerotier-main mtu=1400

Test with different MTU sizes if experiencing fragmentation issues.

Related Topics

VPN Alternatives

• WireGuard VPN - modern peer-to-peer VPN
• WireGuard Site-to-Site - RouterOS native WireGuard
• IPsec IKEv2 - enterprise VPN standard
• L2TP VPN Server - legacy VPN option

Prerequisites

• Package Installation - install ZeroTier package
• Firewall Basics - allow ZeroTier traffic

Network Configuration

• Static Routes - routing through ZeroTier network
• NAT - masquerade for LAN access
• Bridge Configuration - Layer 2 ZeroTier integration

Security

• IP Services - management access restrictions
• Firewall Address Lists - ZeroTier subnet control

References

• Official ZeroTier Documentation
• MikroTik ZeroTier Package Documentation
• ZeroTier Guides
• ZeroTier Central Platform