ZeroTier One bridging

Hi guys,

I’ve tried the ZeroTier addon and I find very usefull to access HA without port forwarding.

But it’s very anoying to loose the local acces from my regular network.

And it could be very nice if we can have an bridge between local lan let say (192.168.10.x) and ZeroTier lan (10.0.10.x)
On this case we can access from work via ZeroTier all the devices (printers, NAS, etc…) on the home local lan.

Someone knows how to do that and can help me with that?

Hi,

I’m interested too. Has anyone worked on this?
I can access my Home Assistant UI from remote via local IP thanks to ZT, but my setup is missing the routing inside hassio permitting access to other devices in the same LAN.

Im also very interested in this, to be able to access my tasmota devices on the network, and pretty much every DIY thing I have made / added to my home over the last 6months… everything has a web interface now

On the zeroteir wiki there is info on how to do this, however its above my pay grade to make these changes in HA without breaking something! and i would rather not have a pi setup just for this… just another thing to maintain
https://zerotier.atlassian.net/wiki/spaces/SD/pages/224395274/Route+between+ZeroTier+and+Physical+Networks
https://zerotier.atlassian.net/wiki/spaces/SD/pages/193134593/Bridge+your+ZeroTier+and+local+network+with+a+RaspberryPi

1 Like

So trying to figure this out on my own now due to the lack of response, this was done through SSH/Web terminal addon. and assumes you have installed the Zeroteir addon and have authorized home assistant and setup your phone or another device too.

first step of the guide is to
Edit /etc/sysctl.conf to uncomment net.ipv4.ip_forward . This enables forwarding at boot.
however when i open the file its pretty much empty and states this will override sysctl.d

doing the following command i can see other forwarding in there so think it must be enabled already (note the capital S)

sudo iptables -S

Next i typed ifconfig look for the main HA ip address and the Zeroteir IP address and customize the following to match. then enter it on the command line

PHY_IFACE=enp0s3; ZT_IFACE=ztly5wnjgg

then cut and paste the below into terminal

sudo iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
sudo iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT

Next i logged into ZeroTeir and added the managed route
destination i set to my home network range 192.168.1.0/24
via I set to the IP of the Home assistant Zeroteir IP

this worked a treat and i can now access my devices on the home network from my phone when not at home!!!

the last step to save the rules

sudo bash -c iptables-save > /etc/iptables/rules.v4

i havent tested if it persists across boots…

3 Likes

Across core boots, it does

Hi Chris,

Really appreciate your walk through and been working well as long as I don’t update HA OS. However, during the last update, i noticed that your walk through is no longer working. Before this update, should there be any updates on the HA OS all i needed to do is to re-apply your walk through and all be working again.

After i compare before and after updates i realized that the default iptables on previous (working) OS is totally different, as in the new version of the OS has completely zero rules on the iptables. Hence after i tried to apply your walk through, it’s no longer working.

I’m not familiar with linux whatsoever and it’s kinda frustating to solve this myself. Perhaps you could help me with another walk through?

Best Regards,

Rudolph.

I found this out yesterday too… I had noticed the changes in the latest update and had a feeling it may happen. basically in HAOS9.4 they changed to NF-Tables.

Ive been reading the documentation and cant figure it out just yet… will keep you in the loop with my progress

Hi Chris,

Thank you so much. Looking forward to it!

Many Thanks,

Rudolph.

Hi Chris,
Also just found this issue! remote access not working now, and had been running very well for months… Please also let me know if you find an equivalent way to do this using NF tables. Happy to help with testing. I will also play around a little in the meantime…

Hi, so I found out after a bit of digging in release notes that HAOS 9.4 is using iptables as a front end and nftables as the backend! so all thats needed is in the commands above, replace the command ‘iptables’ with ‘iptables-nft’ and it works fine, routing works again.

Not so sure about the save command, and reboots etc. There is an ‘iptables-nft-save’ equivalent commnand, but i am not sure piping its output to /etc/iptables/rules.v4 is the correct thing to do in this case… open to suggestions :slight_smile:

Thanks for that, im only just getting back to looking at this now… crazy christmas season and all…

Confirmed this worked for my use case too, for the ease of cut and paste this is the change below.

// Check current status
sudo iptables-nft -S

// Set interfaces
PHY_IFACE=enp0s3; ZT_IFACE=ztly5wnjgg

//add them to the tables
sudo iptables-nft -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
sudo iptables-nft -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables-nft -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT

// Check status
sudo iptables-nft -S

Im not sure if it is as fast as the old tables or if something else has changed, I cant stream my cameras at the full bitrate anymore… it could just be there is more people clogging up the 4g at the moment, even yt is slow

1 Like

Hey Chris,

How do you activate the port forwarding at boot ?
How do you change the “-P FORWARD DROP” to -P FORWARD ACCEPT" in the iptables-nft ?

I would have tought that etc/nftables.conf would have been present but it is not.

I am trying to figure out how to edit this but can’t find the answer (see the results of “sudo iptables-nft -S” below, does it seems Ok ?

thanks

Another update another change… any ideas this time??

So sorry, I did not see this post… I only went looking for this thread when I discovered my own systems had stopped routing via ZT… I have managed a fix, but am still checking it out for stability, etc… In the addon I use to execute shell commands, “Advanced SSH & Web Terminal”, it allows you to enter additional package names to be loaded when the addon starts, on its ‘configuration’ page, so I added ‘iptables’ to the configuration, saved it, restarted the addon, and now routing works again… just change the commands back to use iptables and not iptables-nft…

I actually gave up on ZT, i couldn’t figure it out and gave tailscale a go and so far its been very reliable and just works without any configuration.

Thanks for the info though, hopefully someone will find it helpful, and it would be nice to have a backup plan