ZeroTier Network Join: Complete Configuration Guide
TL;DR (Quick Start)
For the impatient: here's the 30-second version.
    # Enable ZeroTier and join a network (then authorize in controller)
    /zerotier enable zt1
    /zerotier interface add network=YOUR_NETWORK_ID instance=zt1 name=zerotier1
    # After authorization, verify status
    /zerotier interface print
Overview
ZeroTier creates secure, encrypted virtual networks that span the globe, allowing devices to communicate as if they were on the same local network. Unlike traditional VPNs that require complex server infrastructure, ZeroTier uses a peer-to-peer architecture with automatic NAT traversal, making it ideal for connecting remote sites, IoT devices, and mobile users without exposing services to the public internet.
This guide covers joining a MikroTik RouterOS device to an existing ZeroTier network, understanding the underlying concepts, and troubleshooting common connectivity issues.
Understanding ZeroTier Architecture
The Network Hypervisor Concept
ZeroTier implements what they call a "network hypervisor" - a virtualization layer that creates Ethernet-like networks over the internet.
Key Components
Planet Servers: Global root servers that help nodes discover each other and facilitate initial connections. These are operated by ZeroTier Inc.
Network Controller: Manages network membership, assigns IP addresses, and distributes configuration. Can be ZeroTier's cloud service or self-hosted.
Virtual Network Interface: On RouterOS, this appears as zerotier1 (or similar) - a virtual Ethernet interface that handles encrypted packet encapsulation.
Node Identity: Each ZeroTier instance has a unique 40-bit address (like 879c0b5265) that serves as its cryptographic identity.
Network Types
Public Networks: Anyone can join (rarely used in production)
Private Networks: Require authorization from the network controller (recommended)
Prerequisites
- RouterOS 7.1rc2 or later
- ARM or ARM64 architecture device (x86 not supported)
- ZeroTier package installed
- Internet connectivity on UDP port 9993
- Access to ZeroTier network controller (my.zerotier.com or self-hosted)
- Network ID of the ZeroTier network to join
Understanding ZeroTier Networking
IP Address Assignment
ZeroTier networks can assign IP addresses in several ways:
- Managed Assignment: Controller assigns from a pool (most common)
- Manual Assignment: Administrator manually assigns specific IPs
- IPv6 Auto-assignment: RFC4193 or 6plane modes for IPv6
NAT Traversal and Connectivity
ZeroTier uses sophisticated NAT traversal techniques:
Direct Connection: When possible, nodes connect directly using UDP hole punching
Relayed Connection: If direct connection fails, traffic routes through planet servers
Local Network Discovery: Nodes on the same LAN can discover each other directly
Configuration Steps
Step 1: Install ZeroTier Package
Download and install the ZeroTier package (if not already installed):
    /system package print where name=zerotier
If not present, download from MikroTik's extra packages and reboot after installation.
Step 2: Enable ZeroTier Instance
Enable the default ZeroTier instance:
    /zerotier enable zt1
Step 3: Join Network
Join your ZeroTier network using the 16-character network ID:
    /zerotier interface add network=1d71939404912b40 instance=zt1 name=zerotier-main
Step 4: Configure Firewall Rules
Allow ZeroTier traffic through the firewall:
    /ip firewall filter add action=accept chain=input in-interface=zerotier-main place-before=0 comment="Allow ZeroTier management"
    /ip firewall filter add action=accept chain=forward in-interface=zerotier-main place-before=0 comment="Allow ZeroTier forwarding"
Verification
Check that the ZeroTier interface is created and attempting to connect:
    /zerotier interface print
Expected Output:
    Flags: R - RUNNING
     #   NAME           MAC-ADDRESS        NETWORK           NETWORK-NAME     STATUS
     0 R zerotier-main  42:AC:0D:0F:C6:F6  1d71939404912b40  modest_metcalfe  ACCESS_DENIED
Verify the interface receives an IP address after authorization:
    /ip address print where interface=zerotier-main
Expected Output (after authorization):
    Flags: D - DYNAMIC
     #   ADDRESS             NETWORK        INTERFACE
     0 D 192.168.192.105/24  192.168.192.0  zerotier-main
Network Authorization Process
For Private Networks
If the network is private (recommended), you must authorize the device:
- Check Node Address:
    /zerotier print
  Note the identity (first 10 characters, e.g., 879c0b5265)
- Authorize via Controller:
  - Log into my.zerotier.com (or your controller)
  - Navigate to your network
  - Find the new node in the members list
  - Check the "Authorized" checkbox
  - Optionally assign a specific IP address
- Verify Authorization:
    /zerotier interface print
  Status should change from ACCESS_DENIED to OK
Understanding Member Status
ACCESS_DENIED: Node is not authorized (private networks only)
OK: Node is authorized and connected
NOT_FOUND: Network ID doesn't exist or node can't reach controller
PORT_ERROR: Local port conflict (rare)
CLIENT_TOO_OLD: ZeroTier version incompatible
Advanced Configuration
Allowing LAN Access Through ZeroTier
To allow ZeroTier clients to access your local LAN:
- Add route in ZeroTier controller pointing your LAN subnet to this router's ZeroTier IP
- Configure source NAT (if needed):
    /ip firewall nat add chain=srcnat out-interface=ether2 src-address=192.168.192.0/24 action=masquerade comment="ZeroTier to LAN access"
Multiple Network Membership
Join multiple ZeroTier networks:
    /zerotier interface add network=8056c2e21c000001 instance=zt1 name=zerotier-work
    /zerotier interface add network=a09acf0233000002 instance=zt1 name=zerotier-home
Each network gets its own virtual interface and IP address space.
Custom Instance Configuration
Create additional ZeroTier instances for isolation:
    /zerotier add name=zt-isolated port=9994
    /zerotier enable zt-isolated
    /zerotier interface add network=your-network-id instance=zt-isolated
Troubleshooting
Problem: Status shows "ACCESS_DENIED"
Cause: Network is private and node isn't authorized
Solution:
- Verify network ID is correct
- Check authorization in network controller
- Wait up to 60 seconds for status to update
Problem: Status shows "NOT_FOUND"
Cause: Network doesn't exist or connectivity issues
Solution:
- Verify network ID (case-sensitive, exactly 16 characters)
- Check internet connectivity:
    /ping 8.8.8.8
- Verify UDP port 9993 isn't blocked
Problem: Can't ping other ZeroTier nodes
Cause: Firewall blocking traffic or routing issues
Solution:
- Check firewall rules allow ZeroTier interface
- Verify both nodes are authorized on the network
- Test with:
    /ping [remote-zerotier-ip] interface=zerotier-main
Problem: High latency or packet loss
Cause: Connection is being relayed through planet servers
Solution:
- Check if direct connection is possible:
    /zerotier peer print
- Look for "RELAY" in path - indicates relayed connection
- Consider network configuration (symmetric NAT, firewall rules)
- Enable UPnP/NAT-PMP on router if possible
Problem: ZeroTier interface doesn't get IP address
Cause: Network controller not assigning managed IPs
Solution:
- Check network settings in controller
- Verify "Auto-Assign from Pool" is enabled
- Manually assign IP in controller if needed
- Check if IP pool is exhausted
Useful Debug Commands
    # Check ZeroTier instance status
    /zerotier print detail
    # View peer connections and paths
    /zerotier peer print
    # Monitor interface statistics
    /interface monitor zerotier-main
    # Check routing table for ZeroTier routes
    /ip route print where gateway~"zerotier"
    # View ZeroTier-specific firewall hits
    /ip firewall filter print stats where comment~"ZeroTier"
Security Considerations
Network Isolation
ZeroTier interfaces should be treated like any other network interface:
    # Restrict ZeroTier access to specific services
    /ip firewall filter add chain=input in-interface=zerotier-main protocol=tcp dst-port=22 action=accept comment="SSH from ZeroTier"
    /ip firewall filter add chain=input in-interface=zerotier-main protocol=tcp dst-port=80 action=accept comment="HTTP from ZeroTier"
    /ip firewall filter add chain=input in-interface=zerotier-main action=drop comment="Block other ZeroTier access"
Private Network Best Practices
- Always use private networks for production
- Regularly audit network members and remove unused devices
- Use descriptive member names in the controller
- Consider network segmentation for different device types
- Monitor connection logs for suspicious activity
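RouterOS evaluates filter rules top to bottom and the first terminating match decides, so the order in which the Step 4 rules and the Network Isolation rules land in the table determines what ZeroTier peers can actually reach. The following is an added example (not part of the original guide and not RouterOS tooling): it loads both rule sets exactly as written on this page into an ordered table, reports rules that can never fire, and evaluates a sample packet. The helper names and the constructed Telnet test packet are illustrative, and only exact-match conditions are handled.

```python
import shlex

NON_MATCH = {"action", "chain", "comment"}   # every other key is a match condition
TERMINAL = {"accept", "drop", "reject"}      # actions that stop rule processing

# Constructed input: Step 4 rules, then the Network Isolation rules, as on this page.
PAGE_RULES = '''
/ip firewall filter add action=accept chain=input in-interface=zerotier-main place-before=0 comment="Allow ZeroTier management"
/ip firewall filter add action=accept chain=forward in-interface=zerotier-main place-before=0 comment="Allow ZeroTier forwarding"
/ip firewall filter add chain=input in-interface=zerotier-main protocol=tcp dst-port=22 action=accept comment="SSH from ZeroTier"
/ip firewall filter add chain=input in-interface=zerotier-main protocol=tcp dst-port=80 action=accept comment="HTTP from ZeroTier"
/ip firewall filter add chain=input in-interface=zerotier-main action=drop comment="Block other ZeroTier access"
'''

def parse_rules(script):
    """Build the ordered filter table; place-before=N inserts, otherwise append."""
    table = []
    for line in script.strip().splitlines():
        tokens = shlex.split(line)               # keeps quoted comments together
        if tokens[:4] != ["/ip", "firewall", "filter", "add"]:
            continue
        rule = dict(t.split("=", 1) for t in tokens[4:])
        pos = rule.pop("place-before", None)
        table.insert(len(table) if pos is None else int(pos), rule)
    return table

def covers(rule, target, chain):
    """True if every condition of a terminating `rule` also holds for `target`."""
    return (rule["chain"] == chain and rule["action"] in TERMINAL and
            all(target.get(k) == v for k, v in rule.items() if k not in NON_MATCH))

def verdict(table, packet):
    """First-match evaluation of one packet (dict of chain plus match fields)."""
    for rule in table:
        if covers(rule, packet, packet["chain"]):
            return rule["action"], rule.get("comment", "")
    return "accept", "(no rule matched)"   # unmatched packets are accepted

def shadowed(table):
    """(rule, earlier rule) pairs where the earlier rule always matches first."""
    return [(later.get("comment", ""), earlier.get("comment", ""))
            for i, later in enumerate(table)
            for earlier in table[:i]
            if covers(earlier, later, later["chain"])]

if __name__ == "__main__":
    table = parse_rules(PAGE_RULES)
    telnet = {"chain": "input", "in-interface": "zerotier-main", "protocol": "tcp", "dst-port": "23"}
    print(verdict(table, telnet), shadowed(table))
```

With the Step 4 input rule removed from the table, `shadowed` returns an empty list and the same packet reaches the final drop rule.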
Firewall Integration
ZeroTier traffic appears as regular network traffic once decrypted:
    # Allow specific ZeroTier subnets only
    /ip firewall address-list add list=zerotier-allowed address=192.168.192.0/24
    /ip firewall filter add chain=forward src-address-list=zerotier-allowed action=accept
Common Use Cases
Remote Site Connection
Connect branch offices without complex VPN setup:
- Each site joins the same ZeroTier network
- Configure routing to allow inter-site communication
- Use ZeroTier for management traffic, local internet for user traffic
IoT Device Management
Securely manage IoT devices across multiple locations:
- Devices join ZeroTier network for management
- No need to expose SSH/HTTP to internet
- Centralized monitoring and configuration
Mobile Worker Access
Provide secure access to company resources:
- Mobile devices join company ZeroTier network
- Access internal services without traditional VPN complexity
- Works seamlessly across different internet connections
Performance Optimization
Connection Quality
Monitor connection paths to optimize performance:
    /zerotier peer print
Look for:
- "active,preferred" indicates good direct connection
- "RELAY" indicates suboptimal relayed connection
- Latency values for connection quality assessment
MTU Considerations
ZeroTier adds encryption overhead. Default MTU is 2800 but may need adjustment:
    /interface set zerotier-main mtu=1400
Test with different MTU sizes if experiencing fragmentation issues.
Related Topics
VPN Alternatives
- WireGuard VPN - modern peer-to-peer VPN
- WireGuard Site-to-Site - RouterOS native WireGuard
- IPsec IKEv2 - enterprise VPN standard
- L2TP VPN Server - legacy VPN option
Prerequisites
- Package Installation - install ZeroTier package
- Firewall Basics - allow ZeroTier traffic
Network Configuration
- Static Routes - routing through ZeroTier network
- NAT - masquerade for LAN access
- Bridge Configuration - Layer 2 ZeroTier integration
Security
- IP Services - management access restrictions
- Firewall Address Lists - ZeroTier subnet control