Telling ZeroTier not to use Peering LANs for traffic

So, I use ZeroTier as my Layer 2 mesh network between VMs and physical hosts, and this morning I got a message telling me I was sending non-allowed traffic over the DE-CIX VLAN. This was news to me, but after some digging, and help from Marek over at Vserver.Site, I found out it was ZeroTier traffic causing the problem. ZeroTier, by its nature, will try to use every NIC on a machine to find an internet connection, but if one of those NICs is on a peering VLAN, you do not want that to happen.

So, after more digging, I found ZeroTier's "Local Configuration File". It includes some features I did not know about, including how to put subnets and interfaces on a "blacklist" so that ZeroTier will not use them.

I won't reproduce the whole config file here, but I will give some tips and explain what I have done. First, on Debian and Ubuntu the file lives at /var/lib/zerotier-one/local.conf. If the file does not exist, you can create it. It is a standard JSON file. What I ended up adding was, under "physical", an entry for the IP range of each IX peering LAN the box is connected to, marked as blacklisted. Under "settings", I also set interfacePrefixBlacklist to the list of interfaces connected to the IXes. An example is below:

This is the example for my machine connected to DE-CIX. ens19, ens20 and ens21 are connected to the peering VLANs in Munich, Düsseldorf and Hamburg. Given that I have stopped sending bad IPv6 traffic, my guess is that only the interfacePrefixBlacklist is required, but I added the IP ranges too, just in case. I should probably include the IPv6 ranges here as well.

When you make those changes, a restart of the ZeroTier service is required, as local.conf is only read at startup. And that is that. After Marek did some checks and was happy it was fixed, I was allowed back on the IX.
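The local.conf shape the post describes, plus a check that the blacklist actually took effect, as an added example: this is not the post's own config file (which is not reproduced here) and not ZeroTier project code. The interface names are the post's; the IX prefixes are RFC 5737 / RFC 3849 documentation ranges standing in for the real IPv4 and IPv6 peering-LAN ranges, the `listpeers` output is a constructed sample, and the function names are chosen here. It also covers the IPv6 ranges the post says it should have included.

```python
"""Build a ZeroTier local.conf that blacklists peering-LAN interfaces and
prefixes, and check `zerotier-cli -j listpeers` output for paths that still
use those prefixes.  Added example, not the original post's file.
"""
import ipaddress
import json
from pathlib import Path
from typing import Optional

LOCAL_CONF = Path("/var/lib/zerotier-one/local.conf")  # Debian/Ubuntu location

# Interfaces from the post.  The prefixes are placeholders (assumption): RFC 5737
# / RFC 3849 documentation ranges standing in for each IX's v4 and v6 peering LAN.
IX_INTERFACES = ["ens19", "ens20", "ens21"]
IX_PREFIXES = [
    "192.0.2.0/24", "2001:db8:1::/64",      # placeholder: Munich
    "198.51.100.0/24", "2001:db8:2::/64",   # placeholder: Düsseldorf
    "203.0.113.0/24", "2001:db8:3::/64",    # placeholder: Hamburg
]


def build_local_conf(existing: Optional[dict], interfaces, prefixes) -> dict:
    """Merge blacklist entries into an existing local.conf dict (or a new one).

    "physical" maps a CIDR to per-prefix options ("blacklist": true here);
    "settings" holds global options, including interfacePrefixBlacklist, which
    is a *prefix* match on the interface name.  Keys already present are kept.
    """
    conf = dict(existing or {})
    physical = dict(conf.get("physical", {}))
    for cidr in prefixes:
        net = ipaddress.ip_network(cidr, strict=True)  # reject sloppy CIDRs early
        entry = dict(physical.get(str(net), {}))
        entry["blacklist"] = True
        physical[str(net)] = entry
    conf["physical"] = physical

    settings = dict(conf.get("settings", {}))
    names = list(settings.get("interfacePrefixBlacklist", []))
    for ifname in interfaces:
        if ifname not in names:
            names.append(ifname)
    settings["interfacePrefixBlacklist"] = names
    conf["settings"] = settings
    return conf


def write_local_conf(conf: dict, path: Path = LOCAL_CONF) -> None:
    """Write the file; zerotier-one reads it only at startup, so restart after."""
    path.write_text(json.dumps(conf, indent=2) + "\n")


def paths_on_blacklisted_prefixes(listpeers_json: str, prefixes):
    """Return (peer address, path address) pairs from `zerotier-cli -j listpeers`
    whose physical path falls inside a blacklisted prefix.  A non-empty result
    after the restart means ZeroTier is still talking across a peering LAN.
    Path addresses are formatted "ip/port" for both v4 and v6."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    hits = []
    for peer in json.loads(listpeers_json):
        for path in peer.get("paths", []):
            host, _, _port = path["address"].rpartition("/")
            ip = ipaddress.ip_address(host.strip("[]"))
            if any(ip in n for n in nets):
                hits.append((peer["address"], path["address"]))
    return hits


# Constructed sample of `zerotier-cli -j listpeers`, not captured output.
SAMPLE_LISTPEERS = json.dumps([
    {"address": "1d719d4a65", "role": "LEAF",
     "paths": [{"address": "192.0.2.77/9993", "active": True},
               {"address": "2001:db8:3::77/9993", "active": False}]},
    {"address": "8bd5124fd6", "role": "PLANET",
     "paths": [{"address": "100.64.0.9/9993", "active": True}]},
])


if __name__ == "__main__":
    existing = json.loads(LOCAL_CONF.read_text()) if LOCAL_CONF.exists() else None
    conf = build_local_conf(existing, IX_INTERFACES, IX_PREFIXES)
    print(json.dumps(conf, indent=2))       # review, then write_local_conf(conf)
    print(paths_on_blacklisted_prefixes(SAMPLE_LISTPEERS, IX_PREFIXES))
```

Run it as root to write the file, then `sudo systemctl restart zerotier-one` (local.conf is only read at startup), then feed the output of `zerotier-cli -j listpeers` to `paths_on_blacklisted_prefixes`: an empty list means no peer path is sitting on an IX prefix. Two caveats: interfacePrefixBlacklist is a prefix match, so a short entry such as "ens1" would also blacklist ens10 through ens19; and the checker only sees paths ZeroTier has learned, so keep the prefix blacklist as well as the interface one rather than relying on either alone.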

AS204994

site of AS204994.net


By tiernano, 2019-11-25