I just got myself a hAP ac2 and put zerotier on, followed your guide, put in a couple of routes, now I can access my NAS and raspberry pi from anywhere from my phone etc. I am really pleased.
next I'll set it up for my wireshark packet capture devices and raspberry pi drop boxes.😀
Amazing tutorial, I hope the next video will be how to set up the Zerotier controller on RouterOS
One thing is missing :) for this to work you need to enable managing on the zerotier interface. Mine was off by default. Also if you want to route traffic both ways you can change the NAT masquerade setting to have ALL as output interfaces. These settings made it work for me.
I can't get traffic to go both ways! Can you tell me how you did it?
I’ve had opnsense running in a VM with routes in my CCR2004 to get to ZT, was happy to replace it with the new ZT integration in routerOS, and it’s been working amazing
I've been using ZT since it was available in ROS 7, it has a lot of potential! Downside is that there is no hardware encryption available at least on ARMv7 (32bit) and the CPU gets overloaded quickly delivering low throughputs. I had no chance to test it on ARMv8 (64bit) so far, hopefully it performs better.
Have you tried latest versions? We see 0% CPU use in idle, and only slight increase with traffic. Also, try to direct only needed traffic through it, not all of it.
if you have a small 1u rackmount XEON server, load router OS on a VM, allocate enough CPU power, and use that as your gateway from outside... especially if you have access to multiple static IPs from your ISP... you can setup OSPF from your main router to deal with whatever device IP is needed from the ZT VM Router... if you have a better solution, please teach me haha
@@mikrotik I always use latest versions. The issue isn't CPU usage when idle, it is CPU usage when transferring data via ZT due to encryption. It seems that there is no hardware offloading available as in IPSec and that's a pity. For example, using a hAP ac2 I cannot squeeze more than 20mbps via ZT because the CPU stresses out.
I tested RB5009 and could saturate 0.5 Gbit line with zerotier traffic. I think it can even do 1 Gbit since the CPU usage was below 50%.
@@deafno thanks for sharing :)
This was a helpful information and it's easy to use it as well. please add to the other mikrotik versions not only version 7 thank you so much
Amazing tutorial
please, bring this feature to more routers
Next please implement Tailscale as well! I’ve found it to be much more reliable and user-friendly than Zerotier.
Tailscale should run on each device, not on the router.
@@mikrotik Agreed, but when using containers on the same router, tailscale will help exposing them directly into the tailnet in addition to the LAN.
For ex. PiHole container can be both LAN and tailnet DNS server by putting router’s Tailscale IP address in the tailscale settings.
@@mikrotik OPNSense can implement Tailscale
the version of zerotier on tik is slightly old? also, how do we implement policies when running the self hosted controller? It seems that a couple of features are missing, otherwise this is a great package. And yes, as others have said there appears to be no h/w acceleration
I think ZeroTier should be positioned as WAN network, and you should use a secured tunnel (IPSec for instance) over this connection.
Why? Zerotier is already encrypted
@@mikrotik Oh, Ok
@@mikrotik But it's a third-party service which who knows what can do with the traffic, right?
@@gosich No. The cloud part is for connecting, not for all traffic. Also, you can set up your own servers and not use the zerotier cloud system.
@@chumly8596 even if all traffic doesn't go through the cloud, some communication is happening, and you can't be sure what exact information can be passed to their servers. Ability to use own server is nice, but that will defeat the advantage of simplicity of this type of VPN.
Really nice and helpful... Thanks!
I would love to see Tailscale support added to MikroTik as well.
Tailscale is normally used on each end point device, not on the router
@@mikrotik Thanks for the quick reply. That's a totally valid point. It's just the competition (pfSense, OpenWRT comes to my mind) already supports running Tailscale. The one thing I absolutely loved about Tailscale is just how easy it is to run exit node (it's just pressing two or three buttons and you're done!)
I can understand that supporting yet another feature on RouterOS isn't as straightforward as it may sound.
Perhaps consider making a video on how to setup exit nodes on Zerotier and funneling your devices traffic running behind MikroTik through your chosen node.
BROOO thankyou so much, this really helped and the tutorial was really easy to use as well :)
I use zerotier since the very implementing controller functionality on hap ac3
How many resources does the controller consume? Did controller discovery by other nodes work for you?
@@crestdazoltral7705 My case is bridging physical interfaces with zerotier controller node, under load 10% max cpu consumption
@@crestdazoltral7705 since I pushed zerotier controller node interface to LAN, device discovery works as well
Woah, great video mate!
CCR1xxx are on TILE cpu... not ARM. We can use WireGuard + VxLAN or old school BCP+EoIP. But WG often stops communication and cannot be used for now as production (SUP-94949)
Never seen WG stop on any system. Can you test it on another device? Maybe the cause is outside the router
We need x86 Zerotier , Thank you !
I need that
YES!
Do you have a date for releasing ZT for CHR on x86?
It’s only planned for ARM
@@mikrotik Are you kidding me? Why is there no integration planned in the CHR? In my opinion, ZeroTier is an important function for the CHR.
CHR support? Someday? It’s in the release notes. But when?
Is it possible to add managed routes if you use Mikrotik as a controller?
What to do if I'm trying to ping devices on the ZT network and there is just packet loss or I can't ssh into the Mikrotik router
Would this be a good (the best/recommended) solution to enabling remote management/access to a fleet of MikroTik LTE devices (with cgnat addresses)?
Excellent idea. Certainly less configuration and more control than manually managing tons of tunnels, or using plain TR069
@@mikrotik but not compatible with our wAP & SCT devices - shame
You can alternatively set an ovpn or wg tunnel client to your server, and then access devices remotely through that tunnel.
Not sure what is "SCT", but "wAP ac" is ARM based, so it's compatible with ZT.
Is it possible to route all the traffic of one pc through another one?
I managed to see my home PC at the office using ZeroTier but I could not route all the office traffic through my PC at home.
Hello, thanks for the video, I have a question, can I send a Wake on Lan to my Synology NAS in this way? Thank you.
Zerotier is 👍
ZT seems great but the performance vs WireGuard seems very low :(
Is WG the only solution for a good performance?
In what way is performance low? In megabits, or in CPU usage? Zerotier needs a little bit of time to find the optimal path between networks. It could be slow in beginning, but will become faster later. It's not a direct tunnel between networks, it goes in different paths than regular VPN
Just use ZT for layer 2 management network and not production traffic
And when do you estimate ZEROTIER becoming available to your TILE CCR units?
Only ARM. CCR is also ARM now.
@@mikrotik Fair enough. But you have a legion of Tilera CCR units out there, a lot of which are quite recent, that you have condemned as out of the ZEROTIER game .. A quick search on your site for routers based on TILE (using the filter) still shows up the following Ethernet routers - CCR1009-7G-1C-PC, CCR1009-7G-1C-1S+, CCR1009-7G-1C-1S+PC, CCR1016-12G, CCR1016-12S-1S+, CCR1036-12G-4S, CCR1036-8G-2S+, CCR1036-12G-4S-EM, CCR1036-8G-2S+EM, CCR1072-1G-8S+.
Yes, but some of the new features are developed for newer models only
@@mikrotik Why not x86, that should be the easiest one, or just for FINANCIAL concern?
TILE is dead. RIP. Shed a tear and move on.
Will it support in hAP lite and can i access the LAN devices remotely from anywhere ?
Dear, @Mikrotik, I have tried installing zerotier on my mikrotik crs326 ARM device with routeros version 7.11.2, i load the package and when i reboot the device on the next start i don't see the menu of zerotier...where is the problem?
what about IPv6? Will it work with IPv6, if I only have an IPv6 on my MikroTik WAN Interface (no native IPv4) and will it connect from anywhere to my locally NAS, which is behind my Mikrotik RouterOS? Thanks for your great work and information in your videos!
Of course, in my.zerotier.com there are plenty of options to automatically set up IPv6
ZeroTier works over IPv6 (including v6 only) only and can provide IPv6 (again including v6 only) addressing. It has a special automatic addressing scheme to derive a per node /128 address from the network and node ID. This addressing mode avoids the costs of next hop resolution (NDP/ARP proxying, multicast or in the worst case broadcasts) by embedding the node ID into the IPv6 host addresses. Combined with filter rules to allow only unicast traffic between the provisioned addresses this allows scaling to very large networks by avoiding the control plane "chatter" normally required to provide a convincing Ethernet overlay. It's perfect for management via SSH or (encrypted) API, but won't support your old local multiplayer games.
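The per-node /128 derivation described in the reply above, as an added example that is not part of the original comments or of MikroTik's or ZeroTier's code. It assumes ZeroTier's RFC4193 assignment mode (byte `fd`, the 64-bit network ID, the bytes `99 93`, then the 40-bit node ID) and goes one step further by mapping logged source addresses back to node IDs and checking them against a member list; the network ID, node IDs and addresses are constructed sample values.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Set, Tuple

# Fixed bytes ZeroTier places between network ID and node ID in RFC4193 mode.
RFC4193_MARKER = b"\x99\x93"


def _prefix_bytes(network_id: str) -> bytes:
    """Return the 11 leading bytes shared by every member address of a network."""
    nwid = bytes.fromhex(network_id)
    if len(nwid) != 8:
        raise ValueError("network ID must be 16 hex digits (64 bits)")
    return b"\xfd" + nwid + RFC4193_MARKER


def zt_rfc4193_address(network_id: str, node_id: str) -> ipaddress.IPv6Address:
    """Derive the /128 a node receives from the network ID and its node ID."""
    node = bytes.fromhex(node_id)
    if len(node) != 5:
        raise ValueError("node ID must be 10 hex digits (40 bits)")
    return ipaddress.IPv6Address(_prefix_bytes(network_id) + node)


def zt_network_prefix(network_id: str) -> ipaddress.IPv6Network:
    """The /88 covering all member addresses, usable as a filter-rule match."""
    return ipaddress.IPv6Network((_prefix_bytes(network_id) + bytes(5), 88))


def node_id_from_address(addr: str, network_id: str) -> Optional[str]:
    """Recover the embedded node ID, or None if addr is outside the network."""
    raw = ipaddress.IPv6Address(addr).packed
    if not raw.startswith(_prefix_bytes(network_id)):
        return None
    return raw[11:].hex()


def audit_sources(sources: Iterable[str], network_id: str,
                  authorized: Set[str]) -> Dict[str, Tuple[Optional[str], str]]:
    """Classify logged source addresses against the authorized member list."""
    allowed = {n.lower() for n in authorized}
    report = {}
    for src in sources:
        node = node_id_from_address(src, network_id)
        if node is None:
            verdict = "outside-network-prefix"
        elif node in allowed:
            verdict = "authorized"
        else:
            verdict = "unknown-node"
        report[src] = (node, verdict)
    return report


# Constructed sample values, not taken from the page or any real network.
SAMPLE_NETWORK = "a1b2c3d4e5f60718"
SAMPLE_MEMBERS = {"0123456789"}
SAMPLE_LOG_SOURCES = [
    "fda1:b2c3:d4e5:f607:1899:9301:2345:6789",  # member 0123456789
    "fda1:b2c3:d4e5:f607:1899:93de:adbe:ef01",  # right prefix, unlisted node
    "fd00::1",                                  # not derived from this network
]

if __name__ == "__main__":
    print(zt_rfc4193_address(SAMPLE_NETWORK, "0123456789"))
    print(zt_network_prefix(SAMPLE_NETWORK))
    for src, result in audit_sources(SAMPLE_LOG_SOURCES, SAMPLE_NETWORK,
                                     SAMPLE_MEMBERS).items():
        print(src, result)
```

Because the node ID sits in the low 40 bits, a source address inside the /88 that maps to a node ID missing from the member list stands out immediately in firewall logs.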
What is the work-around if some country's government blocks access to the Zerotier web site / portal?
No support on CHR - no have sense for use zerotier in production ...
great, I just installed one
Can I use zerotier to send API commands to NAS behind private network ?
Of course. It makes possible to communicate between any devices in different networks
Is it possible to install the ZeroTier package on the model: MIKROTIK HAP AC2 (RBD52G-5HACD2HND-TC) where the processor architecture is: ARM32 bit?
yes
Please update the version of ZT in the Mikrotik package. The current version of ZT is now 1.12.2, and in Mikrotik it is still 1.10.3
Will it be available for CHR on x86?
ARM only
@@mikrotik why this limitation? how it can be implemented on x86?
@@mikrotik do you have any plans? or advice?
My advice is to get an ARM based MikroTik device to have all the latest features and best performance. A lot of effort is going into development for ARM now.
@@mikrotik the problem is that CHR is in the data center and I can’t place arm device here
Dear, @Mikrotik, I have tried installing zerotier on my mikrotik CCR1009-7G-1C-1S+ i have failed is there a way of going about it. Have tried two methods, upgrading to RouterOs 7.7 , have also tried uploading it from the extra packages. To no avail. What am i missing here.🤔🤔
Any plans to integrate in version 6?
Great! Every routerboards that I used in my customer's are RB750Gr3. So now, I will need to buy a new RB ARM model to each customer to use this feature. Congratulations Mikrotik!!
For each purpose, an appropriate hardware is needed. Lower end devices could not have enough resources for all more advanced features.
It's not MTs fault really - the ZT provides the client and decides what CPUs are supported.
@@mikrotik What do you recommend that's comparable to the HEX's performance/price, that can run ZT?
RB3011 is great and more affordable, there is also RB4011 and RB5009 but more expensive. hAP ac² is cheaper, has wireless, but has less ports.
@@mikrotik HEX/HEX S MSRP is $60/80. All the RB models you mentioned have MSRP between $180-220. MSRP for the HAP AC2 is $80. And both HEX and HAP AC2 have 5 ethernet ports, what do you mean it has less ports? I guess the only thing that meets the criteria I asked about is the HAP AC2.
It's too bad the CCR1000 series can't run ZT either.
What is the cheapest RB that I can run ZeroTier on?
mikrotik.com/product/hap_ax_lite
mikrotik.com/product/hap_ac2
What are the pros and cons comparing to wireguard?
Not bad. I liked the bot. I launched it, but I don't understand how to set it up
I can integrate this with Radius (Active Directory > NPS) ?
I can create firewall rules for separate ZT users ?
Yes, in the ZT portal there is a firewall section called "Flow rules" where you can define a lot of interesting restrictions.
Hi can somebody help me? when i try to apply the 2 commands for firewall I get the message "no such item"
Am using mikrotik rb951 ver 6.43.8 where can i find Zerotier package arm64 for it? Please anyone SOS.....
can you install ZT on v 6.49.13 mikrotik router ?
will this work on my Haplite sir?
now i am in a good mood
i used it on my hap ac3 but the speed was bad. did you improve it?
I use it on a hap ac3 and its throughput is as max as ISP could give me
same here with any arm hardware. speed very slow only when i install zt on mikrotik and push the lan route in zt web gui. if i install zt agent directly in every workstation without routes then works fine. any ideas??
@@unaibas4676 I configured a controller node within the router itself +bridged network, it does the job for me without any bottlenecks
I get stuck on status "Requesting_Configuration", any solution?
I'm in this situation too. Did you manage to solve it?
@@copinha_online maybe need approve in zerotier management
CCR Tile?
I've noticed in 7.2.1 that ZeroTier used 25% of CPU on HAP AC^3, even there was no traffic in that interface. Did someone else notice that?
Under heavy traffic load or also when idle? It shows 0.1% CPU at most in my device when looking in Tool Profile
@@mikrotik That was when idle. Then when I turned off ZeroTier interface CPU usage decreased to 1-2%. Now, on 7.5 it's working fine.
I don't like how ZT relies on a cloud service. When it comes to networks, I want to handle everything myself. Trusting a cloud provider for your networking seems as smart as trusting Russia for your gas supplies.
As mentioned in the video, MikroTik offers to host the controller yourself. Check the manual link
Day 2 of asking Mikrotik to make a tutorial for their usermanager :)
If we do, we will do it for user manager in v7
@@mikrotik Yes please ❤ because the wiki is lacking information and there isn't a lot of info on the forums
What about Zerotier package for 6.48.x?
There is no more development on v6, all new features are added only to v7
Could you please make it so you don't have to reboot a router to install something?
I followed this video exactly. I can see my router and desktop in zerotier central, they have assigned ips, I did the routing correct and added the firewall rule. Yet.. I cannot ping my router from my remote desktop, nor does it pass any traffic. Anyone else run into this problem? Thanks in advance.
Send us your RIF file to support@mikrotik.com and we will check
cool
No support on gr3
Mikrotik HAP AC2 (Arm) zerotier not connecting.
Mikrotik setup totally in bridge mode and no firewall rules. Zerotier online on device for a day then it still shows connected in the Zerotier panel but cannot ping to device or from device. disabling zerotier instance and re enabling it only show requesting information private. deleting instance has the same effect. I can only upgrade and after the restart it will re connect for one more day. after that I will need to downgrade the O.S (From 7.6 to 7.4.1) re install zerotier and then it connects again. I suspect network issues as I have the same problems on other of the same carrier on windows 10 and windows 11. Those however I have a task scheduler to disable service and re enable after 15min which then works. However not all clients on same carrier have the issue. I have multiple other clients using same Mikrotik or windows clients that work without problems. carrier support just says they do not have anything that can cause this problem.
thx
using winbox on macos and yet no official release
Using Wine64. We have a video about it. Works great
@@mikrotik gotcha
✔ 'Allow Managed'
develop for x86 plzzzzzz
I see no sense using ZT? I can do the same with any VPN and WITHOUT having a Man-in-the-Middle (ZT) which Hole-Punches any Firewall.
Because of nearly no configuration needed - simple. Also, how will you do the same with a VPN if both networks have private dynamic IP addresses?
Need multipath mikrotik
I downloaded everything is okay
You don't listen to audio which is published - please use something like Elgato if you don't edit audio and use oversensitive microphones. So many videos are ruined here :/
What exactly is the problem? The audio sounds fine on several types of devices - our studio monitors, a laptop, a regular PC with a Bluetooth speaker. Not sure what you mean..?
no. have not.
I put the zerotier.npk in and restarted the router but I still don't have the zerotier tab
will that work if the routeros device is used in AP mode, just extending my existing wifi. only to be at the local LAN from outside of home.