Corporate Firewalls
There are 3 classes of nodes in a working ZeroTier system: the roots, a controller, and your devices. Your devices need to be able to communicate directly with each other. ZeroTier uses UDP hole punching to do this. It's a similar process to VoIP STUN/TURN. The difficulty for strict firewall configurations is that the my.zerotier.com controllers and your devices are on dynamic IP addresses and listen on random UDP ports.
Default zerotier-one listening ports are:
9993
Secondary port, randomized at each startup and after the node has been "offline" for too long.
Random port for UPnP and NAT-PMP (UPnP or NAT-PMP is not required for ZeroTier hole punching to work).
For best results, a device needs to be able to send to any IP address on any UDP port. If you allow outgoing traffic from source port 9993 and the related incoming return traffic, it'll probably work OK.
If the NAT type is "symmetric", "strict" or "endpoint dependent mapping" (each vendor uses different terminology), it will be difficult to make direct connections.
Look for Full Cone NAT, options related to VoIP, persistent NAT, Endpoint Independent Mapping, etc…
Ask your vendor. Let us know what works.
Here's a table of the likelihood of a direct connection between two types of NAT:
And a network diagram:

How do I know if I'm behind a Difficult NAT?
Check zerotier-cli info -j and look at the surfaceAddresses. If that list is growing, you may be behind a difficult NAT.
Check zerotier-cli peers and see if connections to peers you care about are "relayed".
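As an added diagnostic (not ZeroTier's own code or documentation), the script below applies the two checks above to constructed copies of zerotier-cli info -j and zerotier-cli peers -j output. The JSON layout it assumes (surfaceAddresses under config.settings, the "ip/port" string format, and the role/paths/active/expired fields of each peer) is taken from 1.x output rather than from this page, and the ports-per-IP heuristic is ours.

```python
import json

# Constructed sample of `zerotier-cli info -j`; the config.settings location
# of surfaceAddresses and the "ip/port" string format are assumptions.
SAMPLE_INFO = json.dumps({"address": "abcdef1234", "config": {"settings": {
    "primaryPort": 9993, "surfaceAddresses": [
        "203.0.113.10/41234", "203.0.113.10/41235", "203.0.113.10/41236",
        "203.0.113.10/41237", "203.0.113.10/41238"]}}})

# Constructed sample of `zerotier-cli peers -j`; the role/paths/active/expired
# fields are assumed from 1.x output, not taken from the page.
SAMPLE_PEERS = json.dumps([
    {"address": "1111111111", "role": "PLANET",
     "paths": [{"address": "198.51.100.1/9993", "active": True, "expired": False}]},
    {"address": "2222222222", "role": "LEAF",
     "paths": [{"address": "192.0.2.5/9993", "active": True, "expired": False}]},
    {"address": "3333333333", "role": "LEAF", "paths": []},
    {"address": "4444444444", "role": "LEAF",
     "paths": [{"address": "192.0.2.9/9993", "active": False, "expired": True}]},
])

def surface_addresses(info_json):
    """Externally observed ip/port pairs the node has learned about itself."""
    return json.loads(info_json)["config"]["settings"]["surfaceAddresses"]

def ports_per_ip(addrs):
    """Distinct external ports seen per public IP. A symmetric (endpoint
    dependent) NAT allocates a fresh mapping per destination, so one IP keeps
    sprouting new ports and the list grows from snapshot to snapshot."""
    seen = {}
    for a in addrs:
        ip, _, port = a.rpartition("/")
        seen.setdefault(ip, set()).add(port)
    return {ip: len(p) for ip, p in seen.items()}

def suspect_difficult_nat(addrs, max_ports=3):
    """Our heuristic, not ZeroTier's: more than max_ports ports on one IP."""
    return any(n > max_ports for n in ports_per_ip(addrs).values())

def relayed_peers(peers_json):
    """LEAF peers with no active, unexpired path are being relayed via roots."""
    relayed = []
    for p in json.loads(peers_json):
        if p.get("role") != "LEAF":
            continue  # roots (PLANET/MOON) are the relays themselves
        direct = any(x.get("active") and not x.get("expired") for x in p.get("paths", []))
        if not direct:
            relayed.append(p["address"])
    return relayed
```

On a live node, feed the real command output to the same functions and compare two snapshots taken a few minutes apart, since the page's own test is whether the surfaceAddresses list keeps growing.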
Tip: See also Router Configuration Tips.
Vendor Specific Tips
Palo Alto
If you are behind a Palo Alto, you will need some kind of ZeroTier bastion. As far as we know, there's no way to enable endpoint independent mapping. Contact us for help.
See below for some ideas.
PAN-OS 10.1.7 and above have a Persistent NAT feature. Please let us know if this improves your ZeroTier connections.
OPNSense and pfSense
Nodes behind these BSD-based firewalls will probably have trouble making direct connections with the default settings. See the OPNsense article.
Juniper
Use persistent NAT. See the forum post.
SonicWall
A common cause of relaying. We haven't seen the SonicWall UI in quite some time. The setting may be called "Consistent NAT."
I can't change my Firewall or NAT
Here are a few options:
ZeroTier Router
One simple solution is to statically port forward to one ZeroTier node and use that node as a route between the ZeroTier and physical networks.
TCP relay
If your physical network won't let any UDP flow, host a TCP relay service somewhere physically close to your LAN, for example in a DMZ or in a datacenter in the same city. See the TCP Relay guide.
Updated on: 12/07/2024