Layer 2 Bridge
[](/)
Guides
Advanced Networking
Layer 2 Bridge
On this page
Do you have devices that can't run ZeroTier that you want to access remotely? You can use a small Linux PC as a bridge between ZeroTier and physical networks.
Note
This topic is related to but different from using ZeroTier as a Layer 5 Service Proxy.
You're doing this on your home network and can log in to your router and find the DHCP settings.
You have a keyboard, monitor, and ethernet cable plugged into your Pi. Chances are high we'll break networking and lose access to the Pi.
You're somewhat familiar with the command line and ssh.
We're going to use systemd networking for this. You could probably adapt the concepts to a different Linux network configuration system if you have opinions about systemd.
We used a Raspberry Pi 2 while writing this, but a Pi 3 or 4 should work fine. Anything running a Debian 10+ based distro should be fine. It doesn't have to be a Raspberry Pi, but some of these instructions might be Raspbian specific.
Physical LAN Subnet
Physical LAN DHCP Range
ZeroTier Auto-Assign Range
Default Gateway IP Address (the router)
Bridge IP Address (will be statically assigned)
Create a new ZeroTier network and get the ID. Keep an old network around for secondary way to connect any devices already using ZeroTier.
The DHCP range and ZeroTier Auto-Assign range should be in the same subnet, but not overlap. You'd probably base this off what is already configured on your router.
Install Raspbian OS
Enable SSH
It's easier to login via ssh now and copy/paste commands from the comfort of your own PC.
The DNS name might just work for you:
ssh pi@raspberrypi.local Or ssh pi@<ip-address-of-pi>
Log back in after it's done
https://www.ZeroTier.com/download/
We don't want ZeroTier to manage addresses or routes on $ZT_IF. We're doing it statically below, on the bridge interface.
Set one more variable
Copy the dev name from the listnetworks output for $ZT_IF. It will be something like: zt3jvirser
Go to the Members section of the Network
Open the Wrench Icon for advanced settings and check
Check Allow Bridging
Check Do Not Auto Assign
Authorize the member
Remove existing network stuff
Enable systemd-networkd
Configure interfaces
Write Network Configuration files. Puts ethernet and zerotier into the bridge and configures the bridge with a static IP. See below for DHCP configuration on the bridge.
Review configuration
If needed, edit the files with the editor of your preference.
If it looks good:
You should be able to, from the physical LAN, connect to the Pi via $BR_ADDR
Sometimes the physical interface turns out to be a long "predictable interface name" like: "enb827eb0d4176", sometimes it's just eth0, depending on Raspbian version(???).
https://wiki.debian.org/NetworkConfiguration#Network_Interface_Names
Hook up a keyboard and monitor and check with ip addr then edit /etc/systemd/network/25-bridge-br0-en.network to match.
At `my.zerotier.com/network/$NETWORK_ID`->`Settings`->`Advanced`
Delete the default Managed Route. Add the new Managed Route $ZT_ROUTE
Change IPV4 Auto-Assign to Advanced
Remove existing Pool. Create new Pool with start and end from $ZT_POOL
For documentation purposes, assign $BR_ADDR to the ZeroTier bridge member
It should be working now.
Either it worked, and you can ssh back in to $BR_ADDR after a minute, or it didn't work and the Pi isn't on the network anymore and you need to use the keyboard and monitor to figure out what went wrong.
tip
Make a backup of the sd card so you don't have to repeat these steps
Configure bridge with DHCP
Sometimes, iptables rules apply: echo "0" > /proc/sys/net/bridge/bridge-nf-call-iptables or iptables -A FORWARD -p all -i br0 -j ACCEPT
See: https://serverfault.com/questions/162366/iptables-bridge-and-forward-chain
Say you have a laptop that is on the ZeroTier network and you bring it home. Now its WiFi address and ZeroTier address are in the same subnet. Which interface/address should your laptop use for internet access? https://en.wikipedia.org/wiki/Longest_prefix_match
Unfortunately the iOS and Android VPN APIs won't let ZeroTier use multicast/broadcast. These are typically how apps auto-discover services on the LAN. 😭 Stay tuned for an article on bridging a ZeroTier network and a WiFi access point.
https://systemd.network/systemd.network.html
https://hackaday.io/project/162164/instructions
Guides
Advanced Networking
Layer 2 Bridge
On this page
Do you have devices that can't run ZeroTier that you want to access remotely? You can use a small Linux PC as a bridge between ZeroTier and physical networks.
Note
This topic is related to but different from using ZeroTier as a Layer 5 Service Proxy.
Assumptions[](#assumptions "Direct link to Assumptions")
You're doing this on your home network and can log in to your router and find the DHCP settings.
You have a keyboard, monitor, and ethernet cable plugged into your Pi. Chances are high we'll break networking and lose access to the Pi.
You're somewhat familiar with the command line and ssh.
We're going to use systemd networking for this. You could probably adapt the concepts to a different Linux network configuration system if you have opinions about systemd.
We used a Raspberry Pi 2 while writing this, but a Pi 3 or 4 should work fine. Anything running a Debian 10+ based distro should be fine. It doesn't have to be a Raspberry Pi, but some of these instructions might be Raspbian specific.
What you'll need[](#what-youll-need "Direct link to What you'll need")
Physical LAN Subnet
Physical LAN DHCP Range
ZeroTier Auto-Assign Range
Default Gateway IP Address (the router)
Bridge IP Address (will be statically assigned)
Create a new ZeroTier network and get the ID. Keep an old network around for secondary way to connect any devices already using ZeroTier.
The DHCP range and ZeroTier Auto-Assign range should be in the same subnet, but not overlap. You'd probably base this off what is already configured on your router.
An example plan[](#an-example-plan "Direct link to An example plan")
Get your bridge device up and running[](#get-your-bridge-device-up-and-running "Direct link to Get your bridge device up and running")
Follow the Raspberry Pi install instructions[](#follow-the-raspberry-pi-install-instructions "Direct link to Follow the Raspberry Pi install instructions")
Install Raspbian OS
Enable SSH
SSH into the Pi[](#ssh-into-the-pi "Direct link to SSH into the Pi")
It's easier to login via ssh now and copy/paste commands from the comfort of your own PC.
The DNS name might just work for you:
ssh pi@raspberrypi.local Or ssh pi@<ip-address-of-pi>
Update the Operating System[](#update-the-operating-system "Direct link to Update the Operating System")
sudo apt update && sudo apt -y full-upgrade && sudo rebootLog back in after it's done
Install ZeroTier[](#install-zerotier "Direct link to Install ZeroTier")
https://www.ZeroTier.com/download/
curl -s https://install.zerotier.com | sudo bashLet's set some shell variables now[](#lets-set-some-shell-variables-now "Direct link to Let's set some shell variables now")
NETWORK_ID=BR_IF="br0"BR_ADDR=GW_ADDR=Join ZeroTier Network[](#join-zerotier-network "Direct link to Join ZeroTier Network")
sudo zerotier-cli join $NETWORK_IDWe don't want ZeroTier to manage addresses or routes on $ZT_IF. We're doing it statically below, on the bridge interface.
sudo zerotier-cli set $NETWORK_ID allowManaged=0Set one more variable
ZT_IF=Copy the dev name from the listnetworks output for $ZT_IF. It will be something like: zt3jvirser
Configure the device in ZeroTier Central[](#configure-the-device-in-zerotier-central "Direct link to Configure the device in ZeroTier Central")
Go to the Members section of the Network
Open the Wrench Icon for advanced settings and check
Check Allow Bridging
Check Do Not Auto Assign
Authorize the member
Switch to systemd networking[](#switch-to-systemd-networking "Direct link to Switch to systemd networking")
Remove existing network stuff
sudo apt remove --purge --auto-remove dhcpcd5 fake-hwclock ifupdown isc-dhcp-client isc-dhcp-common openresolvEnable systemd-networkd
sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf;sudo systemctl enable systemd-networkd;sudo systemctl enable systemd-resolved;sudo systemctl enable systemd-timesyncd;Configure interfaces
sudo zerotier-cli set $NETWORK_ID allowManaged=0Write Network Configuration files. Puts ethernet and zerotier into the bridge and configures the bridge with a static IP. See below for DHCP configuration on the bridge.
cat << EOF | sudo tee /etc/systemd/network/25-bridge-br0.network[Match]Name=$BR_IF[Network]Address=$BR_ADDRGateway=$GW_ADDRDNS=1.1.1.1EOFcat << EOF | sudo tee /etc/systemd/network/br0.netdev[NetDev]Name=$BR_IFKind=bridgeEOFcat << EOF | sudo tee /etc/systemd/network/25-bridge-br0-zt.network[Match]Name=$ZT_IF[Network]Bridge=$BR_IFEOFcat << EOF | sudo tee /etc/systemd/network/25-bridge-br0-en.network[Match]Name=eth0 # might be en*[Network]Bridge=$BR_IFEOFReview configuration
tail -n+0 /etc/systemd/network/*If needed, edit the files with the editor of your preference.
If it looks good:
sudo rebootYou should be able to, from the physical LAN, connect to the Pi via $BR_ADDR
If it takes a long time waiting for the network during boot[](#if-it-takes-a-long-time-waiting-for-the-network-during-boot "Direct link to If it takes a long time waiting for the network during boot")
Sometimes the physical interface turns out to be a long "predictable interface name" like: "enb827eb0d4176", sometimes it's just eth0, depending on Raspbian version(???).
https://wiki.debian.org/NetworkConfiguration#Network_Interface_Names
Hook up a keyboard and monitor and check with ip addr then edit /etc/systemd/network/25-bridge-br0-en.network to match.
Configure ZeroTier Network[](#configure-zerotier-network "Direct link to Configure ZeroTier Network")
At `my.zerotier.com/network/$NETWORK_ID`->`Settings`->`Advanced`
Delete the default Managed Route. Add the new Managed Route $ZT_ROUTE
Change IPV4 Auto-Assign to Advanced
Remove existing Pool. Create new Pool with start and end from $ZT_POOL
For documentation purposes, assign $BR_ADDR to the ZeroTier bridge member
It should be working now.
Next steps[](#next-steps "Direct link to Next steps")
Either it worked, and you can ssh back in to $BR_ADDR after a minute, or it didn't work and the Pi isn't on the network anymore and you need to use the keyboard and monitor to figure out what went wrong.
tip
Make a backup of the sd card so you don't have to repeat these steps
Appendix[](#appendix "Direct link to Appendix")
Configure bridge with DHCP
cat << EOF | sudo tee /etc/systemd/network/25-bridge-br0.network[Match]Name=$BR_IF[Network]DHCP=yesEOFFAQ[](#faq "Direct link to FAQ")
I can ping the bridge, but not behind it[](#i-can-ping-the-bridge-but-not-behind-it "Direct link to I can ping the bridge, but not behind it")
Sometimes, iptables rules apply: echo "0" > /proc/sys/net/bridge/bridge-nf-call-iptables or iptables -A FORWARD -p all -i br0 -j ACCEPT
See: https://serverfault.com/questions/162366/iptables-bridge-and-forward-chain
Why is the Managed Route /23 and the LAN subnet /24?[](#why-is-the-managed-route-23-and-the-lan-subnet-24 "Direct link to Why is the Managed Route /23 and the LAN subnet /24?")
Say you have a laptop that is on the ZeroTier network and you bring it home. Now its WiFi address and ZeroTier address are in the same subnet. Which interface/address should your laptop use for internet access? https://en.wikipedia.org/wiki/Longest_prefix_match
Why is an app on my phone not working over ZeroTier?[](#why-is-an-app-on-my-phone-not-working-over-zerotier "Direct link to Why is an app on my phone not working over ZeroTier?")
Unfortunately the iOS and Android VPN APIs won't let ZeroTier use multicast/broadcast. These are typically how apps auto-discover services on the LAN. 😭 Stay tuned for an article on bridging a ZeroTier network and a WiFi access point.
References[](#references "Direct link to References")
https://systemd.network/systemd.network.html
https://hackaday.io/project/162164/instructions
Updated on: 12/07/2024
Thank you!