OPNsense
[](/)
OS / Platform Notes
Routers
OPNsense
On this page
OPNSense
OPNsense is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. They maintain a ZeroTier package.
If you're using more than one OPNsense router with ZeroTier for a site-to-site style VPN, you will run in to a "ZeroTier over ZeroTier" issue. This causes high CPU usage and dropped packets. The work-around is to paste this into the local.conf text box in the opnsense UI:
This prevents zerotier from sending zerotier traffic over zerotier.
See this discussion for more information.
Some more settings you may find helpful for your firewall rules:
This prevents ZeroTier from binding to multiple ports.
If you have computers behind an OPNsense router, they probably won't be able to make make direct, peer to peer ZeroTier connections. pf based routers use Symmetric NAT otherwise known as Endpoint Dependent NAT. This is unfriendly to any peer to peer protocol.
Here are some options:
Described above
ZeroTier will use UPnP or NAT-PMP if they are available.
If you have a small number of ZeroTier clients (and a small number of UDP services in general), enabling Static Port can help.
Firewall -> NAT -> Outbound -> Static Port option. See also the Source Address setting. Each instance of ZeroTier binds to a random source port (in addition to 9993.)
https://docs.opnsense.org/manual/nat.html#outbound
If you have many computers on your network, two services will choose the same port eventually. Then there will be a conflict in the Static NAT and something won't work and you won't remember why.
Next steps
Click here to create your network and start adding devices.
OS / Platform Notes
Routers
OPNsense
On this page
OPNSense
OPNsense is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. They maintain a ZeroTier package.
If you're using more than one OPNsense router with ZeroTier for a site-to-site style VPN, you will run in to a "ZeroTier over ZeroTier" issue. This causes high CPU usage and dropped packets. The work-around is to paste this into the local.conf text box in the opnsense UI:
{ "physical": { "10.0.0.0/8": { "blacklist": true }, "172.16.0.0/12": { "blacklist": true }, "192.168.0.0/16": { "blacklist": true } }}This prevents zerotier from sending zerotier traffic over zerotier.
See this discussion for more information.
Some more settings you may find helpful for your firewall rules:
{ "physical": { "10.0.0.0/8": { "blacklist": true }, "172.16.0.0/12": { "blacklist": true }, "192.168.0.0/16": { "blacklist": true } }, "settings": { "primaryPort": 9993, "portMappingEnabled": false, "allowSecondaryPort": false, "allowTcpFallbackRelay": false }}This prevents ZeroTier from binding to multiple ports.
ZeroTier clients behind OPNsense[​](#zerotier-clients-behind-opnsense "Direct link to ZeroTier clients behind OPNsense")
If you have computers behind an OPNsense router, they probably won't be able to make make direct, peer to peer ZeroTier connections. pf based routers use Symmetric NAT otherwise known as Endpoint Dependent NAT. This is unfriendly to any peer to peer protocol.
Here are some options:
Run ZeroTier on the Router[​](#run-zerotier-on-the-router "Direct link to Run ZeroTier on the Router")
Described above
UPnP/NAT-PMP[​](#upnpnat-pmp "Direct link to UPnP/NAT-PMP")
ZeroTier will use UPnP or NAT-PMP if they are available.
Static Port[​](#static-port "Direct link to Static Port")
If you have a small number of ZeroTier clients (and a small number of UDP services in general), enabling Static Port can help.
Firewall -> NAT -> Outbound -> Static Port option. See also the Source Address setting. Each instance of ZeroTier binds to a random source port (in addition to 9993.)
https://docs.opnsense.org/manual/nat.html#outbound
If you have many computers on your network, two services will choose the same port eventually. Then there will be a conflict in the Static NAT and something won't work and you won't remember why.
Next steps
Click here to create your network and start adding devices.
Updated on: 12/07/2024
Thank you!