[Bug] ZeroTierOne adds route: 0.0.0.0 0.0.0.0 25.255.255.254 while default gateway is disallowed! (So it should NOT.) #2423

Open
PizzaProgram opened this issue Jan 15, 2025 · 9 comments

@PizzaProgram

I've been testing ZT for a few months now, and sometimes on some Windows PCs the internet suddenly stops working.
If the user disconnects from the ZT network, the internet works again.

After a long investigation I've realized: there is always a new route appearing in my routing table which should not be there:

DEST     MASK     GATEWAY         CONNECTION   METRIC
0.0.0.0  0.0.0.0  25.255.255.254  10.121.15.5  10019

If I manually type, with admin rights:
route delete 0.0.0.0 mask 0.0.0.0 25.255.255.254
the internet is fixed again!

This bug exists on both the latest (v1.12.2) and the older, last Win7-compatible (v1.6.6) versions.

@PizzaProgram
Author

... just to prove it: the content of the <network-id>.local.conf file is:

allowManaged=1
allowGlobal=0
allowDefault=0
allowDNS=0

The UI is showing the same:
[image]

@laduke
Contributor

laduke commented Jan 15, 2025

#1040

@PizzaProgram
Author

Well, I'm reading these notes, like this part:

> The default route workaround is also known, but for this to
> work there must be a known default IP that resolves to a known
> ARP address. This works for an OpenVPN tunnel, but not here
> because this isn't a tunnel. It's a mesh. There is no "other
> end," or any other known always on IP.

and I wonder why this could not be solved with a simple trick:

  • on each defined network, the starting address (like: 10.121.17.1) should be a fake tunnel address?
    There would be a checkbox, just like "managed", "DNS" ... called:
  • Fake default IP [ x ] default: True
    it is still not too late to do this.

IMHO prioritising this:

  • "Networks without default routes are "unidentified networks" and cannot have their firewall classification changed by the user (easily)"

instead of:

  • risking complete internet blockade

is not a good concept.
I have used OpenVPN for 10+ years with "undefined network", before the new generation of TAP driver came and asked about network type, and it worked fine enough.

TODO :

This should be an installer's/user's choice rather than forcing an unwanted route table on us.
So at least one more checkbox should be present:

[x] Add fake GW

which could be turned off!

PS: Users do not have the right to choose the network type anyway!!! Only Administrators.
ZT is asking it again and again each time it connects. (And creates a new adapter.)
A very annoying mechanism, which would also be solved by this.

@laduke
Contributor

laduke commented Jan 16, 2025

Thanks for writing this up. It's unlikely this route is the reason your internet is breaking. It's been working this way for like 10 years.
Other options are an overlapping zerotier and physical subnet, or some kind of routing loop.

@PizzaProgram
Author

> It's unlikely this route is the reason your internet is breaking.

Yes, it does! As I wrote: the second I delete this route, the internet is restored!
If I disconnect and reconnect ZT >> the same route appears again >> the internet is blocked again!
(Cannot even ping 1.1.1.1 or 8.8.8.8)

This is a fact.

I've read many topics during the last 6 months and I saw many similar cases where the user did not understand what was happening, because they had no knowledge of routing tables and how to diagnose.

And it's not just 1 PC which produced this, but several around the country on which I installed ZT. And since I've uninstalled ZT from those PCs, everything went back to normal.

> It's been working this way for like 10 years.
> Other options are an overlapping zerotier and physical subnet, or some kind of routing loop.

That's why I've suggested: This must be an optional switch. There is no other way now, but still better than nothing. Admins can decide how/if they will re-configure their subnets to exclude first IP of it.

@laduke
Contributor

laduke commented Jan 16, 2025

Can you provide steps to reproduce?

@PizzaProgram
Author

> Can you provide steps to reproduce?

Sorry, I cannot, because I do not know why Windows sometimes ignores the metric of default route.
Sometimes it happens on some PCs 2-3 times a day, but normally nothing happens for weeks.

@PizzaProgram
Author

I was thinking, and maybe I have another solution:
What if we leave everything how it is, but:

  • if something is routed to this fake route, so basically back to ZT network,
  • and allowDefault=0, then:
  • ZT TAP driver should route traffic back internally to the real default gateway?

Would that be possible?

@crzsotona

I have occasionally spotted this behavior, and I agree that an option to disable the automatic addition of the fake GW would be nice.
I solved this by automatic removal of this route with a batch script.
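
A read-only check for the situation discussed in this thread, as an added example that is not part of the issue or of ZeroTier's code: it parses `route print`-style output and a `local.conf`, then reports whether the `25.255.255.254` default route is present and whether its metric lets it beat the other default routes. The sample routing table (including the `192.168.1.1` gateway) and the verdict names are constructed for illustration.

```python
import re

ZT_PLACEHOLDER_GW = "25.255.255.254"  # gateway value quoted in the issue

# Constructed sample in the layout of Windows `route print -4`; not from a real host.
SAMPLE_ROUTES = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
          0.0.0.0          0.0.0.0   25.255.255.254     10.121.15.5  10019
      10.121.15.0    255.255.255.0          On-link     10.121.15.5    276
"""
# Constructed <network-id>.local.conf content, same keys as posted in the issue.
SAMPLE_CONF = "allowManaged=1\nallowGlobal=0\nallowDefault=0\nallowDNS=0\n"

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+(\S+)\s+({IPV4})\s+(\d+)\s*$")

def parse_routes(text):
    """Return (dest, mask, gateway, interface, metric) for each IPv4 route row."""
    rows = (ROW.match(line) for line in text.splitlines())
    return [(*m.groups()[:4], int(m.group(5))) for m in rows if m]

def parse_conf(text):
    """Parse key=value lines of a local.conf file into a dict."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def audit(route_text, conf_text):
    """Classify the placeholder default route against the other default routes."""
    defaults = [r for r in parse_routes(route_text) if r[0] == r[1] == "0.0.0.0"]
    fake = [r[4] for r in defaults if r[2] == ZT_PLACEHOLDER_GW]
    real = [r[4] for r in defaults if r[2] != ZT_PLACEHOLDER_GW]
    if not fake:
        verdict = "no-placeholder-route"
    elif not real:
        verdict = "placeholder-is-only-default"
    elif min(fake) <= min(real):  # same prefix length, lowest metric wins; tie = at risk
        verdict = "placeholder-can-win"
    else:
        verdict = "placeholder-present-not-preferred"
    return {"allowDefault": parse_conf(conf_text).get("allowDefault"),
            "placeholder_metrics": fake, "real_default_metrics": real,
            "verdict": verdict}

if __name__ == "__main__":
    print(audit(SAMPLE_ROUTES, SAMPLE_CONF))
```

On a host showing the reported symptom, a `placeholder-present-not-preferred` verdict means the metrics alone do not explain the outage, which matches the behaviour the reporter describes.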
