Managing your Mikrotik with ZeroTier
Summary
ZeroTier creates a secure, peer-to-peer virtual LAN that makes remote MikroTik devices reachable without public IPs or complex VPNs. This guide covers installation, MikroTik integration, subnet routing, and operational tips.
Remote MikroTik Management with ZeroTier
ZeroTier feels like a LAN that stretches across the planet.
It builds encrypted, peer-to-peer links and gives each member an internal IP.
No public IPs. No painful port forwarding. No heavyweight PKI.
This guide shows practical steps to bring MikroTiks into a ZeroTier network and safely expose local services.
What is ZeroTier?
ZeroTier is a virtual networking platform — a mix of VPN, P2P, and SD‑WAN.
It creates a virtual interface (commonly zt0) on each node.
Nodes join a network using a Network ID.
Members get private IPs and talk securely.
Planet/moon servers assist with discovery and relay traffic when no direct path is available.
Traffic is peer-to-peer when possible.
How ZeroTier works (brief)
- Controller (Network): you create and manage networks at my.zerotier.com or your own controller.
- Peers: devices that run the ZeroTier client and join the network.
- Planet/Moons: discovery/relay helpers (public or self‑hosted).
ZeroTier handles NAT traversal automatically.
Authentication: admin approves new peers in the web console.
Security model
ZeroTier uses modern crypto (Curve25519, authenticated ephemeral keys).
Each node has a keypair and a 40‑bit hardware‑like address.
Admins control which peers are allowed to join.
ZeroTier does not decrypt your traffic on public controllers.
Note: Host your own controller/moons if you need full operational independence.
Quick setup (server, desktop)
- Create an account and network at https://my.zerotier.com.
- Note the Network ID (example: 8056c2e21c000001).
- Install the client on a Linux server or VPS:

```
curl -s https://install.zerotier.com | sudo bash
sudo zerotier-cli join 8056c2e21c000001
sudo zerotier-cli listnetworks
```

- On the web console, authorize the new node (flip the Auth? toggle).
- Confirm internal IPs with zerotier-cli listnetworks.
Simple.
Install ZeroTier on MikroTik (RouterOS 7.5+)
MikroTik provides an official ZeroTier package for RouterOS 7.x.
Steps:
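- Download the matching zerotier-7.x-<arch>.npk from mikrotik.com.
- Upload the .npk to the router files and reboot the device.
- Create a ZeroTier interface and join the network:

```
# RouterOS 7 keeps ZeroTier under the /zerotier menu: enable the default
# instance (zt1), then join the network on an interface named zt1.
/zerotier enable zt1
/zerotier interface add name=zt1 instance=zt1 network=8056c2e21c000001
/zerotier interface print
```

- Approve the MikroTik in the ZeroTier web console.

When status shows connected, the router has joined the ZeroTier network.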
Tip: Keep the ZeroTier package updated after RouterOS upgrades.
Advertise and route local subnets
If you want devices on the router’s LAN to be reachable through ZeroTier, add routing or NAT rules.
Option A — Route the LAN (preferred when possible)
On the MikroTik, announce the local subnet by adding a route and allowing forwarding:

```
/ip route add dst-address=192.168.88.0/24 gateway=zt1
/ip firewall filter add chain=forward src-address=192.168.88.0/24 dst-address=!192.168.88.0/24 action=accept
```

Then ensure ZeroTier peers know the route (advertised via the controller or accepted in settings).
Option B — dst-nat a specific service (narrow and safe)
Map a ZeroTier IP/port to an internal host:
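
```
# in-interface=zt1 limits the mapping to traffic that arrives over ZeroTier;
# without it the rule matches TCP 8081 on every interface, including the WAN.
/ip firewall nat add chain=dstnat in-interface=zt1 protocol=tcp dst-port=8081 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80
```

Access it from another peer using http://<zerotier-ip>:8081.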
Warning: Only expose necessary services. Avoid broad route exposure unless you control access tightly.
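A dst-nat rule with no interface or destination matcher applies to traffic arriving on every interface, not only ZeroTier. The following audit is an added example, not part of the original guide or of any MikroTik tooling: it reads the text of `/ip firewall nat export` and lists such rules. The sample export, its addresses and the function names are constructed for illustration.

```python
import shlex

# Constructed sample of `/ip firewall nat export` output (not from a real router).
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=8081 protocol=tcp \
    to-addresses=192.168.88.10 to-ports=80
add action=dst-nat chain=dstnat dst-port=8082 in-interface=zt1 protocol=tcp \
    to-addresses=192.168.88.11 to-ports=80
add action=dst-nat chain=dstnat comment="cam, ZT only" dst-address=10.147.17.1 \
    dst-port=8554 protocol=tcp to-addresses=192.168.88.20 to-ports=554
"""

# Matchers that pin a dstnat rule to a specific ingress path.
SCOPING_KEYS = {"in-interface", "in-interface-list",
                "dst-address", "dst-address-list"}

def parse_rules(export_text):
    """Yield each `add` line of the /ip firewall nat section as a dict."""
    joined = export_text.replace("\\\n", " ")  # undo export line continuations
    in_nat = False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_nat = line == "/ip firewall nat"
        elif in_nat and line.startswith("add "):
            tokens = shlex.split(line)[1:]  # keeps quoted comments intact
            yield dict(t.split("=", 1) for t in tokens if "=" in t)

def unscoped_dstnat(export_text):
    """Return dst-nat rules that match on every interface and destination."""
    return [rule for rule in parse_rules(export_text)
            if rule.get("chain") == "dstnat"
            and rule.get("action") == "dst-nat"
            and SCOPING_KEYS.isdisjoint(rule)]

if __name__ == "__main__":
    for rule in unscoped_dstnat(SAMPLE_EXPORT):
        print("unscoped dst-nat:", rule.get("protocol"), rule.get("dst-port"),
              "->", rule.get("to-addresses"), rule.get("to-ports"))
```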
Useful operational tips
- Choose non-overlapping private subnets for site LANs to avoid routing conflicts.
- Use descriptive names in the ZeroTier console to track routers.
- Group nodes with tags and ACLs for simpler access control.
- Monitor zerotier-cli output and RouterOS logs for connection issues.
Troubleshooting common issues
- Node stuck at REQUESTING_CONFIGURATION: Verify the controller is reachable and the node is authorized.
- No peer-to-peer path: ZeroTier relays (planet/moon servers) will proxy traffic; check performance and consider self-hosted moons.
- IP conflict with local LAN: Change the ZeroTier assigned range or the local LAN.
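The first and last items above, together with the earlier tip about non-overlapping subnets, can be checked from a Linux peer. This is an added example, not part of the original guide: it takes the JSON printed by `zerotier-cli -j listnetworks` and reports networks that are not in the OK state and ZeroTier ranges or managed routes that overlap the peer's own LAN. The sample JSON is constructed, its field names are assumed from that command's output, and the second network ID and the 10.147.17.x addresses are made up.

```python
import ipaddress
import json

# Constructed sample shaped like `zerotier-cli -j listnetworks` output.
SAMPLE_JSON = """
[
  {"nwid": "8056c2e21c000001", "name": "mgmt", "status": "OK",
   "assignedAddresses": ["10.147.17.23/24"],
   "routes": [{"target": "10.147.17.0/24", "via": null},
              {"target": "192.168.88.0/24", "via": "10.147.17.1"}]},
  {"nwid": "8056c2e21c000002", "name": "lab",
   "status": "REQUESTING_CONFIGURATION",
   "assignedAddresses": [], "routes": []}
]
"""

def check_networks(listnetworks_json, local_lans):
    """Return (nwid, problem) tuples for unhealthy or conflicting networks."""
    lans = [ipaddress.ip_network(lan, strict=False) for lan in local_lans]
    problems = []
    for net in json.loads(listnetworks_json):
        nwid, status = net["nwid"], net.get("status")
        if status != "OK":
            problems.append(
                (nwid, f"status {status}: check controller and authorization"))
            continue
        # Subnets this peer sends into ZeroTier: its own range plus managed routes.
        zt_nets = [ipaddress.ip_interface(a).network
                   for a in net.get("assignedAddresses", [])]
        zt_nets += [ipaddress.ip_network(r["target"], strict=False)
                    for r in net.get("routes", [])]
        for zt in dict.fromkeys(zt_nets):  # de-duplicate, keep order
            for lan in lans:
                if zt.version == lan.version and zt.overlaps(lan):
                    problems.append((nwid, f"{zt} overlaps local LAN {lan}"))
    return problems

if __name__ == "__main__":
    # This peer sits on a LAN that uses the same range as the routed site LAN.
    for nwid, problem in check_networks(SAMPLE_JSON, ["192.168.88.0/24"]):
        print(nwid, problem)
```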
Comparison with other solutions
| Solution | Public IP needed | Ease | Best for |
|---|---|---|---|
| ZeroTier | No | Very easy | Quick mesh, remote devices behind NAT |
| Tailscale | No | Very easy | Identity-based control planes, teams |
| WireGuard (manual) | Sometimes | Moderate | High-performance, DIY setups |
| OpenVPN / IPSec | Sometimes | Complex | Legacy compatibility, PKI control |
When to pick ZeroTier
- You need a fast, low-friction mesh across many devices.
- You must reach devices behind CGNAT without provisioning public IPs.
- You want a hybrid—peer-to-peer with optional relays and a friendly UI.
If you require strict identity-based ACLs tied to corporate SSO, consider Tailscale.
Where MKController helps: For teams managing large MikroTik fleets, MKController’s NATCloud centralizes remote access and monitoring — reducing per-device networking work while keeping governance and observability.
Conclusion
ZeroTier dramatically reduces the friction of remote management.
It’s fast, secure and fits mixed environments.
With a few RouterOS commands you can connect a MikroTik and reach internal services safely.
Start small: authorize a router, expose one service, then expand routes and ACLs.