Feature #9238
open
Add support for Zerotier
0%
Description
Adding support for ZeroTier with its multi-path feature, would give pfS a better position in the SD-WAN market.
Updated by Corey Boyle almost 6 years ago
Excerpt from https://zerotier.com/blog/2018-05-04-128.shtml
1.4.0 should be our next major release. It includes support for multiple concurrent physical network paths (discovered automatically in most cases) with load balancing and much faster handling of path failures. This is step one toward "SD-WAN" features, bringing us closer to our goal of a converged VPN/SDN/SD-WAN/P2P solution. After automatic path bonding and fast fail-over we will be introducing support for QoS (quality of service) rules and very likely a plugin architecture for packet classification.
Updated by Corey Boyle almost 6 years ago
Minimal functionality required would be joining and leaving networks. The controller service is not necessary as that can be done elsewhere on a cheap VPS.
Updated by Corey Boyle over 5 years ago
The integration could be very similar to OpenVPN. An OpenVPN client or server, shows up as a virtual NIC, the same way a ZT network does. ZT virtual NICs could then be assigned to pfS interfaces for firewall purposes.
Updated by Christian McDonald over 5 years ago
Seconding this request!
It seems Corey has and ChanceM have already done most of the heavy lifting:
Ref: https://github.com/ChanceM/pfSense-pkg-zerotier
Ref2: https://github.com/coreybrett/pfSense-pkg-zerotier/
Updated by Corey Boyle over 5 years ago
I don't think my code would be of much use, I was just trying to get the package to work with the latest pfS version. ChanceM did the hard part. For the core pfS team, this would probably be trivial to get done.
Updated by Deon George over 5 years ago
I think it would be pretty awesome if PF supported this. ZT is a great and simple way of securing devices in a virtual network.
Updated by Jim Pingle over 5 years ago
- Project changed from pfSense to pfSense Packages
- Category set to New Package Request
- Target version deleted (
2.5.0)
Updated by Gregory Moore almost 5 years ago
Package has been updated to run on 2.4.4-RELEASE-p3. Still some work to be done on setting up the interfaces, right now it has to be done manually. Controller functionality needs to be redone as the API changed/never was complete.
Updated by
Updated by Corey Boyle over 3 years ago
@Netgate - Any chance this could be added to 2.5 ?
Updated by Amy Nagle over 3 years ago
Just a warning to anyone doing an update from 2.4 to 2.5: make sure you don't have an interface assigned to any zerotier network at the time you do the update. The update process removed the pfSense-pkg-zerotier package, which led to it getting stuck at boot. I had to connect to the console, boot pfSense into single-user mode, and edit /cf/conf/config.xml to remove the interface manually. It will look something like the snippet below. Just remove the entire <optX>...</optX> section, save, and reboot.
<opt6>
<descr><![CDATA[ZEROTIER]]></descr>
<if>ztXXXXXXXXXXX</if>
<spoofmac></spoofmac>
<enable></enable>
</opt6>
Updated by Gregory Moore over 3 years ago
Amy Nagle wrote:
Just a warning to anyone doing an update from 2.4 to 2.5: make sure you don't have an interface assigned to any zerotier network at the time you do the update. The update process removed the pfSense-pkg-zerotier package, which led to it getting stuck at boot. I had to connect to the console, boot pfSense into single-user mode, and edit /cf/conf/config.xml to remove the interface manually. It will look something like the snippet below. Just remove the entire
<optX>...</optX>section, save, and reboot.[...]
I would suspect it removed the zerotier package because there was a version upgrade to the base BSD. Which would result in an interface mismatch. Removal of just the pfSense-pkg-zerotier by it self wouldn't cause this as the interfaces would still come up if zerotier was still installed.
Updated by Amy Nagle over 3 years ago
The pfSense-pkg-zerotier package's uninstall action removes zerotier from the rc.conf.local, so it won't start automatically anymore (see here: https://github.com/ChanceM/pfSense-pkg-zerotier/blob/master/files/usr/local/pkg/zerotier.inc#L66).
Surprisingly, the zerotier package itself wasn't removed and still worked just fine after reinstalling the updated pfSense-pkg-zerotier package. I did, however, update it to the newest version just to limit any potential future issues.
Updated by Gregory Moore over 3 years ago
Amy Nagle wrote:
The pfSense-pkg-zerotier package's uninstall action removes zerotier from the rc.conf.local, so it won't start automatically anymore (see here: https://github.com/ChanceM/pfSense-pkg-zerotier/blob/master/files/usr/local/pkg/zerotier.inc#L66).
Surprisingly, the zerotier package itself wasn't removed and still worked just fine after reinstalling the updated pfSense-pkg-zerotier package. I did, however, update it to the newest version just to limit any potential future issues.
Ah, you're right. Not exactly sure how to handle that one, I guess I assumed if you were going to uninstall the package you wouldn't want zerotier to start. I think the best way to solve it would be to see if I can remove the zt interfaces on uninstall as removing the dependent package would still cause this issue.
Updated by
Updated by Corey Boyle about 1 year ago
This is still a hope and a dream for me. Seems like a great way to add SD-WAN features to pfS.