Zerotier and Pfsense (UDP hole punching)

Hi (from France), I've just joined this forum.
Thanks to Tom for his great videos and vlog! I really appreciate it.
I started testing ZeroTier behind pfSense and, as Tom says in his video, it works great without any configuration in pfSense. But it seems that the ZeroTier client can't connect directly to other clients using UDP hole punching, since the UDP source ports are changed by pfSense. I had to set outbound NAT to static port to get UDP hole punching to work. Is it the same for you, if anyone has tried it?
Thanks a lot

It should work without change because when each end connects to the ZT planets they should eventually start talking to each other.

Hi Tom, and thanks for taking the time to answer.

You are right, a ZT client tries to talk to another client by sending UDP to its public IP. At the same time, the client sends to the ZT planet the source port used to talk to the other end. BUT, since pfSense changes the source port used to connect, the UDP hole punching doesn't work and the ends keep on talking to each other through the ZT planets. That's how I understand UDP hole punching. And I can see in Wireshark that the clients can talk to each other without using the ZT planet only if I set static ports in pfSense. Does UDP hole punching work for you without setting static port?
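To make the mechanism described in the post above concrete, here is a small simulation added to this thread (it is not from the original posters, ZeroTier or pfSense). It models two peers behind stateful NATs, a rendezvous "planet" that records the public endpoint it sees, and the simultaneous direct send that follows. The NAT either keeps the LAN source port (static port) or hands out a fresh public port per flow, standing in for pfSense's default source-port rewriting. All IPs, hostnames and port numbers are constructed for the example; 9993 is ZeroTier's default UDP port.

```python
"""Toy model of UDP hole punching through a stateful NAT such as pfSense.

Two ZeroTier-style peers sit behind their own NAT. Each first talks to a
"planet" (rendezvous server), which records the public ip:port it saw. The
peers then send directly to each other's recorded endpoint. Whether those
packets get through depends on whether the NAT keeps the LAN source port
(static port) or rewrites it for every new flow (pfSense's default).
Every address, name and port below is constructed for the example.
"""

PLANET = ("198.51.100.1", 9993)   # constructed rendezvous endpoint


class StatefulNat:
    """Minimal stateful NAT: one state entry per outbound UDP flow."""

    def __init__(self, public_ip, static_port):
        self.public_ip = public_ip
        self.static_port = static_port
        # (lan_ip, lan_port, dst_ip, dst_port) -> public port used for that flow
        self.states = {}
        # pfSense randomizes the rewritten port; a counter is enough here to
        # guarantee that every flow gets a different public port.
        self.next_port = 40000

    def outbound(self, lan_ip, lan_port, dst):
        """Translate an outbound packet and return the public (ip, port) used."""
        key = (lan_ip, lan_port, dst[0], dst[1])
        if key not in self.states:
            if self.static_port:
                pub_port = lan_port            # keep the LAN source port
            else:
                pub_port = self.next_port      # fresh port for this flow
                self.next_port += 1
            self.states[key] = pub_port
        return (self.public_ip, self.states[key])

    def inbound(self, src, dst_port):
        """Deliver an inbound packet only if it matches an existing state:
        same remote endpoint and same public port the state was created with."""
        for (lan_ip, lan_port, dst_ip, dst_port_out), pub_port in self.states.items():
            if (dst_ip, dst_port_out) == src and pub_port == dst_port:
                return (lan_ip, lan_port)
        return None


def simulate(static_port):
    """Return (A reaches B, B reaches A) after one planet-assisted punch attempt."""
    peers = {
        "A": (StatefulNat("203.0.113.10", static_port), ("192.168.1.20", 9993)),
        "B": (StatefulNat("203.0.113.20", static_port), ("10.0.0.30", 9993)),
    }
    # Step 1: each peer contacts the planet; the planet records what it saw.
    seen = {}
    for name, (nat, lan) in peers.items():
        seen[name] = nat.outbound(lan[0], lan[1], PLANET)
    # Step 2: the planet hands each side the other's public endpoint and both
    # send a UDP packet directly at the same time.
    sent = {}
    for name, other in (("A", "B"), ("B", "A")):
        nat, lan = peers[name]
        sent[name] = nat.outbound(lan[0], lan[1], seen[other])
    # Step 3: does each packet match a state on the far NAT?
    result = {}
    for name, other in (("A", "B"), ("B", "A")):
        far_nat, _ = peers[other]
        result[name] = far_nat.inbound(sent[name], seen[other][1]) is not None
    return result["A"], result["B"]


if __name__ == "__main__":
    print("static port :", simulate(True))    # both directions delivered
    print("rewritten   :", simulate(False))   # both dropped: planet saw a different port
```

With source-port rewriting, the port the planet learned belongs to the peer-to-planet flow, while the packet sent toward the other peer leaves on a new port; neither NAT has a state matching what arrives, so traffic stays relayed through the planets. With static port, both flows share the LAN port, so the planet's view matches the direct packet and the punch succeeds. Since a static-port rule gives up the NAT's unpredictable port choice for the flows it covers, the usual practice is to scope it to the ZeroTier host and its UDP port rather than the whole LAN.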

Not sure, I will have to do some more testing, perhaps something changed in the protocol since I last tested.

Thanks for your response. The important thing is that I can make it work correctly. ZT is really a great tool that I discovered watching your videos :+1: