ZeroTier in LXC works but I can’t get LAN forwarding working (remote clients can't reach Proxmox LAN)

JxckS

New Member
Nov 17, 2025
I finally got ZeroTier to launch inside an LXC and create the ztxxxxxx interface, and the container is joining the network fine. But I still can't get forwarding/routing working so my remote ZeroTier clients can access anything on the Proxmox LAN. In the ZeroTier web UI my route for the Proxmox LAN is pushed; other hosts traceroute to the LXC container but nothing past it.

I followed this Proxmox thread:
https://forum.proxmox.com/threads/enabling-tun-by-default-when-starting-a-ct-image-to-get-zerotier-working.122151/
And I added the required settings to /etc/pve/lxc/ID.conf:

features: keyctl=1,nesting=1
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
ZeroTier starts perfectly and the interface shows up.

Inside the guest I enabled forwarding:

sysctl -w net.ipv4.ip_forward=1
Since it's Debian 13, I also added full nftables forwarding + a postrouting MASQUERADE inside the LXC (/etc/nftables.conf):

Code:
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oif "eth0" masquerade
    }
}

table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # Allow ZeroTier traffic to LAN
        iif "zt..." oif "eth0" accept
        # Allow LAN replies back to ZeroTier
        iif "eth0" oif "zt...." ct state related,established accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
What am I missing?
Hi,
In case it helps, the procedure I followed, which works, is the following.
Now I can connect to all the VM/LXC in my Proxmox server from other zerotier connected devices.

a) in Zerotier configure managed routes:
192.xxx.xxx.xxx/24 (Proxmox LAN) via 10.xxx.xxx.xxx (ZeroTier IP of the Proxmox LXC)

b) In the LXC run the following commands (this is a mix of several posts found online; it can surely be improved)
PHY_IFACE=eth0
ZT_IFACE=ztw4lehnqx   # check the name of the ZeroTier interface in your LXC
iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT
sysctl -w net.ipv4.ip_forward=1

NOTE: these commands do not survive reboot.
If someone can advise how to make it permanent it would be great.
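Picking up the persistence question, here is an added example (my own script, not the poster's commands) that renders reply (b)'s iptables rules as an nftables ruleset, checks an "nft list ruleset" dump for the two rules forwarding needs, and writes the ruleset to /etc/nftables.conf plus a sysctl drop-in so both come back after reboot. It matches interfaces with iifname/oifname rather than iif/oif, because oif is resolved to an interface index when the ruleset loads and the zt interface only exists once ZeroTier is running. The interface names and the drop-in file name 90-zerotier-forward.conf are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: reply (b)'s iptables rules as a persistent
# nftables ruleset, a check against an "nft list ruleset" dump, and an installer.

# Emit the ruleset. $1 = LAN-facing interface, $2 = ZeroTier interface (assumed names).
# iifname/oifname match by name, so the rules load even before ZeroTier creates zt*.
gen_zt_ruleset() {
    phy="$1"; zt="$2"
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$phy" masquerade
    }
}
table inet filter {
    chain forward {
        # Drop by default: the container only forwards ZeroTier <-> LAN traffic.
        type filter hook forward priority filter; policy drop;
        iifname "$zt" oifname "$phy" accept
        iifname "$phy" oifname "$zt" ct state related,established accept
    }
}
EOF
}

# Read a ruleset dump on stdin and verify the two rules LAN forwarding needs.
# Prints what is missing; returns 0 only when both are present.
check_ruleset() {
    phy="$1"; zt="$2"
    dump=$(cat)
    printf '%s\n' "$dump" | grep -q "oifname \"$phy\" masquerade" \
        || { echo "missing: masquerade on $phy"; return 1; }
    printf '%s\n' "$dump" | grep -q "iifname \"$zt\" oifname \"$phy\" accept" \
        || { echo "missing: forward $zt -> $phy"; return 1; }
    return 0
}

# Make it survive reboot (run as root inside the container): on Debian,
# nftables.service loads /etc/nftables.conf and systemd-sysctl applies /etc/sysctl.d.
install_zt_forwarding() {
    gen_zt_ruleset "$1" "$2" > /etc/nftables.conf
    echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/90-zerotier-forward.conf
    sysctl -q -p /etc/sysctl.d/90-zerotier-forward.conf \
        && nft -f /etc/nftables.conf && systemctl enable --now nftables
}
```

To verify a running container, pipe the live ruleset in: nft list ruleset | check_ruleset eth0 ztw4lehnqx.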