There are 3 classes of nodes in a working ZeroTier system: the roots, a controller, and your devices.
Your devices need to be able to communicate directly with each other.
The difficulty for strict firewall configurations is that the my.zerotier.com controllers and your devices are on dynamic IP addresses and listen on random UDP ports.
Default zerotier-one listening ports are:
9993
Secondary Port, randomized each start up
Random Port for UPnP
If you can allow incoming and outgoing 9993, you may have some luck.
For best results, a device needs to be able to send to any address, on any UDP port, to connect directly with other devices.
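One way to check whether a firewall is letting your devices connect directly, as an added example that is not part of the original page or of ZeroTier's own code. It reads a JSON peer list in the shape produced by `zerotier-cli -j peers` (the field names used are assumptions about that output, and the sample data is constructed) and reports which devices have a direct path, which have none, and which remote UDP ports other than 9993 are in use.

```python
import json

DEFAULT_PORT = 9993  # default zerotier-one listening port named on this page

# Constructed sample shaped like `zerotier-cli -j peers` output. The field names
# (address, role, paths[].address as "ip/port", active, expired) are assumptions.
SAMPLE_PEERS = json.loads("""
[
  {"address": "aaaaaaaaa1", "role": "PLANET",
   "paths": [{"address": "203.0.113.5/9993", "active": true, "expired": false}]},
  {"address": "bbbbbbbbb2", "role": "LEAF",
   "paths": [{"address": "192.0.2.10/9993", "active": true, "expired": false}]},
  {"address": "ccccccccc3", "role": "LEAF",
   "paths": [{"address": "198.51.100.7/41641", "active": true, "expired": false},
             {"address": "2001:db8::7/29871", "active": false, "expired": true}]},
  {"address": "ddddddddd4", "role": "LEAF", "paths": []}
]
""")


def audit_peers(peers):
    """Split device (LEAF) peers into direct and relayed, and collect the
    remote UDP ports of live direct paths that are not the default port."""
    direct, relayed, other_ports = [], [], set()
    for peer in peers:
        if peer.get("role") != "LEAF":
            continue  # roots are infrastructure, not one of your devices
        live = [p for p in peer.get("paths", [])
                if p.get("active") and not p.get("expired")]
        if not live:
            relayed.append(peer["address"])  # no direct path to this device
            continue
        direct.append(peer["address"])
        for path in live:
            # rsplit keeps IPv6 addresses intact: "2001:db8::7/29871"
            port = int(path["address"].rsplit("/", 1)[1])
            if port != DEFAULT_PORT:
                other_ports.add(port)
    return {"direct": direct, "relayed": relayed,
            "non_default_ports": sorted(other_ports)}


if __name__ == "__main__":
    print(json.dumps(audit_peers(SAMPLE_PEERS), indent=2))
```

Any entry in `non_default_ports` is a peer that a rule permitting only port 9993 would not reach directly.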