There are 3 classes of nodes in a working ZeroTier system: The roots, a controller, and your devices.
Your devices need to be able to communicate directly with each other.
The difficulty for strict firewall configurations is: the my.zerotier.com controllers and your devices are on dynamic IP addresses and are listening on random UDP ports.
Default zerotier-one listening ports are:
9993
Secondary Port, randomized each start up and after being “offline” for too long.
Random Port for UPnP
If you can allow incoming and outgoing 9993, you may have some luck.
For best results, a device needs be able to send to any address, on any UDP port to directly connect with other devices.
See also: