There are 3 classes of nodes in a working ZeroTier system: The roots, a controller, and your devices.

Your devices need to be able to communicate directly with each other.

The difficulty for strict firewall configurations is: the my.zerotier.com controllers and your devices are on dynamic IP addresses and are listening on random UDP ports.

Default zerotier-one listening ports are:

• 9993

• Random Port based on Node ID

• Random Port for UPnP

Therefore, a device needs be able to send to any address, on any UDP port.

See also:

Router Configuration Tips