@Dashrender said in ZeroTier Question:
Ultimately, the simplest solution might be to completely rework your network as follows:
Production network physical: the only things on this network are servers and printers, including DNS servers. Configure non-ZT NICs to not register with DNS - this is critical (though it could break things like clustering).
PC internal network: this network has PCs and a DHCP server on it; DNS is something global, like 8.8.8.8.
Guest network: guest PCs and a DHCP server; DNS is something global, like 8.8.8.8.
(Splitting the guest and PC internal networks is really more for show than anything.)
All business devices have ZT installed with the ZT network having DNS configured for Production DNS servers.
The PCs would need to have their ZT IPs manually added to production DNS.
How this works: the ZT PCs will have access to the Production network through the ZT network, and will use that because the production network will use the ZT DNS servers. You'll never have to worry about IP issues because the only ones in DNS should be the ZT ones. Non-ZT users will use global DNS, and that will resolve to something on your firewall, and your firewall should forward as needed internally.
I think this may cause bigger issues, as there are rules on the core switch, which is on the ZT/LAN side, to allow access to the printer, Exchange server, and the DHCP/DNS server.
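The "critical" step in the quoted design is keeping the non-ZT NICs of each Windows server from registering their LAN addresses in production DNS, so that only the ZT addresses are ever resolvable. As an added example (not code from the thread), this PowerShell turns off DNS registration on every adapter that is not the ZeroTier virtual NIC and then reports the result; it assumes the ZT adapter's description contains "ZeroTier" (the stock Windows driver does, but adjust `$ztPattern` if yours differs) and must be run elevated on each server.

```powershell
# Added example, not from the thread: disable DNS registration on every
# adapter that is not the ZeroTier NIC, so only ZT addresses end up in
# production DNS. Assumes the ZT adapter's description matches $ztPattern.
# Run from an elevated PowerShell on each Windows server.

$ztPattern = 'ZeroTier'

# Only adapters that are currently up can register records anyway
$adapters = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }

foreach ($nic in $adapters) {
    $isZt = ($nic.InterfaceDescription -match $ztPattern) -or ($nic.Name -match $ztPattern)
    if ($isZt) {
        Write-Host "Keeping DNS registration on ZT adapter: $($nic.Name)"
        continue
    }
    # Non-ZT NIC: stop it from registering its A/PTR records with the DNS server
    Set-DnsClient -InterfaceIndex $nic.ifIndex -RegisterThisConnectionsAddress $false
    Write-Host "Disabled DNS registration on: $($nic.Name) ($($nic.InterfaceDescription))"
}

# Verify: show each active adapter and whether it still registers in DNS.
# Only the ZT adapter should report RegisterThisConnectionsAddress = True.
Get-DnsClient |
    Where-Object { $_.InterfaceIndex -in $adapters.ifIndex } |
    Select-Object InterfaceAlias, RegisterThisConnectionsAddress |
    Format-Table -AutoSize
```

Turning registration off does not remove records the LAN NICs already created; those stale A/PTR entries still have to be deleted from the production zone (or allowed to scavenge) before the "only ZT IPs in DNS" property holds.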