Edge Tunnel IP not updating

Hi All

Loving the project, please keep up the good work…

We have an alternate SDWAN platform we are attempting to migrate away from; it's been running for the last couple of years, so there is a need to run both side by side until Ziti is fully configured. When the previous platform was built we used 100.64.0.0/16 so as not to conflict with any customer ranges.

In regard to Ziti, I have built a controller and three Fabric routers; these are all online. My first point of config migration is to add Ziti Edge Tunneler on to three Ubuntu Servers running a MariaDB Galera cluster, but I can't get the edge tunneler to change its default IP from the 100.64.0.1/10 range. We are trying to use 100.80.0.0/13 instead.

I have tried everything I can find to change the IP range, this includes:

  1. Using the command below, which reports success, but no change. I have restarted the Edge Tunnel service, and restarted the server, with no change.

>ziti-edge-tunnel update_tun_ip -t 100.80.0.1 -p 13 -d true
{
  "Success":true,
  "Code":0
}

  2. Updated /opt/openziti/etc/identities/config.json, but this just reverts back to the default 100.64.0.1 address and 100.64.0.2 for DNS after a service restart.

{
  "Active":false,
  "Duration":17,
  "StartTime":"2025-08-03T22:26:40.516249Z",
  "IpInfo":{
    "Ip":"100.80.0.1",
    "Subnet":"255.248.0.0",
    "MTU":65535,
    "DNS":"100.80.0.2"
  },
  "LogLevel":"info",
  "ServiceVersion":{
    "Version":"v1.7.4",
    "BuildDate":"Fri-07/25/2025-16:28:08-UTC"
  },
  "TunIpv4":"100.80.0.1",
  "TunIpv4Mask":13,
  "AddDns":true,
  "ApiPageSize":25
}

  3. Updated /usr/lib/systemd/system/ziti-edge-tunnel.service to the below, again no change.

[Unit]
Description=Ziti Edge Tunnel
After=network-online.target

[Service]
Type=simple

# default values
Environment="ZITI_IDENTITY_DIR=/opt/openziti/etc/identities" "ZITI_DNS_IP_RANGE=100.80.0.1/13" "ZITI_VERBOSE=info"

# optional override values
EnvironmentFile=-/opt/openziti/etc/ziti-edge-tunnel.env
User=ziti
UMask=0007
AmbientCapabilities=CAP_NET_ADMIN
ExecStartPre=/opt/openziti/bin/ziti-edge-tunnel.sh
ExecStart=/opt/openziti/bin/ziti-edge-tunnel run --verbose=${ZITI_VERBOSE} --dns-ip-range=${ZITI_DNS_IP_RANGE} --identity-dir=${ZITI_IDENTITY_DIR}
Restart=always
RestartSec=3

[Install]
WantedBy=multi-user.target

No matter how I attempt any of the above, and restart the service or re-enroll the identity, my IP stays at:

>ip a

ziti0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 100.64.0.1/32 scope global ziti0
valid_lft forever preferred_lft forever
inet6 fe80::f852:491c:5395:b2e5/64 scope link stable-privacy
valid_lft forever preferred_lft forever

Please can anyone advise what I'm missing?

Thanks in advance,

Hello. Thanks for the kind words, and welcome to the Open Ziti discourse!

Regarding the IP that ziti-edge-tunnel assigns to the tun device, I think there may be a couple of things going on. Generally ziti-edge-tunnel will prefer values that were provided via command-line options over those that are in the configuration file ${ZITI_IDENTITY_DIR}/config.json.

When you use the update_tun_ip command it changes the value in the configuration file. But when you start ziti-edge-tunnel as a systemd service, ziti-edge-tunnel is started with command line options that come from the systemd unit files so those will have a higher priority.

I think what’s happening is that you are setting the systemd environment variables in the .service file, but the values are being overridden by the ones in the .env file.

Does /opt/openziti/etc/ziti-edge-tunnel.env exist on your system, and if so does it have a value for ZITI_DNS_IP_RANGE in it? That will be the one you want to change if it exists.

edit:

I couldn’t resist a shoutout to the systemctl cat command, which in my experience is overlooked and makes it easier to see the command that systemd will run when variables/overrides are rendered.

1 Like
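The precedence the reply describes (command-line options beat config.json, and a value in the EnvironmentFile overrides the same name set with Environment= in the unit) can be checked without guessing. The following is an added example, not code from the thread or from the OpenZiti project: it re-implements, in plain Python, the resolution order systemd applies to Environment=, EnvironmentFile= (including the leading "-" that makes a missing file non-fatal) and ${VAR} expansion in ExecStart=, over a constructed copy of the unit from the question and a constructed .env file. The env file contents are an assumption for illustration.

```python
"""Resolve the effective ziti-edge-tunnel command line the way systemd would.

Added example: constructed inputs, not the project's own code.
"""
import re
import shlex

# Constructed unit fragment, laid out like the .service file in the question.
UNIT_TEXT = """
[Service]
Environment="ZITI_IDENTITY_DIR=/opt/openziti/etc/identities" "ZITI_DNS_IP_RANGE=100.80.0.1/13" "ZITI_VERBOSE=info"
EnvironmentFile=-/opt/openziti/etc/ziti-edge-tunnel.env
ExecStart=/opt/openziti/bin/ziti-edge-tunnel run --verbose=${ZITI_VERBOSE} --dns-ip-range=${ZITI_DNS_IP_RANGE} --identity-dir=${ZITI_IDENTITY_DIR}
"""

# Constructed env file (assumption): an override left behind by an earlier install.
ENV_FILE_TEXT = """
# range written at install time (constructed sample)
ZITI_DNS_IP_RANGE=100.64.0.1/10
"""


def parse_unit(text):
    """Collect Environment= pairs, EnvironmentFile= specs and ExecStart= from a unit."""
    env, env_files, exec_start = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Environment="):
            # Values are space separated and may be double-quoted.
            for token in shlex.split(line[len("Environment="):]):
                key, _, value = token.partition("=")
                env[key] = value
        elif line.startswith("EnvironmentFile="):
            env_files.append(line[len("EnvironmentFile="):])
        elif line.startswith("ExecStart="):
            exec_start = line[len("ExecStart="):]
    return env, env_files, exec_start


def parse_env_file(text):
    """KEY=VALUE lines; blank lines and # comments are ignored."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"')
    return env


def effective_environment(unit_text, files):
    """files maps path -> text of the env file, or omits the path if it is absent.

    systemd applies EnvironmentFile= after Environment=, so the file wins on
    a duplicate name; a spec starting with "-" is skipped when the file is missing.
    """
    env, env_files, exec_start = parse_unit(unit_text)
    for spec in env_files:
        optional = spec.startswith("-")
        path = spec.lstrip("-")
        if path not in files:
            if optional:
                continue
            raise FileNotFoundError(path)
        env.update(parse_env_file(files[path]))
    return env, exec_start


def render_exec_start(exec_start, env):
    """Expand ${VAR} references the way systemd does for ExecStart=."""
    return re.sub(r"\$\{(\w+)\}", lambda m: env.get(m.group(1), ""), exec_start)


def resolve(unit_text, files):
    """Return (effective environment, rendered command line)."""
    env, exec_start = effective_environment(unit_text, files)
    return env, render_exec_start(exec_start, env)


if __name__ == "__main__":
    with_env_file = {"/opt/openziti/etc/ziti-edge-tunnel.env": ENV_FILE_TEXT}
    for label, files in (("env file present", with_env_file), ("env file absent", {})):
        _, cmd = resolve(UNIT_TEXT, files)
        print(f"{label}: {cmd}")
```

With the env file present the rendered command carries --dns-ip-range=100.64.0.1/10 even though the unit's Environment= line says 100.80.0.1/13, which is the symptom in the question; removing or editing the file flips it. On the real host, systemctl cat ziti-edge-tunnel.service and systemctl show -p Environment ziti-edge-tunnel.service give the same answer without any scripting.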

Hi

Thanks for the info, that's exactly what it was, I have now updated the IP ranges. Can I check my understanding, as this has now maybe caused a further issue.

Currently I have 3 sites, so I have used 100.80.0.0/13 (100.80.x.x - 100.87.x.x). I have allocated each site a different IP group within the range; below is the IP of my DB server per site.

Site 1 - 100.81.0.1/13

Site 2 - 100.82.0.1/13

Site 3 - 100.83.0.1/13

Whilst the server has taken the IP on board, and the controller sees the client as online and connected, DNS cannot resolve the "server".ziti names allocated in the intercept config.

Am I trying to get too involved in the IP allocation side and stopping Ziti doing its thing?

Thanks

The CIDR that’s assigned to the tun interface specifies a few things:

  1. the IP address of the tun interface e.g. as seen by ip addr show. e.g. 100.81.0.1.
  2. the IP address of the DNS server that can resolve hostnames that appear in your intercept.v1 service configurations. e.g. 100.0.81.2.
  3. the range of IP addresses that will be returned by the DNS server. e.g. 100.81.0.0/13 (excluding the base and DNS server IPs)

Starting a tunneler alone does not result in a resolvable hostname. You need to define services with intercept configurations that use hostname addresses. The tunnelers that have Dial permission to a service will be able to resolve the hostnames in the intercept.v1 address list.

Do you have services defined in your network, with service policies that allow your identities to see the services? In general you can check this with the ziti cli policy-advisor command.
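The three things the reply says a tun CIDR encodes can be derived mechanically, and the same arithmetic shows how the per-site CIDRs listed earlier in the thread relate to each other. The following is an added example, not the project's code: it uses Python's ipaddress module to split a --dns-ip-range value into the network, the tun interface address and the DNS server address, to test whether a set of CIDRs actually describe distinct networks, and to check a candidate range against existing subnets. The "DNS address is the tun address plus one" convention is taken from the config.json shown in the question (100.80.0.1 and 100.80.0.2); the existing-subnet list in the usage block is constructed from the ranges mentioned in the thread.

```python
"""What a ziti-edge-tunnel --dns-ip-range CIDR implies, computed with ipaddress.

Added example; the tun-plus-one DNS convention is read off the config.json in the thread.
"""
import ipaddress


def describe_dns_range(cidr):
    """Split 'address/prefix' into the network, tun IP and DNS IP it implies."""
    iface = ipaddress.ip_interface(cidr)
    tun_ip = iface.ip
    dns_ip = tun_ip + 1  # observed convention: DNS sits right after the tun address
    return {
        "network": str(iface.network),
        "tun_ip": str(tun_ip),
        "dns_ip": str(dns_ip),
        # Addresses handed out by the tunneler's resolver come from the network
        # but never reuse these two.
        "excluded": sorted({str(tun_ip), str(dns_ip)}),
    }


def distinct_networks(cidrs):
    """Number of different networks the CIDRs describe.

    Several 'site' values with the same prefix length can collapse onto one
    network: 100.81.0.1/13, 100.82.0.1/13 and 100.83.0.1/13 are all 100.80.0.0/13.
    """
    return len({ipaddress.ip_interface(c).network for c in cidrs})


def conflicting_subnets(cidr, existing_subnets):
    """Existing subnets that overlap the network implied by cidr."""
    net = ipaddress.ip_interface(cidr).network
    return [s for s in existing_subnets if net.overlaps(ipaddress.ip_network(s))]


if __name__ == "__main__":
    # Constructed: the legacy SD-WAN range from the thread, plus a typical LAN.
    existing = ["100.64.0.0/16", "192.168.10.0/24"]
    sites = ["100.81.0.1/13", "100.82.0.1/13", "100.83.0.1/13"]

    for cidr in sites:
        print(cidr, describe_dns_range(cidr))
    print("distinct networks across sites:", distinct_networks(sites))
    print("default 100.64.0.1/10 conflicts with:", conflicting_subnets("100.64.0.1/10", existing))
    print("100.80.0.1/13 conflicts with:", conflicting_subnets("100.80.0.1/13", existing))
```

Two things fall out of running it. The tunneler's default 100.64.0.1/10 overlaps the legacy 100.64.0.0/16 mentioned at the top of the thread, which is a concrete reason to move off the default, whereas 100.80.0.0/13 does not. And the three site values with a /13 suffix all map to the single network 100.80.0.0/13, so giving each site a /16 (or /24) inside that space is what actually produces distinct per-site networks, should that ever be needed.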

I have all the defined services/intercepts with the Dial and Bind configs; it all works if I use 100.80.0.1/13 as the DNS range across all three sites. If I try to break up the ranges as above, adjusting the DNS IPs as appropriate for the local range, it all stops working.

My assumption is that it doesn't work the way I want, as I wanted each site to use a small portion of the larger range.

Thanks

The DNS range that you choose for a given site/tunneler should make no noticeable difference in behavior assuming the range you’ve selected does not conflict with an existing subnet on your network. Also the IP addresses returned by ziti-edge-tunnel's name server are usually only intended to be meaningful on the host that is running ziti-edge-tunnel.

Can you show me the logs from your ziti-edge-tunnel, the commands that you’re running, and the errors that you’re seeing?

Thanks!

Sorry for the late reply. I have reverted back to the 100.80.0.0/16 range for all sites, and it is now working. I have also been playing with the Source IP fields to present the original source IP to the target, so I can see which clients are connected or not, to aid troubleshooting.

2 Likes