Hey,
I currently have 3 devices.
One has the controller and a public router.
The other two devices are raspberry pi's, with raspberry pi os (latest, based on bookworm), some services, of many are docker containers.
The two raspberry pi's use the edge tunneler to connect and provide services to the ziti overlay and everything is working more or less.
One big problem is the speed and connectivity to said services.
If a client in the same network as the two pi's want to connect to said services over the ziti overlay, it will go through the public router to the edge tunnel till it lands at the service.
This seems to be very slow, as file uploads fail, hang or disconnect sometimes.
Sometimes the edge tunnel seems to crash (it restarted without me doing anything) and I observed dns resolution failures from clients inside a docker container.
So i thought, that a more direct connection via private edge routers on each of the two pi's could improve this.
I followed multiple topics like DNS resolver not working with Docker - #4 by qrkourier, Creating a second public edge router - #17 by markamind, Access to a service trough private router - #12 by scareything, the docs CLI Mgmt | OpenZiti and some others.
I did get the routers itself working.
I enabled the tunneler mode with tproxy (so that clients on the router can also make requests to the overlay) but this does not seem to work with clients in docker containers, if the router is on the host.
I can connect to services on the router host from other devices.
One problem is that the router starts its own dns server on port 53 on the configured ip in the config or localhost.
Another weird thing seems to be that it adds all the ziti IPs to the loopback interface.
Both points seem in stark contrast to the ziti edge tunneler, where it creates a ziti0 (bridge?) interface, where the dns listens and the environment else is relatively clean.
I did try with the normal resolv.conf file and with systemd-resolved, but the latter kicked the ziti dns server always off, as it does not work as a normal dns resolver.
Is the only (non-sane) solution to run the router (host mode) and edge tunneler on the same device?
Or is there a configuration where i can only have the router, which can act the same as the tunneler but works with docker container as clients?