Hello,
I am currently trying to set up the Ziti Firewall together with a Ziti Edge Tunnel on a Linux router board with two Ethernet ports.
I followed most of the Zero Trust IoT Wifi-Gateway guide, as that seems to mostly replicate what I am trying to do. ZFW doesn’t seem to properly redirect the packets from the ziti0 interface back to my LAN interface (enp1s0).
I activated verbose mode so that I can take a look at what ZFW is doing, and it seems to be trying to redirect the response back to the LAN interface. I'm not getting any response when digging a ziti domain name, though.
Furthermore, I tested that the direction into ziti0 is not the problem. I can even make requests that are allowed in ZFW (HTTP request), which then show up at the bind-configured device (I checked using Wireshark).
Any ideas are appreciated, as this is probably going to be some kind of configuration that I missed.
Thank you for your time!
Laptop:
gelaechter@laptop:~$ dig @100.64.0.2 caddy.ziti
;; communications error to 100.64.0.2#53: timed out
;; communications error to 100.64.0.2#53: timed out
;; communications error to 100.64.0.2#53: timed out
; <<>> DiG 9.20.13 <<>> @100.64.0.2 caddy.zuiti
; (1 server found)
;; global options: +cmd
;; no servers could be reached
ZFW monitor:
admin@nanopi-r3s-lts:~$ sudo zfw -M all
Oct 31 2025 20:54:05.522807880 : enp1s0 : INGRESS : UDP :10.1.1.100:44581[0:e0:4c:71:8f:55] > 100.64.0.2:53[da:e6:88:28:17:49] redirect ---> ziti0
Oct 31 2025 20:54:05.523434388 : ziti0 : INGRESS : UDP :100.64.0.2:53[da:e6:88:28:17:49] > 10.1.1.100:44581[0:e0:4c:71:8f:55] redirect ---> enp1s0
Additional info:
/opt/openziti/etc/ebpf_config.json:
{"InternalInterfaces": [{"Name": "enp1s0"}],
"ExternalInterfaces": []}
/opt/openziti/bin/user/user_rules.sh
#!/bin/bash
/usr/sbin/zfw --verbose enp1s0
/usr/sbin/zfw --verbose ziti0
zfw -L
admin@nanopi-r3s-lts:~$ sudo zfw -L
INGRESS FILTERS:
type service id proto origin destination mapping: interface list
------ ---------------------- ----- ----------------- ------------------ ------------------------------------------------------- -----------------
accept 2BivX9tofWXm4rrklgVuiW tcp 0.0.0.0/0 100.64.0.3/32 dpts=80:80 TUNMODE redirect:ziti0 []
accept 2BivX9tofWXm4rrklgVuiW udp 0.0.0.0/0 100.64.0.3/32 dpts=80:80 TUNMODE redirect:ziti0 []
accept 0000000000000000000000 udp 0.0.0.0/0 100.64.0.2/32 dpts=53:53 TUNMODE redirect:ziti0 []
Rule Count: 3 / 250000
prefix_tuple_count: 3 / 100000
admin@nanopi-r3s-lts:~$ sudo zfw -L -z egress
EGRESS FILTERS:
type service id proto origin destination mapping: interface list
------ ---------------------- ----- ----------------- ------------------ ------------------------------------------------------- -----------------
Rule Count: 0 / 250000
prefix_tuple_count: 0 / 100000
local dig on the gateway:
admin@nanopi-r3s-lts:~$ dig caddy.ziti
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> caddy.ziti
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58733
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;caddy.ziti. IN A
;; ANSWER SECTION:
caddy.ziti. 60 IN A 100.64.0.3
;; Query time: 4 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Fri Oct 31 21:28:31 UTC 2025
;; MSG SIZE rcvd: 55
zfw -L -E
admin@nanopi-r3s-lts:~$ sudo zfw -L -E
lo: 1
--------------------------
icmp echo :1
pass non tuple :1
ipv6 enable :1
verbose :0
ssh disable :0
outbound_filter :0
per interface :0
tc ingress filter :0
tc egress filter :0
tun mode intercept :0
vrrp enable :0
eapol enable :0
ddos filtering :0
masquerade :0
ot filtering :0
--------------------------
enp1s0: 2
--------------------------
icmp echo :0
pass non tuple :0
ipv6 enable :0
verbose :1
ssh disable :0
outbound_filter :0
per interface :0
tc ingress filter :1
tc egress filter :1
tun mode intercept :1
vrrp enable :0
eapol enable :0
ddos filtering :0
masquerade :0
ot filtering :0
--------------------------
end0: 3
--------------------------
icmp echo :0
pass non tuple :0
ipv6 enable :0
verbose :0
ssh disable :0
outbound_filter :0
per interface :0
tc ingress filter :0
tc egress filter :0
tun mode intercept :0
vrrp enable :0
eapol enable :0
ddos filtering :0
masquerade :0
ot filtering :0
--------------------------
ziti0: 5
--------------------------
verbose :1
cidr :100.64.0.0
resolver :100.64.0.2
mask :10
--------------------------
sudo tc filter show dev enp1s0
admin@nanopi-r3s-lts:~$ sudo tc filter show dev enp1s0 ingress
filter protocol all pref 1 bpf chain 0
filter protocol all pref 1 bpf chain 0 handle 0x1 zfw_tc_ingress.o:[action] direct-action not_in_hw id 186 name bpf_sk_splice tag 515df427760099ea jited
filter protocol all pref 2 bpf chain 0
filter protocol all pref 2 bpf chain 0 handle 0x1 zfw_tc_ingress.o:[action/1] direct-action not_in_hw id 192 name bpf_sk_splice1 tag aa2d601900a4bb11 jited
filter protocol all pref 3 bpf chain 0
filter protocol all pref 3 bpf chain 0 handle 0x1 zfw_tc_ingress.o:[action/2] direct-action not_in_hw id 198 name bpf_sk_splice2 tag b2a4d46c249aec22 jited
filter protocol all pref 4 bpf chain 0
filter protocol all pref 4 bpf chain 0 handle 0x1 zfw_tc_ingress.o:[action/3] direct-action not_in_hw id 204 name bpf_sk_splice3 tag ed0a156d6e90d4ab jited
filter protocol all pref 5 bpf chain 0
filter protocol all pref 5 bpf chain 0 handle 0x1 zfw_tc_ingress.o:[action/4] direct-action not_in_hw id 210 name bpf_sk_splice4 tag 7b65254c0f4ce589 jited
filter protocol all pref 6 bpf chain 0
filter protocol all pref 6 bpf chain 0 handle 0x1 zfw_tc_ingress.o:[action/5] direct-action not_in_hw id 216 name bpf_sk_splice5 tag 4e38a5e8607ce661 jited
filter protocol all pref 7 bpf chain 0
filter protocol all pref 7 bpf chain 0 handle 0x1 zfw_tc_ingress.o:[action/6] direct-action not_in_hw id 222 name bpf_sk_splice6 tag df3c5d531ac8a762 jited
admin@nanopi-r3s-lts:~$ sudo tc filter show dev enp1s0 egress
filter protocol all pref 1 bpf chain 0
filter protocol all pref 1 bpf chain 0 handle 0x1 zfw_tc_outbound_track.o:[action] direct-action not_in_hw id 240 name bpf_sk_splice tag 108ff1c4bd79f42c jited
filter protocol all pref 2 bpf chain 0
filter protocol all pref 2 bpf chain 0 handle 0x1 zfw_tc_outbound_track.o:[action/1] direct-action not_in_hw id 246 name bpf_sk_splice1 tag e55132e45dc4a711 jited
filter protocol all pref 3 bpf chain 0
filter protocol all pref 3 bpf chain 0 handle 0x1 zfw_tc_outbound_track.o:[action/2] direct-action not_in_hw id 252 name bpf_sk_splice2 tag 9ec5f3c00f9ef356 jited
filter protocol all pref 4 bpf chain 0
filter protocol all pref 4 bpf chain 0 handle 0x1 zfw_tc_outbound_track.o:[action/3] direct-action not_in_hw id 258 name bpf_sk_splice3 tag 9af99a7218e0be3d jited
filter protocol all pref 5 bpf chain 0
filter protocol all pref 5 bpf chain 0 handle 0x1 zfw_tc_outbound_track.o:[action/4] direct-action not_in_hw id 264 name bpf_sk_splice4 tag d1a536ae48efe657 jited
filter protocol all pref 6 bpf chain 0
filter protocol all pref 6 bpf chain 0 handle 0x1 zfw_tc_outbound_track.o:[action/5] direct-action not_in_hw id 282 name bpf_sk_splice5 tag 0c2fe303f4e36a3a jited
filter protocol all pref 7 bpf chain 0
filter protocol all pref 7 bpf chain 0 handle 0x1 zfw_tc_outbound_track.o:[action/6] direct-action not_in_hw id 300 name bpf_sk_splice6 tag c3facb0d6d06aa5a jited
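The `zfw -M all` output above is the only place the post shows both legs of the DNS exchange, and reading it by eye gets tedious once dig retries. The following is an added helper, not code from the post or from the zfw project, that pairs each request line with its reply line and checks that the reply came in on the interface the request was redirected to and was sent back to the interface the request arrived on. It assumes the monitor line format exactly as printed above (fields separated by " : ", a redirect decision ending with "redirect ---> <iface>"); the TCP line in the sample is constructed to show a flow with no observed reply.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed format of one `zfw -M all` line, taken from the two lines in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d+) : (?P<iface>\S+) : (?P<dir>\S+) : "
    r"(?P<proto>\S+) :(?P<sip>[\d.]+):(?P<sport>\d+)\[(?P<smac>[0-9a-f:]+)\] > "
    r"(?P<dip>[\d.]+):(?P<dport>\d+)\[(?P<dmac>[0-9a-f:]+)\](?: redirect ---> (?P<redirect>\S+))?\s*$"
)

# Sample input: the two real lines from the post plus one constructed TCP request
# with no matching reply, so the "unanswered" case is exercised too.
SAMPLE_LINES = [
    "Oct 31 2025 20:54:05.522807880 : enp1s0 : INGRESS : UDP :10.1.1.100:44581[0:e0:4c:71:8f:55] > 100.64.0.2:53[da:e6:88:28:17:49] redirect ---> ziti0",
    "Oct 31 2025 20:54:05.523434388 : ziti0 : INGRESS : UDP :100.64.0.2:53[da:e6:88:28:17:49] > 10.1.1.100:44581[0:e0:4c:71:8f:55] redirect ---> enp1s0",
    # constructed line, not from the post
    "Oct 31 2025 20:54:06.000000000 : enp1s0 : INGRESS : TCP :10.1.1.100:51000[0:e0:4c:71:8f:55] > 100.64.0.3:80[da:e6:88:28:17:49] redirect ---> ziti0",
]


@dataclass
class Event:
    ts: str
    iface: str           # interface the packet was seen on
    direction: str       # INGRESS / EGRESS as printed by zfw
    proto: str
    src: Tuple[str, int]
    dst: Tuple[str, int]
    redirect_to: Optional[str]  # interface zfw redirected the packet to, if any


def parse_line(line: str) -> Optional[Event]:
    """Parse one monitor line; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(ts=m["ts"], iface=m["iface"], direction=m["dir"], proto=m["proto"],
                 src=(m["sip"], int(m["sport"])), dst=(m["dip"], int(m["dport"])),
                 redirect_to=m["redirect"])


@dataclass
class Flow:
    forward: Event
    reverse: Optional[Event] = None

    @property
    def symmetric(self) -> bool:
        """True when the reply was seen on the interface the request was redirected to
        and was redirected back to the interface the request arrived on."""
        return (self.reverse is not None
                and self.reverse.iface == self.forward.redirect_to
                and self.reverse.redirect_to == self.forward.iface)


def pair_flows(lines: List[str]) -> Dict[tuple, Flow]:
    """Group monitor lines into request/reply pairs keyed by (proto, src, dst) of the request."""
    flows: Dict[tuple, Flow] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        fwd_key = (ev.proto, ev.src, ev.dst)
        rev_key = (ev.proto, ev.dst, ev.src)
        if fwd_key in flows:
            continue  # retransmission of a request already recorded (dig retries from the same port)
        if rev_key in flows and flows[rev_key].reverse is None:
            flows[rev_key].reverse = ev  # reply to a request we have already seen
        else:
            flows[fwd_key] = Flow(forward=ev)
    return flows


def report(lines: List[str]) -> List[str]:
    """One human-readable line per flow, stating whether and how the reply was redirected."""
    out = []
    for (proto, (sip, sport), (dip, dport)), flow in pair_flows(lines).items():
        if flow.reverse is None:
            status = "no reply seen by zfw"
        elif flow.symmetric:
            status = f"reply seen, redirected {flow.reverse.iface} -> {flow.reverse.redirect_to}"
        else:
            status = "reply seen but not redirected back to the request interface"
        out.append(f"{proto} {sip}:{sport} -> {dip}:{dport}: {status}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LINES):
        print(line)
```

For the two real lines it reports the DNS reply as seen and redirected ziti0 -> enp1s0, which says the eBPF redirect path is symmetric as far as zfw can observe; a flow that shows "no reply seen by zfw" would instead point at the ziti0 side. Pipe a longer capture in by replacing `SAMPLE_LINES` with the lines of a saved `sudo zfw -M all` session.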