Strange problem with ZeroTier VPN bypass rule + WDS

Here’s a puzzler for you:

I’m using ZeroTier on my laptop (not any of my GL.iNet routers) and two servers at home.

I have always-on WireGuard VPNs on my LANs behind GL.iNet devices. The VPNs are just for internet access; I’m not using them to get into my network at home while on the road or anything like that.

I added a VPN bypass rule on my Beryl AX (used with my laptop on the road) and my Slate AX at home. These rules look like the following (screenshot includes a couple adjacent rules for comparison):

All this seems to work mostly fine, although ZeroTier doesn’t seem to bypass the VPN 100% of the time for reasons I don’t fully understand - I think it’s not as deterministic about what source port it uses as Tailscale is, but I’m not sure.

Now, here’s my problem:

When I’m on the road and connect my laptop to a Slate Plus which is connected to my Beryl AX in WDS network mode, the ZeroTier network becomes unstable.

If I set up a continuous ping between my laptop and the servers at home, they will fluctuate between responding to pings, timing out, and showing Host Unreachable replies from my laptop’s ZeroTier IP.

But as soon as I disable that VPN bypass firewall rule on the Beryl AX, and only the Beryl AX, the ZeroTier network recovers and the problems stop happening! 😳

What is going on here?

Ideally, I want traffic from ZeroTier (and Tailscale) clients behind my GL.iNet devices to bypass the always-on VPN, because the traffic is already fully secure, and going through the VPN just adds latency and reduces bandwidth.

Is my VPN bypass rule incomplete? Maybe ZeroTier is sending some other traffic which isn’t covered by that firewall rule, and so some traffic is going thru the VPN and some not?

I’d appreciate it if any of the GLi staff in these forums have some ideas, though I know this is a pretty esoteric problem, and the easy (if unsatisfactory) solution is just to disable the bypass rule and accept the extra latency of having the ZeroTier traffic go through the VPN. Thanks for any advice anyone has!

Hi

Your guess is correct.

ZeroTier doesn’t only use 9993 as the source port (primaryPort); it also uses random secondaryPort and tertiaryPort.

Maybe you could try creating or modifying ZeroTier’s configuration to make it fixed, and then mark it accordingly in the router’s firewall.
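The reply above suggests pinning ZeroTier's secondary and tertiary ports and then matching them in the router's bypass rule. The script below is an added example, not code from the thread or from ZeroTier/GL.iNet. It assumes a Linux-style ZeroTier install with `local.conf` under `/var/lib/zerotier-one` (the macOS and Windows paths differ), uses the documented `settings.primaryPort`, `settings.secondaryPort` and `settings.tertiaryPort` keys, and picks 9994/9995 as arbitrary fixed port values; `zt_bypass_sports` and `zt_unexpected_ports` are helper names invented here.

```shell
#!/bin/sh
# Added example (not from the forum post or from ZeroTier): pin ZeroTier's
# secondary/tertiary UDP ports so a source-port based VPN bypass rule can match
# all of its traffic, and check that the daemon really only uses those ports.
# Assumptions: Linux layout of local.conf; 9994/9995 chosen arbitrarily.

ZT_DIR="${ZT_DIR:-/var/lib/zerotier-one}"
ZT_PRIMARY="${ZT_PRIMARY:-9993}"
ZT_SECONDARY="${ZT_SECONDARY:-9994}"
ZT_TERTIARY="${ZT_TERTIARY:-9995}"

# Write local.conf into the directory given as $1. Refuses to overwrite an
# existing file so hand edits are not lost. Prints the path written.
write_zt_local_conf() {
    dir="$1"
    conf="$dir/local.conf"
    if [ -e "$conf" ]; then
        echo "refusing to overwrite existing $conf" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    cat > "$conf" <<EOF
{
  "settings": {
    "primaryPort": $ZT_PRIMARY,
    "secondaryPort": $ZT_SECONDARY,
    "tertiaryPort": $ZT_TERTIARY
  }
}
EOF
    echo "$conf"
}

# The UDP source ports the router-side bypass rule has to cover, in the
# comma-separated form iptables' "-m multiport --sports" accepts.
zt_bypass_sports() {
    echo "$ZT_PRIMARY,$ZT_SECONDARY,$ZT_TERTIARY"
}

# Given a whitespace-separated list of observed local UDP ports ($1), print
# every port that is NOT one of the pinned three, one per line. Empty output
# means the bypass rule covers everything the daemon is sending from.
zt_unexpected_ports() {
    known=",$(zt_bypass_sports),"
    for p in $1; do
        case "$known" in
            *",$p,"*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Live check on the host (needs iproute2 ss and root): collect the local
# ports of UDP sockets owned by zerotier-one and report any unpinned ones.
zt_check_listen_ports() {
    observed=$(ss -lunp 2>/dev/null | grep zerotier-one \
        | grep -oE ':[0-9]+ ' | tr -d ': ' | sort -u | tr '\n' ' ')
    extra=$(zt_unexpected_ports "$observed")
    if [ -n "$extra" ]; then
        echo "zerotier-one is using unpinned UDP ports: $extra" >&2
        return 1
    fi
    echo "zerotier-one UDP ports are all covered: $(zt_bypass_sports)"
}

# Run as: sh zt-pin-ports.sh apply   (then restart zerotier-one and re-run
# with "check" to confirm the daemon picked up the pinned ports).
case "${1:-}" in
    apply) write_zt_local_conf "$ZT_DIR" \
           && echo "bypass rule must match UDP source ports: $(zt_bypass_sports)" ;;
    check) zt_check_listen_ports ;;
esac
```

After restarting the daemon, `check` should print only the three pinned ports; any other port listed is traffic the bypass rule will still push through the VPN. One caveat the source-port approach cannot cover: ZeroTier's documented TCP fallback relay (`allowTcpFallbackRelay`, used when UDP is blocked) is TCP, so a UDP-only bypass rule will never match it.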
