You don’t need UPnP turned on, nor do you need to open 9993.

Each device with Zerotier installed sees itself as on a LAN of the Zerotier IP address range your Zerotier network has created. This works even if they are on physically separate LANs miles apart and behind separate routers (my Raspberry Pis are networked that way across 2 locations). If you want to access devices without Zerotier installed (for example because it cannot run on them) you can “bridge” to the local LAN via Zerotier.

If you have multiple clients on your LAN, it is way less effort - and ongoing management effort - to just set up a gateway to the zeroTier SD-WAN. Grab a Pi, install the ZT client and setup IP routing, add static routes on your primary gateway as appropriate for the address space(s).

I have a second home that I am renovating, I have a Pi on my LAN at home and on the remote one. The Pis route traffic from their respective Local ethernet interface to the virtual zeroTier one. The routers at each location have static routes to route to the address space of the other location and also the zeroTier LAN.

The whole thing took me about an hour to set up from start to finish and has been working completely transparently for months. I have to say out of all of the various network fiddling around I have done over the years, this has been the least amount of effort/most reliable.

<edit> oops - this ended up in the wrong place - should have been in response to the question about multiple clients..

Little note I didn't see in the comments:

outgoing udp needs to be allowed. If only allow 9993 out, you'll only be able to peer with things that are listening on 9993. So basically only the roots.

Anything behind a NAT is going to be mapped through some random port.

Even the my.zerotier.com controllers are not on 9993.