Beryl AX (GL-MT3000) using a tailscale exit node

Gravity8602 · September 27, 2024, 2:39pm

Hi,

I just got a brand new Beryl AX (GL-MT3000) and I wanted to set it up to have an exit node so all the traffic gets routed trough my home network even when travelling with my router.

I tried following the documentation. But in the end my devices connected to the router weren't able to connect to the internet (even when setting manual DNS like those from Google). I also made sure to approve the 192.168.8.0/24 subnet il the Tailscale admin console. As well as use --accept-routes on my exit node device as I saw it could be useful here and was expecting my exit node to do this anyway.

None of these things worked.

What did work though is the manipulation described in this comment. But as I am not super familiar with OpenWRT and the luci interface I am not not 100% sure what these changes mean and if they are safe for me to do.

Could someone help me with this? Did I missing something in my initial configuration? Is the change in the luci configuration expected and safe?

Thank you!

bruce · September 30, 2024, 7:50am

Luci configuration safe.

You can install the TS client in the phone/computer, etc, to verify whether the exit node is available.
If available, please reset router and enable the TS in the GL admin panel, rebind it (let the TS re-create the route table), and in general there are not require configuring anything in the LuCI and SSH.

Gravity8602 · October 2, 2024, 9:43am

Luci configuration safe.

Thank you that is good to know.

You can install the TS client in the phone/computer, etc, to verify whether the exit node is available.

This works fine, I have been using this exist node with my phone and laptop for a while.

If available, please reset router and enable the TS in the GL admin panel, rebind it (let the TS re-create the route table), and in general there are not require configuring anything in the LuCI and SSH.

Just to clarify the ssh config I did was on the machine that acts as the exit node, not on the router itself.
In any case even after a reset my machines that are connected to the router are not able to connect to the internet unless I do the changes in LuCi.

I was able to understand why this is happening though. On tailscale I am not using the default ACLs ({"action": "accept", "src": ["*"], "dst": ["*:*"]}) but instead have been using something more restrictive ({"action": "accept", "src": ["autogroup: member"], "dst": ["*:*"]}).
With my more restrictive ACLs the machines in the 192.168.8.0/24 subnet are not allowed access to the internet. The change in the LuCi configuration allows the machine of the subnet to masquerade as the router (from my understanding thanks to this youtube) and thus to gain access to the tailscale network and internet.
I am not a fan the way this LuCi firewall configuration is done, and I am still a bit afraid that it might be unsafe for some reason when not using the exist node so instead I was able to setup a NAT rule so that traffic gets masqueraded as the router when using the tailscale0 device:

Name: Tailscale
Protocol: Any
Outbound Zone: Any Zone
Source Address: Any
Destination Address: Any
Action: MASQUERADE

Maybe it could be worth it to add a note about ACLs in the official documentation to help others find a solution that works for them.

And for the sake of being complete about my findings adding: Adding this {"action": "accept", "src": ["192.168.8.0/24"], "dst": ["*:*"]} to the ACLs also gives access to tailscale and the internet but it seems to be less safe in my opinion because any machine in the tailnet could expose a subnet like this.

joe.c.sleiman · November 17, 2024, 1:11am

Hello i'm using this AX 3000 wifi 6 router with tailscale,
having this error if you can find the attached, but i have 0 information about networking and stuff,
i tried to add public DNS like (overwrite local DNS on/off) but nothing works.

could you please help me....

Gravity8602 · November 19, 2024, 8:54am

Hello,

i tried to add public DNS like (overwrite local DNS on/off) but nothing works.

From what I can see on your picture you are trying to add dns inside of the tailscale admin console.

You should try setting public dns in the GL.iNet interface. Documentation here.

Also this is a warning not an error. If you don't have any trouble accessing the internet I would just ignore this message.

joe.c.sleiman · November 20, 2024, 1:26am

thank you for your reply, yes i did that now on the router GL GUI -> Network -> DNS, and updated the DNS manually to manuall DNS then DNS server 1 : 8.8.8.8 , and DNS server 2: 8.8.4.4.

the warning/error removed from GL router.
after that:
i have to go to tailscale, I saw this error:
This machine has unapproved routes. Review this from the “Edit route settings...” option in the machine’s menu.

And i fixed that as the sentence said, I clicked on Edit Route setting and then approve all routes, i can now connect through my phone