Cannot connect MT-3000 to Tailscale exit node

HalfLife · December 10, 2024, 2:57pm

Hello All,

I'm currently having a problem where I cannot connect my MT-3000 to a TailScale exit node (MT-2500).

When trying to connect, I lose all internet connectivity.

MT-3000 Tailscale Settings:

My other clients, like my Android phone, and Windows laptop, can connect just fine, and all traffic is routed as expected.

I did modify the MT-3000 firewall settings for the WAN zone to accept the tailscale0 device, but no difference.

I also reset the router to factory defaults and did the firewall modification, but still the same issue.

MT-2500 Tailscale settings (exit node):

MT-3000 Firmware Version:

MT-3000 firewall settings:

MT-3000 WAN zone settings:

AdamK · December 10, 2024, 7:46pm

You need to upgrade the Tailscale version on your exit node.

SSH into the router as root and run "tailscale update"

HalfLife · December 11, 2024, 12:35am

Ran the update on the MT-2500 (Server):

Restarted the MT-2500.

Ran the command again, just to verify it updated:

Still no connection

AdamK · December 11, 2024, 1:12am

Did you advertise the subnet routes on the server? I see it’s showing the exclamation mark (!) which means there are unapproved routes.

HalfLife · December 11, 2024, 1:56am

I will test shortly and reply back. I also tested with a raspberry PI as the exit node, and same issue.

HalfLife · December 11, 2024, 2:05am

Ok, so I enabled all the routes, so the exclamation points are gone.

I also added a raspberry PI exit node, just to verify exit node functionality with a different device.

I brought up the rpi exit node via the following command:

sudo tailscale up --advertise-exit-node --advertise-routes=10.0.0.0/24 --accept-routes

My other clients can connect and route traffic through the exit node perfectly.

Note: I turn off the Wireguard Client and the Global "Block all Non-VPN Traffic" option, just to avoid any conflicts for each test.

I still have the same problem.

AdamK · December 11, 2024, 11:41am

No need to advertise subnet routes on the Pi, but I suppose you can if you want.

I haven't seen your Beryl AX shown on the Tailscale Machines page yet. You will need to proper subnets advertised there for it to work. The default IP of GL.iNet routers uses 192.168.8., so if it's still the same then the you need to SSH into the Beryl AX and advertise 192.168.8.0/24.

FYI full instructions for the Tailscale setup are described here: Digital Nomad VPN Tutorial using Wireguard or Tailscale

HalfLife · December 11, 2024, 2:50pm

I advertised the routes on the raspberry pi to allow access to its clients on its LAN that can't install a Tailscale client. If that is incorrect, I will revert that change.

Relevant Device Settings:

Brume 2 (MT-2500) Settings:

RPI Settings:

Beryl AX (MT-3000) Settings:
(The subnet is advertised, and I changed the subnet to 192.168.7.0/24 to avoid conflicts.)

AdamK · December 11, 2024, 3:06pm

Did you remember to enable remote access WAN on the GL.iNet admin panel's Tailscale page for the Brume 2 server/exit node router?

HalfLife · December 11, 2024, 5:15pm

Hi Adam,

This is what it was before on the MT-2500 (Brume 2):

I enabled the toggle now:

I also enabled the WAN subnet route in Tailscale:

I will test this out when I get home, thank you!

HalfLife · December 12, 2024, 1:44am

Ok, so I tested the change and it still doesn't connect.

MT-2500 (Brume 2) settings:

MT-3000 (Beryl AX) settings:

AdamK · December 12, 2024, 2:31am

I think your Firewall Zones are wrong. They look very modified and not like the default. I think your best bet is going to be resetting the travel router and following the steps I provided (and wrote) earlier: Digital Nomad VPN Tutorial using Wireguard or Tailscale

For example, you should have WAN -> Reject, but I'm not seeing that.

HalfLife · December 12, 2024, 2:52am

Hi Adam, I appreciate you hanging in there with me.

Ok, I reset the router and updated Tailscale:

These are now the Firewall Zones (Not modified yet, but will follow your guide):

One interesting tidbit, I did a tailscale status on the MT-3000, and it showed this:

I'm reading posts that say the warning is a red herring, but unsure.

HalfLife · December 12, 2024, 3:02am

Something strange happened. I can perform queries in Google while connected to the Exit Node:

However, attempting to visit any other site fails.

HalfLife · December 12, 2024, 3:06am

I found the issue. I had to change my DNS server entries to use Google's @ 8.8.8.8 and not use the router's.

Thank you a ton @AdamK, you sent me on the right path to get this solved!

I also see in your guide that this is mentioned under Recommended DNS Settings.

I never got far enough in the guide to test that step out, may I recommend having a link to it earlier in the guide just in case someone else has the same issue?

Again, thanks a million!

AdamK · December 12, 2024, 4:03am

Glad to hear it! I will definitely take your advice into consideration and look at placing it higher up, thank you.