GL-AXT1800 (Slate) WISP Repeater - Tailscale falls back to relay connections

I have a Slate set up in repeater mode with Tailscale set up. My goal here is to run the Slate itself as a tailnet node with restic (+ restic-rest-server) as a target for sending backups from various other physically distributed nodes.

Tailscale is installed and I can connect from other devices in the tailnet on both the LAN and WAN side of the Slate. While I have tailscale ssh ... connections open and I check tailscale status, I see direct connections:

root@GL-AXT1800:~# tailscale status
100.110.55.117  gl-axt1800           dwight@      linux   -
100.79.147.97   chadwick             dwight@      linux   active; direct 10.0.0.178:41641, tx 3244 rx 4212
dwight@chadwick:~ $ tailscale ping gl-axt1800
pong from gl-axt1800 (100.110.55.117) via 10.0.0.180:41641 in 3ms

However, shortly after I start a restic backup (http mode), the tailnet connection falls back to a DERP relay:

dwight@chadwick:~ $ tailscale ping gl-axt1800
ping "100.110.55.117" timed out
ping "100.110.55.117" timed out
pong from gl-axt1800 (100.110.55.117) via DERP(syd) in 162ms
pong from gl-axt1800 (100.110.55.117) via DERP(syd) in 200ms

The backup succeeds, so the relay is doing its thing; it's just unworkable at these speeds.

What have I tried?

Seems like it's potentially a firewall issue. I've tried adding a rule that allows TCP 8000, but that didn't have any effect. Maybe I have this misconfigured and it's not actually doing what I want it to?

The only other thing I found that I thought might be useful to try was setting the MTU on the WISP Repeater to 1280 to match the Tailscale limit[1]. Unfortunately this didn't seem to have any effect.

I've also installed iperf and tcpdump. Same sort of thing happens:

root@GL-AXT1800:~# iperf -s -p 8000
------------------------------------------------------------
Server listening on TCP port 8000
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[  4] local 100.110.55.117 port 8000 connected with 100.79.147.97 port 48208 (peer 2.1.8)
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.0 sec  1.25 MBytes  1.05 Mbits/sec
root@chadwick:~# iperf -c gl-axt1800 -p 8000 -l 100 -b 1M
------------------------------------------------------------
Client connecting to gl-axt1800, TCP port 8000
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[  1] local 100.79.147.97 port 48208 connected with 100.110.55.117 port 8000 (icwnd/mss/irtt=11/1228/2635)
[ ID] Interval       Transfer     Bandwidth
[  1] 0.0000-10.0393 sec  1.25 MBytes  1.04 Mbits/sec

Unfortunately I'm not yet familiar enough with these tools to really put them to work and diagnose this further.

Any and all advice appreciated :slight_smile:


specs/versions:

Hostname: GL-AXT1800
Model: GL Technologies, Inc. AXT1800
Architecture: ARMv7 Processor rev 4 (v7l)
OpenWrt Version: OpenWrt 21.02-SNAPSHOT r16399+171-c67509efd7
Kernel Version: 4.4.60

root@GL-AXT1800:~# tailscale version
1.66.4
  go version: go1.22.3
root@GL-AXT1800:~#

[1] Troubleshooting guide · Tailscale Docs
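To make the "direct" versus "DERP" observation above repeatable rather than eyeballed, here is a small parser for the text that tailscale status and tailscale ping print. This is an added example for this thread, not code from the post or from Tailscale; it reads only the CLI output, so it can run on any tailnet node (for instance the Linux client in the thread) and flag when a peer has dropped to a relay. The sample lines are the ones quoted in the post plus constructed relay, offline and direct-reply lines; the relay line assumes Tailscale's `relay "<region>"` wording.

```python
"""Classify Tailscale peer paths (direct vs DERP relay) from CLI output.

Added example for this thread; not part of the post or of Tailscale itself.
It only reads the text that `tailscale status` and `tailscale ping` print.
"""
import re
from dataclasses import dataclass

# Constructed sample of `tailscale status` output. The first two lines are the
# ones quoted in the post; the last two are constructed to show the relay and
# offline forms (assumed to follow tailscale's `relay "<region>"` wording).
SAMPLE_STATUS = """\
100.110.55.117  gl-axt1800           dwight@      linux   -
100.79.147.97   chadwick             dwight@      linux   active; direct 10.0.0.178:41641, tx 3244 rx 4212
100.101.102.103 nas-example          dwight@      linux   active; relay "syd", tx 91024 rx 8820
100.104.105.106 laptop-example       dwight@      macOS   offline
"""

# Constructed sample of `tailscale ping` output: the four lines quoted in the
# post plus one constructed direct reply, so both path types are exercised.
SAMPLE_PING = """\
ping "100.110.55.117" timed out
ping "100.110.55.117" timed out
pong from gl-axt1800 (100.110.55.117) via DERP(syd) in 162ms
pong from gl-axt1800 (100.110.55.117) via DERP(syd) in 200ms
pong from gl-axt1800 (100.110.55.117) via 10.0.0.180:41641 in 3ms
"""

STATUS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
DIRECT_RE = re.compile(r"direct ([^\s,]+)")
RELAY_RE = re.compile(r'relay "([^"]+)"')
TXRX_RE = re.compile(r"tx (\d+) rx (\d+)")
PONG_RE = re.compile(r"^pong from (\S+) \((\S+)\) via (\S+) in (\d+)ms$")
TIMEOUT_RE = re.compile(r'^ping "(\S+)" timed out$')


@dataclass
class PeerPath:
    ip: str
    host: str
    state: str          # "direct", "relay", "idle" (shown as "-"), "offline"
    endpoint: str = ""  # UDP endpoint for direct, DERP region code for relay
    tx: int = 0
    rx: int = 0


def parse_status(text: str) -> list[PeerPath]:
    """Parse the peer table printed by `tailscale status`."""
    peers = []
    for line in text.splitlines():
        m = STATUS_LINE.match(line)
        if not m:
            continue
        ip, host, _user, _os, rest = m.groups()
        peer = PeerPath(ip=ip, host=host, state="idle")
        if rest.startswith("offline"):
            peer.state = "offline"
        elif (d := DIRECT_RE.search(rest)):
            peer.state, peer.endpoint = "direct", d.group(1)
        elif (r := RELAY_RE.search(rest)):
            peer.state, peer.endpoint = "relay", r.group(1)
        if (t := TXRX_RE.search(rest)):
            peer.tx, peer.rx = int(t.group(1)), int(t.group(2))
        peers.append(peer)
    return peers


def relayed_peers(text: str) -> list[str]:
    """Hostnames of active peers currently going through a DERP relay."""
    return [p.host for p in parse_status(text) if p.state == "relay"]


def parse_ping(text: str) -> dict:
    """Summarise `tailscale ping` output: timeouts and relay/direct replies."""
    summary = {"timeouts": 0, "relay": [], "direct": []}
    for line in text.splitlines():
        if TIMEOUT_RE.match(line):
            summary["timeouts"] += 1
            continue
        m = PONG_RE.match(line)
        if not m:
            continue
        via, rtt = m.group(3), int(m.group(4))
        # DERP replies print as DERP(<region>); direct ones print ip:port.
        bucket = "relay" if via.startswith("DERP(") else "direct"
        summary[bucket].append((via, rtt))
    return summary


def main():
    for p in parse_status(SAMPLE_STATUS):
        print(f"{p.host:16} {p.state:8} {p.endpoint:20} tx={p.tx} rx={p.rx}")
    print("relayed:", relayed_peers(SAMPLE_STATUS))
    s = parse_ping(SAMPLE_PING)
    print(f"ping: {s['timeouts']} timeouts, {len(s['relay'])} via DERP, "
          f"{len(s['direct'])} direct")


if __name__ == "__main__":
    main()
```

Piping live output into parse_status from a loop (for example once a minute while a backup runs) gives a timestamped record of exactly when the path flips from direct to relay, which is easier to correlate with the restic start time, the MTU change, or a firewall rule than watching tailscale ping by hand.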

Hi,

  1. If you stop Restic, can Tailscale go back to a direct connection? And can it always stay in a direct connection?
  2. Tailscale's official DERP servers have QoS that limits client speeds; could you try setting up a personal DERP server?
  3. The official Tailscale guide shows which firewall ports need to be opened:
    What firewall ports should I open to use Tailscale? · Tailscale Docs

Thanks for the pointers.

  1. I have observed that shortly after stopping the restic backup, the direct connection is re-established. It's not immediate, and the time it takes to switch from the relay to a direct connection seems to vary.

  2. Thanks for pointing out the option. It’s probably more hassle than it’s worth for my situation. I’m looking to avoid managing more servers.

  3. Is it for sure that firewall rules need to be set for tailnet to maintain direct connections to the Slate?

  1. Probably worth a try.

As the NAT hole-punching principle of Tailscale/ZeroTier is relatively complex (NAT layer, port, firewall, etc., and also ISP network factors), I cannot provide other ways; we can just try our best to optimize the network environment.

If 3 brings no improvement, probably manually change the exit node if the current one has a problem, without depending on Restic.

After a lot more trial and error I think I have isolated the issue to connections while the Slate is in 5G Repeater mode. When the Slate is in 2.4G Repeater mode, WAN ethernet mode, or just via a LAN port connection to the upstream DHCP-enabled router/modem, the Tailscale connections are always direct.

Since the client that is connecting to the Slate is also part of the upstream subnet (via an ethernet connection to the router/modem), I suspect the router/modem may have an issue with the bridging between the ethernet and 5G wifi networks. All the attached clients are receiving 10.0.0.0/24 IP addresses, but perhaps there is some firewall in between network devices that I cannot configure.

To test further I need to get the Slate to another location where I can again try the 5G Repeater and exclude the modem/router bridging. I'll try to report back with what I find.

For the Slate's repeater (WWAN), not only the 2.4GHz link can support a direct connection; the 5GHz link is also supposed to support direct connections, since it is the same as 2.4GHz at the repeater connection layer.

Glad to hear you will continue testing; thanks in advance.