GL-MT3000 stops working when connecting to Tailscale Exit Node

I have a Raspberry Pi that is connected to my home router that is configured as a Tailscale exit node. I have everything set up and it works perfectly when I connect to the Pi exit node with my phone Tailscale app.

However, on my Beryl AX, whenever I enable “Custom Exit Node” → and choose “Exit Node” as my Raspberry Pi, the internet stops working on my GL-MT3000. Once I turn the exit node setting off, everything works again.

I have tried this in the previous two firmware versions and currently have the 4.5.0 beta.

I tried following the instructions here on creating a new Tailscale Firewall zone but it’s not clear to me where this “Firewall - Zone Setting” is - Help to configure tailscale as a proxy service - Installing and Using OpenWrt - OpenWrt Forum

I have also enabled subnet routes 192.168.8.0/24 of the Beryl AX in the Tailscale Admin Console by enabling “Allow Remote Access WAN” and going to the Tailscale settings for my Raspberry Pi → edit route settings → Subnet routes and enabling the 192.168.8.0/24.

Does anyone know how to solve this? Thank you.

Tomorrow I will access the Pi and write the following command:

`sudo tailscale up --accept-routes`

hi,

Could you execute the following commands and PM me the result? There are some settings that need to be checked, like mentioned in post GL.iNET AXT1800 Tailscale fail to connect - #7 by KingRichard

    ifconfig
    tailscale status
    ip rule
    ip route show table 55
    ip route

Where do I enter those commands?

You can access the router via ssh using tools like xshell, SecureCRT, etc.

Which router? The home router? The Raspberry Pi acting as the node connected to the home router? Or my GL-MT3000?

Would PowerShell work?

Enter these commands on your GL-MT3000. You can connect over ssh using the command `ssh root@192.168.15.1` from a cmd window or PowerShell, replacing 192.168.15.1 with your LAN IP (default 192.168.8.1); the password for ssh is the same as the web password (which you set in the web UI).

Thank you for the clarification. I think I actually got it working by taking the below steps:

I set everything up following the instructions I shared with you above.

Tailscale works as advertised on my GL-MT3000. However, when I turned on “Custom Exit Nodes”, the internet completely stopped. Turn that setting off, it works again. These are the steps I took to remedy this:

  1. Allowed Remote Access WAN and Allowed Remote Access LAN in the Tailscale settings on the GL-MT3000

  2. Logged in to my Raspberry Pi and inputted the following command:

     sudo tailscale up --advertise-routes=192.168.0.0/24,192.168.1.0/24 --accept-routes --advertise-exit-node
    
  3. Went to my Tailscale Admin Panel under Machines and I edited route settings for both the Raspberry Pi and the GL-MT3000 to accept the below two IP addresses:

     192.168.0.0/24
     192.168.1.0/24
    
  4. I then went back to my GL-MT3000 Admin Panel, enabled Tailscale + Allow Remote Access WAN and LAN + Custom Exit Nodes and the internet works.

I don’t fully understand what I did by editing the route settings, approving the two IP addresses, and having these two devices as a Subnet.

  1. Did I do anything wrong and am I exposing myself to any security risks here?
  2. I have a setting in my home router under the connected Raspberry Pi where I can “Always assign this network device the same IPv4 address” - should I turn this setting on?

The action “Allow Remote Access WAN and LAN” is the same as what you executed on the Raspberry Pi (`--advertise-routes=192.168.0.0/24,192.168.1.0/24`), which is to advertise the MT3000 WAN/LAN subnet to all the nodes of your tailnet, since other nodes (like the Raspberry Pi) also need to know the routes to the MT3000. In short, the MT3000 should have the routing rules to the Raspberry Pi, and the Raspberry Pi should also know the routing rules to the MT3000. These actions you have done are without any security risks, for these routing rules are advertised on your own tailnet. Could you execute the commands mentioned above and private message the result? I want to check if there is any routing conflict on your tailnet. And what is the DNS server of your MT3000?

Thank you again for your message.

Yes, I will execute the commands and share it with you via PM later today. I ran it earlier today but did not save it. After I run the following 5 commands, will I just share with you the information displayed under “ip route”? Will I be sharing any sensitive information?

    ifconfig
    tailscale status
    ip rule
    ip route show table 55
    ip route

Where can I find the DNS server of my MT3000?

@ikun - I have sent you a PM with the screenshot and details.

Thank you in advance for your help. Thank you!

Did something change in FW 4.5.0 beta 1?

Exit node is not working for me now, no internet.

4.4.6 beta and previous stable work ok.

Hi,
4.5.0 replaced mwan3 with kmwan, and policy routes are changed, too. Please run the following command and check whether it works normally again. The modification will be merged in the next version. Thanks!

    ip rule add from all fwmark 0x80000/0x80000 lookup main

2 Likes
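
Added example, not part of the original post or of GL.iNet's firmware: a check for whether the policy rule from the reply above is already present before adding it, so that running the workaround repeatedly does not stack duplicate rules. It assumes iproute2-style `ip rule` output; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# has_fwmark_rule MARK/MASK TABLE
# Reads an `ip rule` listing on stdin and succeeds only if it contains a
# "from all fwmark MARK/MASK lookup TABLE" rule.
has_fwmark_rule() {
    awk -v want="$1" -v table="$2" '
        {
            src = ""; mark = ""; tbl = ""
            for (i = 1; i < NF; i++) {
                if ($i == "from")   src  = $(i + 1)
                if ($i == "fwmark") mark = $(i + 1)
                if ($i == "lookup") tbl  = $(i + 1)
            }
            if (src == "all" && mark == want && tbl == table) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample listings (not captured from a real router).
SAMPLE_MISSING='0: from all lookup local
32766: from all lookup main
32767: from all lookup default'

SAMPLE_PRESENT='0: from all lookup local
32765: from all fwmark 0x80000/0x80000 lookup main
32766: from all lookup main
32767: from all lookup default'

# ensure_rule: add the rule from the post only when it is absent.
# Defined but not called here; run it on the router itself as root.
ensure_rule() {
    if ip rule | has_fwmark_rule "0x80000/0x80000" main; then
        echo "rule already present"
    else
        ip rule add from all fwmark 0x80000/0x80000 lookup main
    fi
}
```

A rule added with `ip rule add` is not saved to configuration, so it has to be re-applied after a reboot.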

Hi,

I just set up the same kind of setup and I am having the exact same issues. A Raspberry Pi as an exit node in a different country and I’m using the MT3000 as router (VPN).

I can ping the devices and connect to every device on the network but when I switch on “custom Exit node” like OP I no longer get the internet on the devices under the router. I connected to the MT3000 via ssh and ran the ip rule command but I still am not getting internet.

My current setup:
Model: GL.iNet GL-MT3000
Openwrt Version: OpenWrt 21.02-SNAPSHOT r15812+879-46b6ee7ffc
Kernel Version: 5.4.211
Firmware Version: 4.4.5

Hi
There are some issues with v4.4.5 when turning on Exit node. Please upgrade to v4.4.6 and try again. Thanks!

This works, however now my wireguard AllowedIPs are applied to the TailScale network. Not that I’m complaining, but shouldn’t it be separate rules?

Hi
VPN policies are implemented using the firewall to mark IP, and all the traffic goes through the firewall of the router.

Hi,

I upgraded to 4.4.6 FW. Did a reboot just in case and I’m getting the same behaviour. Tailscale works on the MT3000 but when I activate the custom exit node then the internet doesn’t work for the subnet devices. Mobiles or laptops connected to the MT3000 are not getting an internet connection.

Let me know if you want some logs.

Thanks

@greensnowman
Could you run the mentioned commands and PM me the result? And please make sure subnet routes of the MT3000 have been turned on. Thanks!

1 Like

Hi all,

Just posting the solution which I got via the support email. After updating the firmware to the latest version 4.4.6 I then connected to the exit node (the Pi) and ran the below command:

    sudo tailscale up --reset --accept-routes --advertise-exit-node

For me that solved the issue. My internet works and from the subnet I can connect to other devices no problem also.

Thanks again!

3 Likes