Tailscale cannot reach subnets on other devices

Hi all,

I’m having issues with the routes to reach my subnets on my pfsense router with tailscale.
To add more information, I have 2 more devices (iPhone and iPad) that, with their tailscale clients, can reach hosts on the subnets that my pfsense is advertising.

Here is my configuration

  • router: GL-AXT1800
  • Firmware: latest snapshot from GL.iNet download center
  • OpenWRT version: OpenWrt 21.02-SNAPSHOT r16399+159-c67509efd7
  • Kernel: 4.4.60
  • Tailscale package version: 1.32.2-dev

My issues:

I have a pfsense router with tailscale that is advertising the following networks:

  • 10.0.1.0/24
  • 10.0.20.0/24
  • 10.0.200.0/24

If I make an ssh connection into my GL-AXT1800 I can ping any host in those networks. But if I try to ping or reach any host from the LAN (10.0.50.0/24) of my gl-inet router, I cannot ping or reach them.

I can see that the routes are populated in my gl-inet router:

root@GL-AXT1800:~# ip route show table 55
10.0.1.0/24 dev tailscale0
10.0.20.0/24 dev tailscale0
10.0.200.0/24 dev tailscale0

Thanks in advance
Kind regards

1 Like

Sorry not very clear about the topology. Could you draw a simple picture?

My apologies, this is the diagram. I hope my explanation is clearer with this information.

Thanks in advance
Kind regards

The following steps are needed to access devices under the GL-AXT1800.

  1. GL admin panel - Allow Remote Access LAN

  2. Tailscale Admin Console
    Edit route settings… - enable Subnet routes:

My fault, my explanation was not clear.
I cannot access from the computers under gl-ax1800 to the subnets under pfsense (10.0.1.0, 10.0.20.0, 10.0.200.0).

My computer cannot access my docker server (on the other side):
10.0.50.100 (my pc) ——(cannot access) ——> 10.0.200.100 (my docker server)

From my computer under gl-ax1800 I cannot access any computer on the other side. The pfsense router is advertising the networks. I can access with my iPad or my iPhone when I enable the tailscale client in any other network (for example 4G), so the subnets under pfsense are well configured.

Sorry, I misunderstood. I’ll set up a similar topology for testing later.

I’m having similar issues. I think that your answer to ss4pc’s question but I wanted to document my use case here, as well, including feedback.

I just received the Beryl AX which I bought specifically for a travel router that will route my traffic through a tailscale exit node. I don’t have any experience with OpenWRT but saw that Beryl AX was running an openwrt version which supported tailscale, so I thought I’d be fine. My tailscale network is already set up, including my exit node.

I received the Beryl today and tried to install tailscale with Luci. For some reason only the tailscale package is available, but it has a dependency on tailscaled, which was not available, and so I could not install tailscale.

After a lot of searching and poking around I found that the 4.2 supports tailscale natively, so I had to figure out how to install that.

After installing that I went to enable tailscale and turned it on but then had issues with the authentication step. I looked at my RPC traffic and saw requests (get_auth, I think) and empty responses. I noticed a bunch of entries in the log for skip line without '=' Default every time I enable tailscale. So I ssh’ed in and ran tailscale up, went through the auth steps, and it connected.

However, my intention is to route all WAN traffic through tailscale to the exit node to the internet. Something like this:

[Local Network] -> MT-3000 (100.99.49.42) -> tailscale (via internet) -> exit node (100.78.129.41) -> internet

I consider tailscale to be a VPN, so I’m surprised that it’s in the Apps section. Also, there’s no “Block non-VPN traffic” equivalent for tailscale, so I’m starting to get worried that the Beryl won’t do what I bought it for.

In any case, your instructions refer to enabling subnet routes, but there are no subnet routes to enable in the Tailscale UI. I understand that they have to be “requested” by the local app, and that hasn’t happened, so maybe something else is broken? I set the “allow remote access LAN” setting.

Also, I notice even after a few restarts that when I turn on the “enable tailscale” button the client doesn’t actually come online (based on tailscale status). Only the daemon is started, and when I turn it off via the UI the daemon is stopped, but even when the switch is on in the UI I get

# Health check:
#     - state=Stopped

I tried to manually run tailscale up --exit-node ... but all that did was turn off my local connection altogether. Luckily because tailscale was up I was able to access my Beryl via the tailscale network.

I’ve done some more testing. After the last test where I lost local connection to the internet from my laptop, and also to the Beryl, I stopped tailscale then restarted it and included the --exit-node-allow-lan-access. I thought that allowed access to the exit node’s LAN, but it seems to at least allow me to access my Beryl.

I still can’t access the internet from my laptop, but I can access the internet directly from the Beryl (e.g., running curl). I checked my IP from the Beryl (using ipify.org) and it’s the IP of my exit node. This is true for both URLs and IP addresses. I.e., this doesn’t appear to be a DNS issue.

In other words, it seems that tailscale routing is working as expected from the local device (the beryl) but beryl isn’t sharing

I found and followed these instructions to open up firewall rules via the openwrt interface and it’s working as expected. I can reach the internet through my laptop while tailscale is up, with my public IP address being the exit node’s IP address.

I think my only open question is ensuring that I can’t access the internet directly (equivalent to VPN-only). I guess that’s probably another firewall rule?

This may be caused by your pc 10.0.50.100 having the wrong route to 10.0.200.100.
If using windows, you can try this command to add a static route in cmd:

route ADD 10.0.200.100 MASK 255.255.255.255 10.0.50.1 METRIC 5

10.0.50.1 is AXT1800 LAN IP.

Appreciate your feedback and suggestion.

My colleague told me that firmware 4.2 doesn’t currently support being an exit node because of some bugs.
When it’s ready we will check VPN-only/killswitch compatibility.

I do encounter the same failure to boot up tailscale, but I’m using the Slate Plus.

I think there’s some confusion in this thread and other similar support threads between tailscale “server” and tailscale “client”, because tailscale nodes serve both roles at the same time. It would be good to be clear on this.

In my case, I’m not trying to use tailscale on my beryl as a “server” (an exit node) – simply as a “client” (a node that connects to an exit node) and routes ALL of my LAN traffic through that node.

I got it working by tweaking the firewall rules in Luci to prevent the LAN from accessing the WAN. Basically, LAN can access tailscale and tailscale can access WAN. And when I manage the tailscale connection from the command line (tailscale up), then it comes up on reboot.

It seems that the Beryl’s UI doesn’t do a very good job of managing the CLI client.
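The zone arrangement jsr describes (LAN may forward into the tailscale zone, the tailscale zone may forward to WAN, no direct LAN-to-WAN forwarding), written out as an /etc/config/firewall fragment for the fw3 firewall of OpenWrt 21.02. The same LAN-to-tailscale forwarding is what lets LAN hosts behind the router reach subnets advertised by another node, as in the original question. This is an added illustration, not configuration taken from the thread or from GL.iNet; the zone name `tailscale` and the assumption that the stock `lan` and `wan` zones keep their default names are mine.

```uci
# Added example: OpenWrt 21.02 (fw3) /etc/config/firewall fragment for a router
# that joins a tailnet as a "client" and sends its LAN traffic to an exit node.
# Assumes the stock 'lan' and 'wan' zones already exist under those names.

# Zone that owns the tailscale0 device. masq is required: LAN source addresses
# (e.g. 10.0.50.0/24) are not tailnet addresses, so without NAT the exit node
# or a remote subnet router has no route back to the client.
config zone
	option name 'tailscale'
	list device 'tailscale0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'

# LAN clients may be forwarded into the tunnel (exit node or advertised subnets).
config forwarding
	option src 'lan'
	option dest 'tailscale'

# Traffic arriving from the tailnet may leave via WAN, as in jsr's rules.
# (The encrypted WireGuard transport itself is originated by the router and is
# covered by the wan zone's output policy, not by this forwarding.)
config forwarding
	option src 'tailscale'
	option dest 'wan'

# VPN-only behaviour: the stock 'lan' -> 'wan' forwarding section is NOT
# present. With it removed, a LAN client whose traffic is not steered into
# tailscale0 (for example while the node is down) is dropped by the firewall
# instead of leaking out of the WAN. The section to delete looks like:
#   config forwarding
#       option src 'lan'
#       option dest 'wan'
```

After editing the file, `/etc/init.d/firewall restart` applies it; checking that `ip route get 8.8.8.8` on a LAN client's packet path now points at tailscale0 confirms the steering rather than the firewall.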

Hi jsr,
I’m having a similar issue in that I lose internet access from any device connected to the GL.iNet router when setting an exit node (UnRAID Tailscale Docker). Do you mind sharing what you did?
I created the tailscale firewall zone and made firewall forwarding to be the same as the pictures from the openwrt forum link you posted. I also ran tailscale up with and without the arguments. Also, is it me or should there not be a tailscale network interface in luci like how one is created for wireguard or ZeroTier?
Thanks!

Hi. I’ll try to help, though I only know about 80% of what I’m doing, and there are a few layers of complexity that you need to break down and dig through.

To answer your questions regarding the interface – I don’t see a tailscale interface in the luci interfaces page (/cgi-bin/luci/admin/network/network) but I do see it on the Devices tab of that same page – it’s greyed out even though it’s working. tailscale0 is also in the ifconfig output.

The first thing you should do is figure out if tailscale exit node works at all. Without using your router can you connect directly from your computer to your exit node and connect to the internet? I like using an IP echoing service (e.g., curl 'http://api.ipify.org/?format=json') to confirm that I’m actually exiting from my exit node, though this only works if your exit node is on a different network.

If that works, then you can execute tailscale up on your router and check tailscale status. Then call the ipify curl command from the router and ping some hosts (e.g. ping 8.8.8.8). I’ve noticed a lot recently that even if my local machine can’t connect to the internet the router can – it’s not an issue with tailscale but an issue with the routing of my LAN traffic to tailscale. You can also ping other tailscale nodes on your network, both using ping 100.x.x.x or tailscale ping 100.x.x.x or tailscale ping nodename. All these should work.

Now that you’ve confirmed the router is up, you have to figure out why your machine won’t connect. Presumably curl and ping won’t be successful from your command line. I just spent some time with this scenario and found that I was able to ping IP addresses and even execute curl 'http://173.231.16.76?format=json' which is – currently – ipify’s IP address. So that made me realize something was wrong with my Beryl (re-)serving DNS. I updated my machine to use Google DNS and it worked fine. Another thing you might want to check is whether you can ping the tailscale exit node’s tailscale IP address (100.x.x.x) from your local machine.

The previous steps should make it more obvious if you’re looking at a routing issue or something else. I don’t know a ton about routing, or how “fake” interfaces are used, but this is what my routing looks like:

Also note that this is a more restrictive-than-necessary firewall setup since my goal is to prevent traffic to the WAN that does not go through tailscale.

Changing the DNS on the Beryl did it! It was still trying to use the repeated network’s DNS which was causing problems. So far it’s working ok.
I’ve given it all of the tests I give for my Wireguard server and it’s passing them.

@hansome this may be something to notify the developers about. Changing the Firewall Zones @jsr James shows above plus the ability to have the GL.iNet router inherit the Tailscale DNS like it does with Wireguard.

Thanks!

I spoke too soon. Although it’s been working with my Beryl AX, I have not been able to get it to work with my Slate AX. I am not sure why but I’m guessing it has something to do with being on an older Kernel. Not sure.

Edit: Disregard the above. I kept both GL.iNet routers on at the same time and since both LAN subnets are 192.268.8.1, the routing was botched. Once I turned off the Beryl AX, the Slate AX started working.
Great news!

Please have a look at the following OpenWRT link:

They explicitly define the correct way to run the setup so that an OpenWRT client can use an exit node. This doesn’t work today in 4.2.0, out of the box. And on the MT3000 I can’t get it to reliably work because it seems as though the UI is fighting the CLI options I’ve configured.

Please fix this - it’s why I purchased this device and it’s not even remotely close to working.

2 Likes

What CLI options did you make? We can check for conflict and solve it for you.
Setting it as an exit node out of the box is in the planning.

Take a look at the link I posted, that document shows how to get it to work and it’s clear that your GUI implementation does not configure things correctly.

To clarify, I’m not talking about using the MT-3000 as an exit node. I just want it connected to my Tailnet and use the exit node I’ve selected for any clients connected to it. That does not work in 4.2.0.

And when I follow the instructions to fix the firewall policy via the OpenWRT interface the connectivity is spotty and the Tailscale process keeps restarting. The package provided is already very outdated so you should also update that or provide users the correct package.

Ultimately the way you’ve integrated Tailscale is very broken. The system does not update the firewall policy correctly like when you use plain Wireguard. Pretty frustrating considering your documentation claims this all works out of the box.

Sorry to be sloppy, will try to fix the problem asap.