Tailscale cannot reach subnets on other devices

What in the actual heck is going on with GL-iNet when it comes to Tailscale? I just bought a Beryl AX with the sole intention of connecting it to my tailnet and thus allowing clients behind the Beryl AX full access to not only the machines on my tailnet, but also to ANY machines on ANY subnets that have been advertised to my tailnet.

I've enabled every option on the Tailscale application page EXCEPT choosing an exit node, and, unequivocally, clients behind the Beryl AX cannot reach ANY machines on the actual tailnet, and they absolutely can't access any machine on ANY subnet advertised to the tailnet.

I've followed the advice in multiple posts in this thread and none of them make this functionality (essentially the most basic Tailscale functionality) even work. If I SSH into the Beryl AX and try to ping machines on subnets advertised to the tailnet, it works... kinda... the packet loss is extreme, >80%, even though I'm testing this at home on my own network, connected to the internet via fiber; there shouldn't be ANY packet loss.

At any rate, this all seems like way too much of a hassle to justify keeping this "travel router." I don't even see how GL-iNet can claim to "support" Tailscale when it literally doesn't work at all out of the box. FYI, I'm on the latest stable firmware, 4.5.16. I see where --accept-routes was added to the tailscale command line, but that doesn't appear to matter one iota.

If I can't figure out how to make this work and work reliably (no packet loss), I'm going to be forced to just return this device.

==============================================================================
EDITING THIS POST AS MY PREVIOUS POSTS ENDED UP BEING POSTED OUT OF ORDER, THE ABOVE IS MY ORIGINAL FIRST POST AND BELOW ARE MY TWO FOLLOW UP POSTS WHILE DOING FURTHER RESEARCH
==============================================================================

1/2
Alright... so I did a bunch of digging through relevant posts here and on Reddit, and asked on the UniFi Discord, and here are a few things I discovered that need to be fixed by GL-iNet to get this working "out of the box."

First, you need to go into LuCI, go to Firewall and edit the "wan" zone, go to "Advanced Settings" and add "tailscale0" to "Covered devices", then Save & Apply. This will instantly make Tailscale function as intended.

Second, GL-iNet needs to fix their "tailscale" command line, yet again: --accept-dns=false should be switched to true or omitted completely (as true is the default), so that when your Beryl AX is connected to Tailscale you get proper DNS for things on the tailnet (whether that be MagicDNS or a local DNS server that's exposed via the tailnet and likely added by the user to "Global nameservers" in the Tailscale admin console). Without this change, hostnames of machines on the tailnet (or, even worse, things on subnets exposed to the tailnet) are completely unresolvable. I'm guessing GL-iNet specifically set this to false because of their advertising around AdGuard or ad blocking, and setting this to true may break that? I don't know, but specifically breaking DNS for the tailnet when the user is specifically enabling Tailscale seems rather dumb. At any rate, if you're like me and you run AdGuard or a Pi-hole on your tailnet (and you intend to always have your Beryl on your tailnet when in use, which is probably the primary reason you bought this thing in the first place, like me), just go ahead and add your local DNS server on the DNS page of the Beryl web UI.

Anyhow, doing these two things has at least made me likely to maybe keep this Beryl... for now. I'm going to have to put it through its paces on my upcoming trip to truly decide if it's worth keeping. I must say, though, my mind is really blown by how Tailscale is specifically called out in the applications on a vanilla Beryl, and when you enable it... well... it literally doesn't work at all as intended unless you scour the internet and happen across a thread like this one to make it work as it should!

2/2
An alternative to my first step above is for GL-iNet to build a new firewall zone upon enabling Tailscale and tear the same zone down when disabling it, for the sake of completeness. To see what needs to be built/torn down, see this post from 2022: Help to configure tailscale as a proxy service - #2 by pavelgl - Installing and Using OpenWrt - OpenWrt Forum

==============================================================================
ANOTHER EDIT, BECAUSE THE DECISIONS MADE BY GL-INET ARE EXTREMELY FRUSTRATING!
==============================================================================

There should be a dropdown allowing the end user to toggle "--accept-dns" to true or false, and at the very least you should allow a custom DNS server to be set when enabling Tailscale. There's no way we should be forced to inherit the DNS server from the primary WAN interface when essentially using a VPN, even though for some reason GL-iNet seems to think it's just an application and not a VPN. :(

Also, the version of Tailscale that's being used has a known security vulnerability... you'd think there would be a way to update to the current version?

3 Likes
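The two firewall fixes described in the post above (putting tailscale0 into the existing "wan" zone, and the cleaner alternative of a dedicated zone that is built when Tailscale is enabled and torn down when it is disabled) as an added example script. This is not GL-iNet's, OpenWrt's or the thread's own code; it assumes a standard OpenWrt firewall config driven by uci (the `uci show firewall` output format and `uci batch` are real, the section names `tailscale`, `lan_tailscale` and `tailscale_lan` and the LAN zone display name `lan` are assumptions). Each function prints the uci batch it would apply, so the change can be reviewed before it touches the router; the sample `uci show firewall` dump used in the script's own checks is constructed.

```shell
#!/bin/sh
# Added example, not GL-iNet's or OpenWrt's own code: let LAN clients behind an
# OpenWrt-based router (Beryl AX) reach the tailnet and the subnets advertised
# to it, via either of two firewall changes expressed as uci batches.

ZONE="tailscale"      # assumed section/display name for the dedicated zone
DEV="tailscale0"      # interface created by tailscaled
LAN_ZONE="lan"        # assumed display name of the existing LAN zone
WAN_ZONE="wan"        # display name of the existing WAN zone

# Quick option: add tailscale0 to the existing "wan" zone, which is what the
# LuCI "Covered devices" field does. Zones are usually anonymous sections
# (firewall.@zone[1]), so resolve the section id from the display name.
zone_section_for() {
    # reads `uci show firewall` output on stdin, prints the section id
    sed -n "s/^firewall\.\([^.]*\)\.name='$1'$/\1/p"
}

wan_zone_cmds() {
    dump=$(cat)                                  # `uci show firewall` output
    sec=$(printf '%s\n' "$dump" | zone_section_for "$WAN_ZONE")
    [ -n "$sec" ] || { echo "no zone named '$WAN_ZONE'" >&2; return 1; }
    # uci add_list does not de-duplicate, so skip if the device is already covered
    if printf '%s\n' "$dump" | grep -F "firewall.$sec.device=" | grep -qF "'$DEV'"; then
        return 0
    fi
    printf "add_list firewall.%s.device='%s'\ncommit firewall\n" "$sec" "$DEV"
}

# Cleaner option: a dedicated zone that an enable hook builds and a disable
# hook removes.
#  - masq: LAN clients leave toward the tailnet with the router's own tailnet
#    address, so peers and remote subnet routers can reply without the
#    router's LAN ever being advertised as a route.
#  - mtu_fix: MSS clamping for the 1280-byte WireGuard MTU (avoids the
#    "ping works, TCP stalls" symptom).
#  - input ACCEPT lets tailnet peers reach the router itself (SSH/LuCI);
#    change to REJECT if only LAN-to-tailnet access is wanted.
#  - no forwarding to wan: that is only needed when the router is an exit node.
zone_up_cmds() {
    cat <<EOF
set firewall.${ZONE}=zone
set firewall.${ZONE}.name='${ZONE}'
add_list firewall.${ZONE}.device='${DEV}'
set firewall.${ZONE}.input='ACCEPT'
set firewall.${ZONE}.output='ACCEPT'
set firewall.${ZONE}.forward='ACCEPT'
set firewall.${ZONE}.masq='1'
set firewall.${ZONE}.mtu_fix='1'
set firewall.${LAN_ZONE}_${ZONE}=forwarding
set firewall.${LAN_ZONE}_${ZONE}.src='${LAN_ZONE}'
set firewall.${LAN_ZONE}_${ZONE}.dest='${ZONE}'
set firewall.${ZONE}_${LAN_ZONE}=forwarding
set firewall.${ZONE}_${LAN_ZONE}.src='${ZONE}'
set firewall.${ZONE}_${LAN_ZONE}.dest='${LAN_ZONE}'
commit firewall
EOF
}

zone_down_cmds() {
    cat <<EOF
delete firewall.${ZONE}_${LAN_ZONE}
delete firewall.${LAN_ZONE}_${ZONE}
delete firewall.${ZONE}
commit firewall
EOF
}

# Feed a batch to uci and reload the firewall. -q keeps harmless errors quiet
# (deleting a section that does not exist); batch continues past them.
apply() {
    uci -q batch && /etc/init.d/firewall reload
}

case "${1:-}" in
    wan-dev)   uci show firewall | wan_zone_cmds | apply ;;
    zone-up)   { zone_down_cmds; zone_up_cmds; } | apply ;;   # idempotent
    zone-down) zone_down_cmds | apply ;;
    *)         echo "usage: $0 wan-dev|zone-up|zone-down" >&2 ;;
esac
```

Run `sh tailscale-fw.sh zone-up` once from the GL-iNet Tailscale enable path (or by hand over SSH) and `zone-down` when disabling; `wan-dev` reproduces the LuCI click from the post. To inspect rather than apply, call the `*_cmds` functions directly, e.g. `uci show firewall | wan_zone_cmds`. Whichever option is used, `tailscale up` still needs `--accept-routes` for the router to install the routes other nodes advertise.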