I have Tailscale running well on several Slate AXs (including a few as exit nodes), but cannot seem to find a way to make the Slate AX Guest subnet available to TS. I have my primary LAN on 192.168.69.0 and my Guest subnet on 192.168.169.0 (examples) and have tried manually adding both subnets via the SSH CLI using:
# tailscale up --advertise-routes=192.168.69.0/24,192.168.169.0/24 --accept-dns=false --accept-routes --exit-node-allow-lan-access --exit-node=100.77.212.xx
This does make both routes show as available on the Tailscale web UI, and my primary LAN subnet routes fine via the exit node, but when I connect locally to my source Slate Guest network, it has no internet access at all.
Ideally, I’m trying to get only the Guest network to utilize a TS exit node and then plan to use a firewall zone for the tailscale0 device to ensure the Guest subnet can only communicate via the TS exit node (like a killswitch), but for now can’t seem to find what is blocking the Guest network from routing via TS?
PS: On the exit node, I do see that both subnets should be accepted, which leads me to believe there’s something on the source Slate that’s blocking guest access to TS locally.
# ip route
default via 192.168.0.1 dev wlan-sta0 proto static src 192.168.0.15 metric 20
100.64.0.0/10 dev tailscale0 scope link
192.168.0.0/24 dev wlan-sta0 proto static scope link metric 20
192.168.69.0/24 dev br-lan proto kernel scope link src 192.168.69.1
192.168.169.0/24 dev br-guest proto kernel scope link src 192.168.169.1
“# ip route show table 55” shows nothing, but:
# ip route show table 52
default dev tailscale0
100.74.193.xx dev tailscale0
100.77.212.xx dev tailscale0
100.87.121.xx dev tailscale0
100.100.100.xx dev tailscale0
100.119.78.xx dev tailscale0
throw 127.0.0.0/8
throw 192.168.0.0/24
throw 192.168.69.0/24
192.168.71.0/24 dev tailscale0
throw 192.168.169.0/24
I’m clearly missing something in the GL.iNet Tailscale implementation. I have set custom FW zones, ensured “br-guest” is set up as an exact mirror of “br-lan”, and even tried removing my LAN from “--advertise-routes” and only adding my Guest. Even then, LAN will route through the remote exit node and Guest still has no internet access. I cannot find anything in interfaces, networking, firewall or otherwise that is different between the two, but LAN I cannot stop from routing and Guest I cannot get to route at all.
@ikun - Thank you for the answer (even if it sucks).
With my typical customer VPN setups I completely sandbox the guest network (DNS/everything) so it can only communicate with wgclient for extra security. I was hoping to do the same using Tailscale and am just starting to go through the firmware code.
While I understand it’s not supported or standard functionality, are you able to give me any hint on what is blocking Guest from interacting with the TS daemon? I’ve completely re-set up the device, FW zones, client isolation, /etc/config/network, and can’t seem to find the missing ingredient. I would have thought it would be as simple as getting the FW out of the way and advertising the subnet, but no… any clue (even via DM) would be appreciated.
Hi,
I have PMed you a file. Please unzip it and replace /usr/bin/gl_tailscale with it, then restart Tailscale in the Admin Panel. Finally, please run: ip route add table 52 throw 192.168.169.0/24