Tailscale guest subnet routing not available

I have tailscale running well on several Slate AX’s (including a few as exit nodes), but cannot seem to find a way to make the Slate AX Guest subnet available to TS. I have my primary LAN on 192.168.69.0 and Guest subnet on 192.168.169.0 (examples) and have tried manually adding both the subnets via ssh cli using:

# tailscale up --advertise-routes=192.168.69.0/24,192.168.169.0/24 --accept-dns=false --accept-routes --exit-node-allow-lan-access --exit-node=100.77.212.xx

This does make both routes show as available on the Tailscale web UI, and my primary LAN subnet routes fine via the exit node, but when I connect locally to my source Slate Guest network, it has no internet access at all.

Ideally, I’m trying to get only the Guest network to utilize a TS exit node and then plan to use a firewall zone for the tailscale0 device to ensure the Guest subnet can only communicate via the TS exit node (like a killswitch), but for now can’t seem to find what is blocking the Guest network from routing via TS?

Thank you!

PS - On the exit node, I do see that both subnets should be accepted, which leads me to believe there’s something on the source Slate that’s blocking guest access to TS locally.

On exit node:

      "AllowedIPs": [
        "100.65..x.xx/32",
        "fd7a:115c:xx::xx.xx/128",
        "192.168.169.0/24",
        "192.168.69.0/24"
      ],
      "PrimaryRoutes": [
        "192.168.69.0/24",
        "192.168.169.0/24"
      ],

PPS:

# ip route
default via 192.168.0.1 dev wlan-sta0 proto static src 192.168.0.15 metric 20 
100.64.0.0/10 dev tailscale0 scope link 
192.168.0.0/24 dev wlan-sta0 proto static scope link metric 20 
192.168.69.0/24 dev br-lan proto kernel scope link src 192.168.69.1 
192.168.169.0/24 dev br-guest proto kernel scope link src 192.168.169.1

“# ip route show table 55” - shows nothing?, but:

# ip route show table 52
default dev tailscale0 
100.74.193.xx dev tailscale0 
100.77.212.xx dev tailscale0 
100.87.121.xx dev tailscale0 
100.100.100.xx dev tailscale0 
100.119.78.xx dev tailscale0 
throw 127.0.0.0/8 
throw 192.168.0.0/24 
throw 192.168.69.0/24 
192.168.71.0/24 dev tailscale0 
throw 192.168.169.0/24

I’m clearly missing something in the gl-inet tailscale implementation. I have set custom fw zones, ensured “br-guest” is set as an exact mirror to “br-lan”, and even tried removing my LAN from “–advertise-routes” and only adding my Guest. Even then, LAN will route through the remote exit node and Guest still has no internet access. I cannot find anything in interfaces, networking, firewall or otherwise that is different between the two, but LAN I cannot stop from routing and Guest I cannot get to route at all.

@ikun - anything you can think of?

hi,
Guest network is designed to not go through tailscale.

@ikun - Thank you for the answer (even if it sucks :wink:

With my typical customer VPN setups I completely sandbox the guest network (dns/everything) so it can only communicate with wgclient for extra security. I was hoping to do the same using tailscale and am just starting to go through the firmware code.

While I understand it’s not supported or standard functionality, are you able to give me any hint on what is blocking Guest from interacting with the TS daemon? I’ve completely re-setup the device, FW zones, client isolation, etc/config/network - and can’t seem to find the missing ingredient. I would have thought it would be as simple as getting the FW out of the way and advertising the subnet, but no… any clue (even via DM) would be appreciated.

Thanks,
Ken

hi,
I have PM you a file, please unzip it and replace /usr/bin/gl_tailscale with it. And restart tailscale on Admin Panel. Finally, please run ip route add table 52 throw 192.168.169.0/24 .

1 Like

Saw the file and did that immediately Seems I already had the “throw” rule added from previous attempts.

It works! I now have TS routing on LAN & Guest! THANK YOU!! Pretty sure I can sort out locking it down from here with FW rules.

gl-inet rocks!

Sincerely,
Ken