Tailscale Setup - Flint 2 and Flint 3

My network spans two properties and I recently bought a GL-MT6000 (Flint 2) for one and GL-BE9300 (Flint 3) for the other. Since I regularly access devices and services remotely, I set up Tailscale on both routers.

Site A:

  • Flint 3
  • LAN = 192.168.1.0/24
  • Tailscale = 100.100.1.1
  • Allow Remote Access WAN = true
  • Allow Remote Access LAN = true

Site B:

  • Flint 2
  • LAN = 192.168.2.0/24
  • Tailscale = 100.100.2.1
  • Allow Remote Access WAN = true
  • Allow Remote Access LAN = true

I have nginx for reverse proxying at each site and use my subdomains to point to various services. Connectivity between the two sites worked when using IP addresses, but not the subdomains. To resolve that, I have:

Site A:
nft add rule inet fw4 dstnat iifname "tailscale0" tcp dport { 80,443 } dnat ip to 192.168.1.250
nft add rule inet fw4 srcnat ip saddr 192.168.2.0/24 ip daddr 192.168.1.0/24 masquerade

Site B:
iptables -t nat -A PREROUTING -i tailscale0 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.121
iptables -t nat -A PREROUTING -i tailscale0 -p tcp --dport 443 -j DNAT --to-destination 192.168.2.121
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j MASQUERADE

(80 and 443 route to nginx at each site)

The only issue is the fact that the connection is ridiculously slow - when using either IPs or subdomains. Is this a configuration issue or hardware limitation?

Hi

Have you checked the connection status and throughput of your Tailscale link?

If your connection is established through a relay node (DERP), performance may be limited by the bandwidth load on the Tailscale relay server.

Even with a direct (peer-to-peer) connection, factors such as geographic distance and ISP routing can affect overall speed.

You can verify and benchmark the connection via SSH using the commands below:

# Check Tailscale connection status
tailscale status

# Install iperf3 for bandwidth testing
opkg update && opkg install iperf3

# On one device, start the iperf3 server
iperf3 -s

# On the other device, run the client tests:
# Upload test
iperf3 -c <tailscale_peer_ip>

# Download test (reverse mode)
iperf3 -c <tailscale_peer_ip> -R

This will help determine whether the speed limitation originates from the Tailscale relay, ISP routing, or local network performance.

Refer:

  1. Tailscale CLI · Tailscale Docs
  2. iPerf - iPerf3 and iPerf2 user documentation
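
Added example, not part of the reply above or of Tailscale's own tooling: a small shell filter that classifies each peer's current path as direct or DERP-relayed from the text output of `tailscale status`. The column layout it parses (IP, hostname, owner, OS, status) and the sample lines are assumptions constructed for illustration; the layout can vary between Tailscale versions.

```shell
#!/bin/sh
# Added example: classify each peer's current path from `tailscale status` text.
# Assumed column layout: IP  HOSTNAME  OWNER  OS  STATUS...

# Constructed sample output (addresses, hostnames and region are made up).
sample_status() {
    cat <<'EOF'
100.100.1.1   GL-BE9300  user@  linux    -
100.100.2.1   GL-MT6000  user@  linux    active; relay "lhr", tx 91520 rx 40212
100.100.3.7   laptop     user@  windows  active; direct 203.0.113.7:41641, tx 5252 rx 9120
100.100.4.9   phone      user@  iOS      offline

# Health check:
#     - constructed warning line, ignored by the parser
EOF
}

# Reads status text on stdin, prints "host<TAB>path<TAB>detail" per peer.
# path is one of: direct, relay, offline, idle (no active path reported).
classify_peers() {
    awk '
    NF < 5 || $1 !~ /^[0-9a-f.:]+$/ { next }   # skip blanks and "#" health lines
    {
        host = $2
        status = $0
        # Strip the first four columns so only the status text remains.
        for (i = 1; i <= 4; i++) sub(/^[ \t]*[^ \t]+[ \t]+/, "", status)
        if (match(status, /direct [^ ,]+/)) {
            path = "direct"; detail = substr(status, RSTART + 7, RLENGTH - 7)
        } else if (match(status, /relay "[^"]+"/)) {
            path = "relay";  detail = substr(status, RSTART + 7, RLENGTH - 8)
        } else if (status ~ /offline/) {
            path = "offline"; detail = "-"
        } else {
            path = "idle"; detail = "-"
        }
        printf "%s\t%s\t%s\n", host, path, detail
    }'
}

# Prints only the hostnames whose traffic is currently going through DERP.
relayed_peers() {
    classify_peers | awk -F '\t' '$2 == "relay" { print $1 }'
}

sample_status | classify_peers
```

On a router, pipe the live output instead of the sample: `tailscale status | relayed_peers`. A peer only reports a path while traffic is flowing, so run it during the iperf3 test.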

Thanks! Can't quite tell if the below actually reveals anything.

root@GL-BE9300:~# iperf3 -c 192.168.2.1 -p 5201
Connecting to host 192.168.2.1, port 5201
[  5] local 100.100.1.1 port 42158 connected to 192.168.2.1 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  7.00 MBytes  58.7 Mbits/sec    0    383 KBytes
[  5]   1.00-2.00   sec  12.0 MBytes   101 Mbits/sec    1    540 KBytes
[  5]   2.00-3.00   sec  10.4 MBytes  87.1 Mbits/sec    0    610 KBytes
[  5]   3.00-4.00   sec  10.5 MBytes  88.0 Mbits/sec    0    661 KBytes
[  5]   4.00-5.00   sec  9.62 MBytes  80.7 Mbits/sec    0    698 KBytes
[  5]   5.00-6.00   sec  12.2 MBytes   103 Mbits/sec    1    510 KBytes
[  5]   6.00-7.00   sec  11.5 MBytes  96.5 Mbits/sec    0    553 KBytes
[  5]   7.00-8.00   sec  11.4 MBytes  95.4 Mbits/sec    0    580 KBytes
[  5]   8.00-9.00   sec  12.1 MBytes   102 Mbits/sec    1    439 KBytes
[  5]   9.00-10.00  sec  11.0 MBytes  92.3 Mbits/sec    1    336 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   108 MBytes  90.4 Mbits/sec    4            sender
[  5]   0.00-10.03  sec   106 MBytes  88.5 Mbits/sec                  receiver

iperf Done.
root@GL-BE9300:~# iperf3 -c 192.168.2.1 -p 5201 -R
Connecting to host 192.168.2.1, port 5201
Reverse mode, remote host 192.168.2.1 is sending
[  5] local 100.100.1.1 port 45608 connected to 192.168.2.1 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  4.75 MBytes  39.8 Mbits/sec
[  5]   1.00-2.00   sec  6.12 MBytes  51.4 Mbits/sec
[  5]   2.00-3.00   sec  5.38 MBytes  45.0 Mbits/sec
[  5]   3.00-4.00   sec  4.62 MBytes  38.8 Mbits/sec
[  5]   4.00-5.00   sec  4.88 MBytes  40.9 Mbits/sec
[  5]   5.00-6.00   sec  5.75 MBytes  48.2 Mbits/sec
[  5]   6.00-7.00   sec  5.75 MBytes  48.2 Mbits/sec
[  5]   7.00-8.00   sec  5.50 MBytes  46.1 Mbits/sec
[  5]   8.00-9.00   sec  5.88 MBytes  49.3 Mbits/sec
[  5]   9.00-10.00  sec  5.88 MBytes  49.3 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.03  sec  55.3 MBytes  46.3 Mbits/sec   34            sender
[  5]   0.00-10.00  sec  54.5 MBytes  45.7 Mbits/sec                  receiver

iperf Done.
root@GL-MT6000:~# iperf3 -c 192.168.1.1 -p 5201
Connecting to host 192.168.1.1, port 5201
[  5] local 100.100.2.1 port 34948 connected to 192.168.1.1 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  6.13 MBytes  51.4 Mbits/sec    1    219 KBytes
[  5]   1.00-2.00   sec  5.65 MBytes  47.4 Mbits/sec    3    126 KBytes
[  5]   2.00-3.00   sec  4.72 MBytes  39.6 Mbits/sec    0    149 KBytes
[  5]   3.00-4.00   sec  5.90 MBytes  49.5 Mbits/sec    0    173 KBytes
[  5]   4.00-5.00   sec  5.90 MBytes  49.5 Mbits/sec    0    194 KBytes
[  5]   5.00-6.00   sec  5.77 MBytes  48.4 Mbits/sec    0    212 KBytes
[  5]   6.00-7.00   sec  5.96 MBytes  50.0 Mbits/sec    1    173 KBytes
[  5]   7.00-8.00   sec  5.96 MBytes  50.0 Mbits/sec    0    198 KBytes
[  5]   8.00-9.00   sec  6.21 MBytes  52.1 Mbits/sec    0    212 KBytes
[  5]   9.00-10.00  sec  5.90 MBytes  49.5 Mbits/sec    2    165 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  58.1 MBytes  48.7 Mbits/sec    7             sender
[  5]   0.00-10.02  sec  57.1 MBytes  47.8 Mbits/sec                  receiver

iperf Done.
root@GL-MT6000:~# iperf3 -c 192.168.1.1 -p 5201 -R
Connecting to host 192.168.1.1, port 5201
Reverse mode, remote host 192.168.1.1 is sending
[  5] local 100.100.2.1 port 40838 connected to 192.168.1.1 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  9.19 MBytes  77.1 Mbits/sec
[  5]   1.00-2.00   sec  11.8 MBytes  98.6 Mbits/sec
[  5]   2.00-3.00   sec  11.8 MBytes  98.7 Mbits/sec
[  5]   3.00-4.00   sec  10.2 MBytes  85.7 Mbits/sec
[  5]   4.00-5.00   sec  8.33 MBytes  69.9 Mbits/sec
[  5]   5.00-6.00   sec  8.14 MBytes  68.3 Mbits/sec
[  5]   6.00-7.00   sec  8.74 MBytes  73.3 Mbits/sec
[  5]   7.00-8.00   sec  8.21 MBytes  68.9 Mbits/sec
[  5]   8.00-9.00   sec  8.43 MBytes  70.7 Mbits/sec
[  5]   9.00-10.00  sec  7.67 MBytes  64.3 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.02  sec  94.0 MBytes  78.7 Mbits/sec    3             sender
[  5]   0.00-10.00  sec  92.5 MBytes  77.6 Mbits/sec                  receiver

iperf Done.

Based on the results:

  • The MT6000 → BE9300 link shows approximately 45 Mbps.
  • The BE9300 → MT6000 link shows approximately 85 Mbps.

These rates appear to be within the expected range.

Could you clarify how you measured the lower connection speed during your access?
It may help to deploy iperf3 or OpenSpeed on the LAN device to further test the throughput along this path:

LAN <-> MT6000 <-> Tailscale Tunnel <-> BE9300 <-> LAN

I regularly upload photos from Site B to Immich running in Docker on a Synology NAS at Site A. I usually access Immich using a subdomain (reverse proxied) via a desktop browser. Anything that needs to be uploaded just gets dragged into the browser window. The broadband at Site B is roughly 500Mbps down and 50Mbps up. Unless images in question are >1MB, the progress bars just flash from 0 to 100.

I've just:

  1. Tried uploading 15 images totalling 11.6MB - took around 5 minutes. Previously it would have been around 5 seconds.
  2. Disabled Tailscale on both routers
  3. Tried uploading 132 images totalling 514MB - took around 2 minutes.

Tomorrow I'll re-enable Tailscale and then use iperf3 to test from laptop at Site B to NAS at Site A :+1:

@will.qiu Whilst looking to re-enable and test, I pasted the original post into ChatGPT and it suggested the connection was being relayed. I noticed that the solution it suggested only mentioned LAN Subnet Route - I had both LAN and WAN selected.

I've now re-enabled Tailscale with:

  • Allow Remote Access WAN = false
  • Allow Remote Access LAN = true

Everything appears to be working well, with performance being no different to the “before” state - even after removing the rules that I had added.

Feels a little too easy though :confused:

So, after restarting Tailscale, everything started working again?
It’s possible that Tailscale initially selected an unsuitable DERP server or was unable to establish a direct connection, and the restart resolved the issue.

In any case, it’s good to hear that everything is functioning normally now.

No, I don’t think the issue was resolved by just:

[GIF: IT Crowd "Hello IT" (Tenor)]

(“IT” is both my career and passion, so naturally reboots are a last resort activity :joy:)

From what I can tell, the issue was down to “Allow Remote Access WAN” being set to “true”. When enabled, the subdomains used for reverse proxying ceased to function. According to ChatGPT, the rules I added in order to resolve the subdomain problem caused the connection to be relayed.

The issue was resolved by setting “Allow Remote Access WAN” to “false”. With that applied, everything works at the expected speed and doesn’t require any additional rules.
