I´m using the 1800AX with firmware 4.2.1 and the tailscale feature and my use case works fine, I connect to my exit node at home, see my subnets and can connect to my NAS at home as user of the 1800AX.
But when I´m giving users access to my guest WLAN on the 1800AX and still have tailscale active they can´t connect to the Internet, only when I deactivate it.
Is this a known problem or a workaround available? I´d love to connect via tailscale in my normal WLAN but offer Internet via the guest WLAN of the 1800AX…!
Hi, Lotussteve
Please execuete the following commands and check if it works.Replace “192.168.9.0/24” to your guest IP address and mask if you have changed them.Thanks!
ip rule add from 192.168.9.0/24 table main
ip route del table 55 throw 192.168.9.0/24
Thanks for your commands and sorry for my late answer. I will try them as soon as I´ve got time to make the same setup like on my travels back in June and will report back afterwards!
Sorry, but this only helps by giving the Guest WLAN not only access to the internet but also to my tailscale network, which is not an “intended feature” .
I’ve tried with different lookup rules (“default”, “2”…) but in any setup I either have no Internet access for the Guest WLAN while tailscale is active or they are part of my tailscale network via the Slate.
So the real solution has to be:
Tailscale always active on the Slate.
Internal WLAN (non-guest) has access to Internet AND tailscale network at home.
External WLAN (“Guest”) has ONLY access to Internet.
Would this be achievable via a firewall rule on the Slate?
I’m certainly no expert when it comes to firewall/iptable rules, all the more so since I don’t use Tailscale but if you could post the output of ip a, there should be a way to block a subnet fr accessing (‘dropping’ in iptables parlance) a network interface. I’d like to try adapting a technique used for WireGuard Client to see if it’ll be effective for Tailscale.
Hi,Lotussteve
I have executed the same rule,and my Guest WLAN cannot access to my tailscale network. Please try to ping any device(e.g 100.109.223.25) of your tailscale network from the Guest WLAN,to verify that the Guest WLAN can actually your access tailscale network.
Thanks for your quick reply! I use tailscale at home with an exit node and subnets, so what I tried is that I access an IP in my home WLAN (exposed via the subnet) and was able to reach the IP of my NAS (192.168.x.x, but different from the Slate). I haven´t tried to use the “official” tailnet IPs (100.x.x.x), but will do that to verify.
@bring.fringe18 Thanks for your input, will provide an anonymized output when I have the time to tinker with the 1800AX !
I’ve read about adding the firewall rule:
ip rule add from 192.168.9.0/24 table main
but following the comment from @Lotussteve, this would allow devices on 192.168.9.x to reach devices on 192.168.8.x . I’m a bit hesitated to try this, as I don’t know how to properly remove the rule in case it does not work as expected.
I guess, nobody wants the guest network to access the main network. How could the rule be set up to allow the guest network access to the internet, but not to the main network or Tailscale?
I don’t use tailscale nor guest networks so I can’t test, but I would assume that it should be possible by creating some “deny” rules within the firewall itself. So Guest network TO tailscale DROP should do the trick then.
.