hassio-addons / addon-tailscale

Tailscale - Home Assistant Community Add-ons
MIT License

Routing traffic from LAN to Tailscale not working #415

Open Toomblr opened 1 month ago

Toomblr commented 1 month ago

Problem/Motivation

Tailscale addon not routing traffic from LAN to Tailscale

Expected behavior

Since my Tailscale on HASS is acting as a subnet router, it's routing traffic from Tailscale to my LAN; the other way around should also be possible.

Actual behavior

```
traceroute 100.84.130.100
traceroute to 100.84.130.100 (100.84.130.100), 64 hops max, 40 byte packets
 1  192.168.178.1 (192.168.178.1)  5.353 ms  2.572 ms  2.309 ms
 2  192.168.178.3 (192.168.178.3)  4.191 ms  2.893 ms  3.061 ms
 3  *
```

Steps to reproduce

I configured my hass-tailscale-addon as follows:

```yaml
advertise_exit_node: true
accept_routes: true
accept_dns: true
userspace_networking: false
snat_subnet_routes: false
advertise_routes:
  - 192.168.178.0/24
```

I created a static route on my firewall for destination: 100.0.0.0/10 to 192.168.178.3 (my HASS IP)

When I ping 100.84.130.100 (IP from another client in my Tailscale) from HASS I get an instant connection. When I ping / traceroute that same IP from any other device without Tailscale installed, it hangs at 192.168.178.3 (see above for the traceroute).

Proposed changes

N/A

lmagyar commented 1 month ago

This should work, tested several times.

Do you really need snat_subnet_routes: false? This requires much more config everywhere. To access other TS devices, or other subnet devices behind other TS devices, from your LAN, you don't need this. With snat_subnet_routes: true it just works.

If you really want full-blown site-to-site networking (i.e. using snat_subnet_routes: false), please follow steps from step 3 on Site-to-site networking? - Yeah, DOCS.md says steps 2-3, TS changed the docs, DOCS.md will be updated.

Toomblr commented 1 month ago

I changed snat_subnet_routes to true. Sadly this doesn't make a change:

```
ping 100.84.130.100
PING 100.84.130.100 (100.84.130.100): 56 data bytes
Request timeout for icmp_seq 0
92 bytes from 192.168.178.1: Redirect Host(New addr: 192.168.178.3)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 da1e   0 0000  3f  01 4795 192.168.178.148  100.84.130.100
```

```
traceroute 100.84.130.100
traceroute to 100.84.130.100 (100.84.130.100), 64 hops max, 40 byte packets
 1  192.168.178.1 (192.168.178.1)  6.683 ms  2.521 ms  2.538 ms
 2  192.168.178.3 (192.168.178.3)  2.686 ms  3.289 ms  2.992 ms
 3  * * *
```

lmagyar commented 1 month ago

OK, questions:

Because it seems that either the OS is missing some feature (forwarding) or the routing is not configured between 192.168.178.3 and tailscale0. Test it first:

This must work. If it doesn't work, it is a config error or a TS bug/breaking change. When it works, you can experiment with snat_...: false and firewalls/routers, this is plain old network config from here.

Toomblr commented 1 month ago

Thanks @lmagyar

After a lot of troubleshooting and trial & error I tried spinning up an Ubuntu VM and installed TS with the same properties as I had in my TS addon on HASS. Edited the static route so it pointed to that Ubuntu VM, still the same results as described above.

I ended up adding a NAT rule to the iptables configuration in the Ubuntu VM for traffic from 192.168.178.0/24 to interface tailscale0.

I guess the last part was not configured / is not configurable in HASS OS.

lmagyar commented 1 month ago

So you edited the static routes on the non-TS LAN devices. What was snat... (true or false) when you had to add the additional rule for tailscale0? I.e. is this extra rule needed for both snat...: false and true, or only for false?

Toomblr commented 1 month ago

> So you edited the static routes on the non-TS LAN devices. What was snat... (true or false) when you had to add the additional rule for tailscale0? I.e. is this extra rule needed for both snat...: false and true, or only for false?

No. I made a NAT rule on the Tailscale-enabled device (the Ubuntu VM). The static route to that Ubuntu VM is still at my router/Unifi gateway. I didn't provide any snat_ flag, and the default is true.

lmagyar commented 1 month ago

Strange. I will repeat my tests (site-to-site with snat=true) in the next weeks, I need some time, my physical test env. is currently used for other stuff. :/

maxenceleduc92 commented 1 month ago

Hi, I've been having the same issue here. According to Tailscale's subnet router quick guide, we're supposed to execute the following commands:

```bash
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
```

However, it doesn't seem to work on HASS OS. I get the following error:

```
[core-ssh ~]$ sysctl -p /etc/sysctl.d/99-tailscale.conf
sysctl: error setting key 'net.ipv4.ip_forward': Read-only file system
sysctl: error setting key 'net.ipv6.conf.all.forwarding': Read-only file system
```

lmagyar commented 1 month ago

Please read the docs, it says "follow steps from step 3", because what you want to configure is already set.
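
Added example, not the add-on's, Tailscale's or either commenter's code: a small shell check for the two conditions this exchange turns on when LAN -> Tailscale traffic stalls at the subnet router, IP forwarding being enabled and LAN sources being masqueraded on their way out of tailscale0. The CIDR, the interface name and the shape of the NAT rule are assumptions taken from the thread; the check only reports, it does not change the host.

```shell
#!/bin/sh
# Added example (not the add-on's code). LAN_CIDR and TS_IF are placeholders
# copied from the thread; adjust them for another network.
LAN_CIDR="192.168.178.0/24"
TS_IF="tailscale0"

# Reads a "sysctl -a"-style dump on stdin and succeeds only when both
# forwarding keys from the Tailscale subnet router guide are set to 1.
forwarding_enabled() {
  awk -v ok=0 '
    /^net\.ipv4\.ip_forward *= *1$/            { ok++ }
    /^net\.ipv6\.conf\.all\.forwarding *= *1$/ { ok++ }
    END { if (ok == 2) exit 0; exit 1 }'
}

# Reads "iptables -t nat -S POSTROUTING" output on stdin and succeeds when
# LAN sources are masqueraded when leaving via the Tailscale interface
# (the rule the reporter added by hand on the Ubuntu VM). Tailscale's own
# snat_subnet_routes masquerade covers the opposite direction only.
lan_masq_present() {
  grep -qE "^-A POSTROUTING -s ${LAN_CIDR} -o ${TS_IF} -j MASQUERADE( |$)"
}

# Live check on the subnet router; prints a candidate fix, never applies it.
diagnose() {
  if sysctl -a 2>/dev/null | forwarding_enabled; then
    echo "forwarding: on"
  else
    echo "forwarding: OFF (the add-on is expected to have set this already)"
  fi
  if iptables -t nat -S POSTROUTING 2>/dev/null | lan_masq_present; then
    echo "nat: LAN -> ${TS_IF} masquerade present"
  else
    echo "nat: missing; candidate fix:"
    echo "  iptables -t nat -A POSTROUTING -s ${LAN_CIDR} -o ${TS_IF} -j MASQUERADE"
  fi
}

# Only run the live check when invoked as "sh check.sh run", so the two
# stdin-based helpers can also be exercised against saved command output.
case "$1" in
  run) diagnose ;;
esac
```

On the router host run it as `sh check.sh run`; elsewhere the two helpers can be fed saved `sysctl -a` and `iptables -t nat -S POSTROUTING` output to review a configuration offline.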

github-actions[bot] commented 4 days ago

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!