jsiebens / ionscale

A lightweight implementation of a Tailscale control server
https://jsiebens.github.io/ionscale
BSD 3-Clause "New" or "Revised" License
143 stars 9 forks

ACL for 4via6 subnet router CIDR #30

Closed unixfox closed 5 months ago

unixfox commented 5 months ago

Hello, I'm using the 4via6 subnet router functionality like described here: https://tailscale.com/kb/1201/4via6-subnets

I allowed the 4via6 ipv6 CIDR range in my ACL:

"acls": [
    {
      "action": "accept",
      "src": [
        "tag:trusted"
      ],
      "dst": [
        "fd7a:115c:a1e0:b1a::c0a8:100/120:*"
      ]
    },
]

Also advertised the route on the machine. I got the ipv6 subnet using tailscale debug via 1 192.168.1.0/24.

I validated that it works because I made it work the same way on www.tailscale.com

But unfortunately, it doesn't work with ionscale. I can't reach the ipv6 address.

Here are the logs from tailscaled:

jan 14 23:39:58 pcryzen tailscaled[24447]: Accept: ICMPv6{[fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:0 > [fd7a:115c:a1e0:b1a::c0a8:101]:0} 104 ok out
jan 14 23:39:59 pcryzen tailscaled[24447]: Accept: ICMPv6{[fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:0 > [fd7a:115c:a1e0:b1a::c0a8:101]:0} 104 ok out
jan 14 23:40:07 pcryzen tailscaled[24447]: magicsock: disco: node [iNgd5] d:d4d20a6e15dcff25 now using 192.168.1.145:41641 mtu=1360 tx=349b97a7133a
jan 14 23:40:07 pcryzen tailscaled[24447]: Accept: TCP{[fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:44410 > [fd7a:115c:a1e0:b1a::c0a8:101]:80} 80 ok out
jan 14 23:40:12 pcryzen tailscaled[24447]: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:44410 => [fd7a:115c:a1e0:b1a::c0a8:101]:80) to node [iNgd5]; online=yes, lastRecv=5s
jan 14 23:40:13 pcryzen tailscaled[24447]: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:44410 => [fd7a:115c:a1e0:b1a::c0a8:101]:80) to node [iNgd5]; online=yes, lastRecv=6s

I'm only able to reach the ipv6 address when manually defining the host in the ACL policy like this:

"hosts": {
    "myrouter": "fd7a:115c:a1e0:b1a::c0a8:101/128",
  },
"acls": [
    {
      "action": "accept",
      "src": [
        "tag:trusted"
      ],
      "dst": [
        "myrouter:*"
      ]
    },
]

Would it be possible to add the support for this functionality in the ACL? Thank you.

Headscale-related issues:

unixfox commented 5 months ago

I can also replicate the issue with any real ipv6 range shared using subnet router (not 4via6):

tailscale set --advertise-routes fd42::/48
$ curl http://[fd42:0:0:6::c64]
jan 15 09:54:55 pcryzen tailscaled[1030]: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:59872 => [fd42:0:0:6::c64]:80) to node [KQwao]; online=yes, lastRecv=9s
jan 15 09:54:56 pcryzen tailscaled[1030]: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:59872 => [fd42:0:0:6::c64]:80) to node [KQwao]; online=yes, lastRecv=10s
jan 15 09:54:58 pcryzen tailscaled[1030]: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:59872 => [fd42:0:0:6::c64]:80) to node [KQwao]; online=yes, lastRecv=12s
jan 15 09:55:02 pcryzen tailscaled[1030]: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:59872 => [fd42:0:0:6::c64]:80) to node [KQwao]; online=yes, lastRecv=2s
jan 15 09:55:14 pcryzen tailscaled[1030]: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:59872 => [fd42:0:0:6::c64]:80) to node [KQwao]; online=yes, lastRecv=3s
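Both repros above come down to the same question: does the control server's ACL evaluator test the packet's destination address against a dst entry that is an IPv6 CIDR (the 4via6 /120 in the first comment, fd42::/48 in the second) the same way it tests a host alias or an IPv4 subnet? The following Go program is an added, hypothetical evaluator written for this page; it is not ionscale's code and says nothing about what pull request 31 changed. It parses the issue's own ACL snippets (host alias plus "cidr:port" dst entries) with net/netip, whose Prefix.Contains handles both address families, and checks the destinations seen in the logs. The fd42::/48:80 rule and the IssuePolicy/Allowed names are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Policy mirrors the HuJSON shape used in the issue: host aliases plus rules
// whose dst entries are "<alias|address|cidr>:<port|*>".
type Policy struct {
	Hosts map[string]string
	ACLs  []Rule
}

type Rule struct {
	Action string
	Src    []string
	Dst    []string
}

// dstTarget is a parsed dst entry: a prefix (/128 or /32 for one address)
// and either a fixed port or "any port".
type dstTarget struct {
	prefix  netip.Prefix
	port    uint16
	anyPort bool
}

// parseDst resolves one dst entry. IPv6 literals contain colons, so the port
// is split off at the last colon; that is safe because every entry ends in
// ":<port>" or ":*". Host aliases are expanded before the address is parsed.
func parseDst(hosts map[string]string, entry string) (dstTarget, error) {
	i := strings.LastIndex(entry, ":")
	if i < 0 {
		return dstTarget{}, fmt.Errorf("dst %q: missing port", entry)
	}
	target, portStr := entry[:i], entry[i+1:]
	var t dstTarget
	if portStr == "*" {
		t.anyPort = true
	} else {
		p, err := strconv.ParseUint(portStr, 10, 16)
		if err != nil {
			return dstTarget{}, fmt.Errorf("dst %q: bad port: %w", entry, err)
		}
		t.port = uint16(p)
	}
	if alias, ok := hosts[target]; ok {
		target = alias
	}
	if strings.Contains(target, "/") {
		p, err := netip.ParsePrefix(target)
		if err != nil {
			return dstTarget{}, fmt.Errorf("dst %q: %w", entry, err)
		}
		t.prefix = p.Masked()
	} else {
		a, err := netip.ParseAddr(target)
		if err != nil {
			return dstTarget{}, fmt.Errorf("dst %q: %w", entry, err)
		}
		t.prefix = netip.PrefixFrom(a, a.BitLen()) // single host
	}
	return t, nil
}

func matchesSrc(src, tags []string) bool {
	for _, s := range src {
		for _, tag := range tags {
			if s == "*" || s == tag {
				return true
			}
		}
	}
	return false
}

// Allowed reports whether traffic from a node carrying srcTags to dst:port is
// accepted. Prefix.Contains does the CIDR test for both families, so a 4via6
// /120, a native fd42::/48 route and an IPv4 subnet all take the same path; a
// prefix of the other family never matches, it does not error.
func Allowed(p Policy, srcTags []string, dst netip.Addr, port uint16) (bool, error) {
	dst = dst.Unmap()
	for _, r := range p.ACLs {
		if r.Action != "accept" || !matchesSrc(r.Src, srcTags) {
			continue
		}
		for _, d := range r.Dst {
			t, err := parseDst(p.Hosts, d)
			if err != nil {
				return false, err
			}
			if t.prefix.Contains(dst) && (t.anyPort || t.port == port) {
				return true, nil
			}
		}
	}
	return false, nil
}

// IssuePolicy reconstructs the issue's policy: the 4via6 /120 for
// 192.168.1.0/24, the myrouter alias, and (assumed) port 80 on fd42::/48.
func IssuePolicy() Policy {
	return Policy{
		Hosts: map[string]string{"myrouter": "fd7a:115c:a1e0:b1a::c0a8:101/128"},
		ACLs: []Rule{{Action: "accept", Src: []string{"tag:trusted"},
			Dst: []string{"fd7a:115c:a1e0:b1a::c0a8:100/120:*", "fd42::/48:80"}}},
	}
}

func main() {
	p := IssuePolicy()
	for _, dst := range []string{"fd7a:115c:a1e0:b1a::c0a8:101", "fd42:0:0:6::c64", "fd7a:115c:a1e0:b1a::c0a8:201"} {
		ok, err := Allowed(p, []string{"tag:trusted"}, netip.MustParseAddr(dst), 80)
		fmt.Printf("%s:80 allowed=%v err=%v\n", dst, ok, err)
	}
}
```

Run it with go run; the /120 entry covers ::c0a8:100 through ::c0a8:1ff, so ::c0a8:101 (the address in the tailscaled logs) is accepted, ::c0a8:201 in the next /120 is not, and fd42:0:0:6::c64 is accepted on port 80 only. The practical check for any control server is that the host-alias path (the user's /128 workaround) and the CIDR path produce the same answer for the same destination; if only the alias works, the CIDR branch is what to look at.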
unixfox commented 5 months ago

Thank you, https://github.com/jsiebens/ionscale/pull/31 fixes the issue!

Should I close the issue?