tailscale / tailscale-qpkg

Package Tailscale client in QPKG
MIT License

QNAP unreachable by rest of LAN if included in subnet #84

Open Chasethecheese opened 1 year ago

Chasethecheese commented 1 year ago

Tailscale 1.36.1-1 set up on QNAP NAS, Raspberry Pi 4 and Android phone. QNAP NAS and Raspberry Pi are set up as exit nodes.

Everything works well.

If I now create a subnet on the Raspberry Pi for 192.168.1.0/24, the QNAP NAS on IP 192.168.1.63 can only be accessed from a device connected to Tailscale.
It cannot be connected to directly from any other device on the LAN (neither ping, ssh nor http). The Raspberry Pi and all other machines on the network can be accessed normally on the LAN with or without Tailscale.

If I disallow subnet access from the Tailscale Machines page, then QNAP NAS can be accessed normally by LAN machines.

Seems like something in the QNAP NAS Tailscale setup seems to be interfering with access if another Tailscale machine is advertising its local IP address as part of a subroute.

I have also confirmed this on Raspberry 3B+

groenator commented 1 year ago

I am encountering the same issue as well. Today, I installed Tailscale on my QNAP, SSHed into my NAS and started the daemon with the following command: sudo ./tailscale --socket=/tmp/tailscale/tailscaled.sock up --accept-routes

The NAS is no longer available via the local network, I have to use the tailscale IP to connect to it. I have another node where I am exporting the local network (192.168.1.0/24) routes.

Is there a way to check the logs of tailscale?

wingcomm commented 1 year ago

This behavior is consistent with how Tailscale operates and not exclusive to QNAP since you are telling the QNAP to route all traffic destined to 192.168.1.0/24 through the exit node. You may want to open this issue on the standard issue tracker.

groenator commented 1 year ago

Thank you, I will open an issue on tailscale.

gzxiexl commented 1 year ago

I also encountered the same problem where I don't know how to set the default parameters. When there are devices in the local area network that have enabled routing notifications, additional policies should be added to avoid conflicts.

andycjw commented 1 year ago

I don't understand why advertising a subnet on another Tailscale node will cause other machines in the same subnet to not be able to access the QNAP NAS on that exact subnet.

I already set --accept-routes to false on the machine I use to access the NAS, it should be able to access on the same LAN

Is the qpkg tailscaled binary running with accept-routes = true by default?

edit: I ssh into the qnap nas and did the following

./tailscale up --accept-routes=false

and it is working now, but still, why is accept-routes true when the NAS system is basically a Linux system, while the official documentation says it should be false? https://tailscale.com/kb/1072/client-preferences/#use-tailscale-subnets

Xuntar commented 8 months ago

In my case --accept-routes was defaulted to false on the QNAP, but I still have the same issue that I can't connect to its normal IP anymore.
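A diagnostic for the routing conflict discussed in this thread, added here as an example and not posted by any participant or taken from the tailscale-qpkg project: it checks whether a route accepted from another node covers the NAS's own LAN address. It assumes kernel-mode tailscaled (interface `tailscale0`) and Tailscale's Linux policy-routing table 52; the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes kernel-mode tailscaled (interface tailscale0) and
# Tailscale's Linux policy-routing table 52; function names are hypothetical.

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if IPv4 address $2 falls inside route destination $1.
cidr_contains() {
    net=${1%/*}; bits=${1#*/}
    [ "$bits" = "$1" ] && bits=32          # bare host route, no prefix length
    [ "$bits" -eq 0 ] && return 0          # 0.0.0.0/0 covers everything
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# stdin: output of `ip route show table 52`; $1: the device's own LAN address.
# Prints every tailscale0 route that captures traffic for that address.
shadowing_routes() {
    while read -r dst kw dev rest; do
        [ "$kw" = "dev" ] && [ "$dev" = "tailscale0" ] || continue
        [ "$dst" = "default" ] && dst=0.0.0.0/0
        case $dst in *:*) continue ;; esac   # skip IPv6 entries
        if cidr_contains "$dst" "$1"; then echo "$dst"; fi
    done
}

# Constructed sample of table 52 on a node that accepted the advertised
# 192.168.1.0/24 subnet route (not captured from a real device).
SAMPLE_TABLE_52='100.100.100.100 dev tailscale0
100.64.0.7 dev tailscale0
192.168.1.0/24 dev tailscale0'

# Demo on the sample: prints 192.168.1.0/24, the route that shadows the LAN.
printf '%s\n' "$SAMPLE_TABLE_52" | shadowing_routes 192.168.1.63
```

On the NAS itself, pipe the live table in instead: `ip route show table 52 | shadowing_routes <LAN address>`. Any route printed means traffic for the local subnet is being sent into `tailscale0` rather than the LAN interface, the condition the `--accept-routes=false` change above removes.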