I have a private IPv4-only network of machines/VMs/containers using 100.100.0.0/20. Thinking I'd try tailscale, I installed it and immediately lost remote access to the machine. Only after quite a bit of debugging effort, and finally getting on a direct console, was I able to find that tailscale had added a DROP over the entire CGNAT space (100.64.0.0/10).
In further investigation I found that tailscale has multiple bugs open about supporting CGNAT better, but nowhere did I see any warnings or information about how this DROP rule could basically brick a machine.
I would suggest that until tailscale can support networks running on CGNAT addresses, it should simply refuse to install or start, and definitely NOT blindly add this DROP rule.
Steps to reproduce
On a 100.100.0.0/20 network, SSH from, say, 100.100.0.1 to 100.100.0.2. Install tailscale. Lose all network access to 100.100.0.2 from anywhere. Recover using some non-network-based direct console.
Are there any recent changes that introduced the issue?
Sadly, it seems bugs have been open about CGNAT networks not being supported for at least 3 years. The only thing that happened is that I tried tailscale on such a network, unsuspecting that it would cause these kinds of problems.
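An added pre-flight check (not Tailscale's code and not from the reporter): a POSIX sh script that tests whether any of a host's IPv4 addresses fall inside 100.64.0.0/10 before tailscaled is installed, so the conflict described in the report can be spotted without losing the session. The range logic is pure shell; the live `preflight` step assumes iproute2's `ip` is present.

```shell
#!/bin/sh
# Pre-flight check before installing Tailscale on a Linux host: does any
# local IPv4 address sit inside the CGNAT range 100.64.0.0/10 that
# tailscaled covers with a DROP rule? If so, installing would cut off
# existing sessions arriving over that address.

# Convert a dotted quad to a 32-bit integer; return 1 on malformed input.
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if the address is within 100.64.0.0 - 100.127.255.255.
in_cgnat() {
    n=$(ip4_to_int "$1") || return 2
    base=$(ip4_to_int 100.64.0.0)
    mask=$(( ((1 << 10) - 1) << 22 ))   # /10 netmask, 0xFFC00000
    [ $(( n & mask )) -eq "$base" ]
}

# Read addresses from stdin (one per line), print those inside the CGNAT
# range, and return 0 if at least one was found.
cgnat_addrs() {
    found=1
    while read -r a; do
        [ -n "$a" ] || continue
        if in_cgnat "$a"; then echo "$a"; found=0; fi
    done
    return $found
}

# Live check: feed the host's configured IPv4 addresses (needs iproute2).
preflight() {
    if hits=$(ip -4 -o addr show 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | cgnat_addrs); then
        echo "WARNING: local addresses inside 100.64.0.0/10 would be hit by tailscaled's DROP rule:" >&2
        echo "$hits" >&2
        return 1
    fi
    echo "no local CGNAT addresses found"
}
```

Run `preflight` on the target before `apt install tailscale`; a non-zero exit means the host (like 100.100.0.2 in the report) would lose connectivity over that address.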
I've recently hit this same issue from the house of a friend who has the same ISP I do; all the traffic from her place is reaching my place on the CGNAT range, even when both have a perfectly valid external IP.
OS
Linux
OS version
No response
Tailscale version
No response
Other software
No response
Bug report
No response