tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License

Allow source address for peers within advertised subnet #898

Closed stevefan1999-personal closed 3 years ago

stevefan1999-personal commented 3 years ago

Is your feature request related to a problem? Please describe.

I cannot connect to a machine within an advertised subnet. E.g., I can connect to 10.0.0.4 but not 10.0.0.5. This is because WireGuard doesn't expect this route to be within the acceptable range of IP sources it uses to prevent spoofing:

Nov 05 13:52:55 k3s-agent-0 tailscaled[629046]: IPv4 packet with disallowed source address 10.0.0.5 from [sA3SH]
Nov 05 13:52:56 k3s-agent-0 tailscaled[629046]: IPv4 packet with disallowed source address 10.0.0.5 from [sA3SH]
Nov 05 13:52:56 k3s-agent-0 tailscaled[629046]: IPv4 packet with disallowed source address 10.0.0.5 from [sA3SH]

Describe the solution you'd like: If the subnet advertising feature is enabled, then also let WireGuard accept source addresses from advertised members when it detects that they overlap with the advertised subnet. E.g., if the advertiser, say 10.0.0.4, sees that one of the nodes in the Tailscale network is reachable via 10.0.0.5, then for that node we also allow packets with that source address to be routed.

Describe alternatives you've considered: Just use the Tailscale-assigned IP; it still routes fine.

Additional context: I run a highly sophisticated network via Tailscale and I'd like to "flatten" it, because for some sets of nodes, i.e. partitions from various cloud service providers, communication within the LAN is free. (Fun fact: so basically the network universe will be a strongly connected component, like Kilo.)

I made sure all node partitions have their own unique subnet so that there will be no ARP conflicts after "route flattening". However, when I configured my k3s cluster with route advertisement enabled, I could only connect to the advertiser itself; for every node within the universe, even members within the same partition can't connect to each other via LAN IP.

It was not until further analysis that I saw the route is source-rejected; it otherwise should have worked out of the box.
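The drop in the log lines above is WireGuard's cryptokey routing check: a decrypted packet is accepted only if its inner source address routes back, through the receiver's AllowedIPs table, to the very peer whose session delivered it. The Go program below is an added example, not code from tailscaled or wireguard-go. It models that table with longest-prefix matching and shows why a packet sourced from 10.0.0.5 is rejected while 10.0.0.4 is accepted, and what changes once the advertised 10.0.0.0/24 is bound to the advertising peer. The peer tags reuse the ones printed in the log; the 100.64.0.4 address and the 10.0.0.4/32 entry are assumptions made for the constructed sample.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// Route is one entry of the cryptokey routing table: an AllowedIPs prefix and
// the peer it is bound to. In WireGuard each prefix belongs to exactly one peer.
type Route struct {
	Prefix netip.Prefix
	Peer   string // short key tag, as printed in the tailscaled log lines
}

// Table is the receiving node's cryptokey routing table.
type Table struct {
	routes []Route
}

// Add binds cidr to peer. Re-adding an existing prefix moves it to the new
// peer, since a prefix can only ever route to one peer.
func (t *Table) Add(peer, cidr string) error {
	pfx, err := netip.ParsePrefix(cidr)
	if err != nil {
		return err
	}
	pfx = pfx.Masked()
	for i := range t.routes {
		if t.routes[i].Prefix == pfx {
			t.routes[i].Peer = peer
			return nil
		}
	}
	t.routes = append(t.routes, Route{Prefix: pfx, Peer: peer})
	// Longest prefix first, so Lookup can stop at the first match.
	sort.SliceStable(t.routes, func(i, j int) bool {
		return t.routes[i].Prefix.Bits() > t.routes[j].Prefix.Bits()
	})
	return nil
}

// Lookup returns the peer owning the longest prefix that covers addr, or ""
// when no prefix matches.
func (t *Table) Lookup(addr netip.Addr) string {
	for _, r := range t.routes {
		if r.Prefix.Contains(addr) {
			return r.Peer
		}
	}
	return ""
}

// Inbound is the anti-spoofing check applied to a decrypted packet: the inner
// source address must route back to the peer whose session carried it.
// On a drop it returns the log line the receiver would emit.
func (t *Table) Inbound(fromPeer, src string) (ok bool, logLine string) {
	addr, err := netip.ParseAddr(src)
	if err != nil {
		return false, fmt.Sprintf("unparsable source address %q from [%s]", src, fromPeer)
	}
	if t.Lookup(addr) == fromPeer {
		return true, ""
	}
	family := "IPv6"
	if addr.Unmap().Is4() {
		family = "IPv4"
	}
	return false, fmt.Sprintf("%s packet with disallowed source address %s from [%s]", family, addr, fromPeer)
}

func main() {
	// Constructed sample: sA3SH is the advertising node; 100.64.0.4 is an
	// assumed Tailscale address for it and 10.0.0.4 its own LAN address.
	tbl := &Table{}
	for _, cidr := range []string{"100.64.0.4/32", "10.0.0.4/32"} {
		if err := tbl.Add("sA3SH", cidr); err != nil {
			panic(err)
		}
	}
	report := func(peer, src string) {
		if ok, line := tbl.Inbound(peer, src); ok {
			fmt.Printf("accepted %s from [%s]\n", src, peer)
		} else {
			fmt.Println(line)
		}
	}
	report("sA3SH", "10.0.0.4") // advertiser's own LAN address: accepted
	report("sA3SH", "10.0.0.5") // neighbour behind it: dropped, as in the issue

	// Bind the advertised subnet to the advertising peer: 10.0.0.5 is now
	// accepted from sA3SH but still rejected when sourced by any other peer.
	if err := tbl.Add("sA3SH", "10.0.0.0/24"); err != nil {
		panic(err)
	}
	report("sA3SH", "10.0.0.5")
	report("nbS3E", "10.0.0.5")
}
```

The last call in main is the point of the check: the subnet entry makes 10.0.0.5 acceptable only from the peer that owns the prefix, so a different peer still cannot inject packets with that source address.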

bradfitz commented 3 years ago

We saw this error string show up recently here: https://github.com/tailscale/tailscale/issues/1167#issuecomment-764320568

Not sure whether it's related.

/cc @danderson @josharian

unixfox commented 3 years ago

I have the exact same setup as @stevefan1999-personal, and unfortunately I'm unable to make it work because tailscale blocks every request:

Feb 15 11:39:03 tailscale1 tailscaled[563]: IPv4 packet with disallowed source address from [nbS3E]
Feb 15 11:39:04 tailscale1 tailscaled[563]: IPv4 packet with disallowed source address x.x.x.x from &[157 180 183 19 16 57 115 252 177 37 93 63 225 142 78 201 182 136 92 1 176 47 52 237 60 79 163 246 232 181 158 47]
Feb 15 11:39:04 tailscale1 tailscaled[563]: IPv4 packet with disallowed source address from [nbS3E]
Feb 15 11:39:04 tailscale1 tailscaled[563]: IPv4 packet with disallowed source address x.x.x.x from &[157 180 183 19 16 57 115 252 177 37 93 63 225 142 78 201 182 136 92 1 176 47 52 237 60 79 163 246 232 181 158 47]
Feb 15 11:39:06 tailscale1 tailscaled[563]: IPv4 packet with disallowed source address from [nbS3E]
Feb 15 11:39:06 tailscale1 tailscaled[563]: [RATE LIMITED] format string "%s" (example: "IPv4 packet with disallowed source address x.x.x.x from &[157 180 183 19 16 57 115 252 177 37 93 63 225 142 78 201 182 136 92 1 176 47 52 237 60 79 163 246 232 181 158 47]")
Feb 15 11:39:09 tailscale1 tailscaled[563]: IPv4 packet with disallowed source address from [nbS3E]
Feb 15 11:39:09 tailscale1 tailscaled[563]: [RATE LIMITED] format string "%s" (example: "IPv4 packet with disallowed source address x.x.x.x from &[157 180 183 19 16 57 115 252 177 37 93 63 225 142 78 201 182 136 92 1 176 47 52 237 60 79 163 246 232 181 158 47]")

The network is a subnet inside a tunnel VXLAN created by flannel.

Is there a command to deactivate this source address check, or a config in the web interface?

apenwarr commented 3 years ago

I think this issue may be obsolete or the result of a user misconfiguration.

@stevefan1999-personal, if you can explain more clearly exactly which subnets you're advertising from where, and what your network topology looks like, we might be able to help more.