Classification need with Tailscale, remote access, and local access.

    G This user is from outside of this forum
    [email protected]
    wrote last edited by [email protected]
    #1

    I encountered something I don't quite understand, and I was hoping someone could enlighten me.

    I set up Tailscale on my router with subnets, so I could remotely access my home network. This worked great.
    Then, at home, I was happily browsing the internet on my main PC, and decided to dial into another machine on my network. It couldn't access it at all. Disconnecting Tailscale on my main PC restored connectivity.

    I don't understand what is happening here- the only thing I can think of is that my internet traffic was being routed through Tailscale, but I don't have an exit node.

    TL,DR: home PC sees Internet but not LAN when connected to Tailscale, why and how fix?

    R J irmadlad@lemmy.worldI dietasse@feddit.orgD 4 Replies Last reply
    41
      R This user is from outside of this forum
      [email protected]
      wrote last edited by
      #2

      How did you set up subnet advertisements on the router, and which subnets? Did you touch the ACL in the tailnet's admin console?

      On the home PC, did you accept advertised routes with the Tailscale client?

      What happens when you ping a host on the LAN using tailscale ping ADDR? What happens when you try to tracert or tracepath to it?

      G 1 Reply Last reply
      7
        J This user is from outside of this forum
        [email protected]
        wrote last edited by
        #3

        Your default routes are being set incorrectly. If you're using it as an exit node, then you need to make sure it's only being used as such for other clients on the Tailnet. You also need to make sure you're splitting your routes correctly so that the default route on your router isn't set for something on the Tailnet.

        Generally speaking, if you're not familiar with networking and routing, you don't need to change the subnet settings if using a Tailscale client on your router. You also shouldn't be advertising routes from it for your own network, or else you could end up getting issues like you're seeing because your routing tables will be broken while Tailscale is active.

        One more thing: Tailscale on your router doesn't make it a server, it's still a Tailscale client. You still need to set up your routing in the Tailscale server to make sure it's not duplicating routes like this.

        G 1 Reply Last reply
        1
          irmadlad@lemmy.worldI This user is from outside of this forum
          [email protected]
          wrote last edited by
          #4

          Just throwing this out there: Are you using a separate VPN for your PC? For instance, my PC has a commercial VPN and Tailscale. Tailscale connects me to the remote server for ssh/sftp etc, while my VPN connects to everything else. I had to do some tinkering to get them to both work simultaneously. Without the tinkering, Tailscale would not connect to the server.

          If you are just using Tailscale with no other VPN then disregard this, and take the advice from others here.

          G 1 Reply Last reply
          3
            G This user is from outside of this forum
            [email protected]
            wrote last edited by
            #5

            I set up subnet advertisements by doing tailscale set --advertise-routes=192.168.1.0/24. I did not touch ACL.

            The home PC is Windows, the context menu for the tray app gives the option to 'use tailscale subnets' which is enabled- I assume this is the equivalent of accepting advertised routes.

            From the home PC, tailscale ping 192.168.1.2 returns a pong, from the tailscale IP. tracert fails.

            R 1 Reply Last reply
            1
              G This user is from outside of this forum
              [email protected]
              wrote last edited by
              #6

              I have a commercial VPN, but I am not connected. What tinkering did you have to do?

              1 Reply Last reply
              3
                G This user is from outside of this forum
                [email protected]
                wrote last edited by
                #7

                I kind of follow what you're putting down.

                I am not using an exit node. How do I go about splitting my routes?

                What I want to achieve is 'normal' access for within the lan, as well as remote access over tailscale for things I cannot run tailscale on.

                J 1 Reply Last reply
                0
                  J This user is from outside of this forum
                  [email protected]
                  wrote last edited by
                  #8

                  Tailscale is a group of clients on a Tailnet which are all equal, unless you tell it otherwise. That means you need to set the client you installed on your router as a subnet router.

                  Even then, if you're not familiar with networking, you'll probably have duplicate routes if you're not paying attention. The other option is to just install Tailscale on each server you want access to.

                  G 1 Reply Last reply
                  1
                    G This user is from outside of this forum
                    [email protected]
                    wrote last edited by
                    #9

                    The router is set as a subnet router, that is how I am able to access other machines on my lan remotely.

                    I don't want to, and sometimes can't, install tailscale on every device I want remote access to.

                    So I may have duplicate routes- Does that explain the behaviour in my original post? And how would I go about avoiding that?

                    I could turn off subnet routing, and only turn it on when needed, but I'll be putting up a bunch of other services that will want to talk to each other- I'm assuming this will break whenever I turn subnet routing on.

                    J O 2 Replies Last reply
                    0
                      J This user is from outside of this forum
                      [email protected]
                      wrote last edited by
                      #10

                      Yes, if Tailscale on your router is advertising routes, and your other devices while connected to Tailscale are picking up those advertised routes, they won't be able to figure out how to get to your local network devices if both things are advertising the same routes.

                      1 Reply Last reply
                      0
                        R This user is from outside of this forum
                        [email protected]
                        wrote last edited by
                        #11

                        That's unfortunate, I have no idea how Tailscale does routing on Windows. Try running the client without accepting any subnet advertisements.

                        I've also found this: https://tailscale.com/kb/1023/troubleshooting#lan-traffic-prioritization-with-overlapping-subnet-routes The solution might be to advertise a larger subnet (e.g. 192.168.1.0/23) to make the route advertisements on the tailnet less specific than on the LAN. Advertising a larger subnet won't cause any additional issues because it's in a private IP range.

                        1 Reply Last reply
                        0
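
The route overlap discussed in this thread, as an added example that is not part of any post and is not Tailscale's code: a small longest-prefix-match model showing how an accepted 192.168.1.0/24 tailnet route can capture LAN traffic on a PC that sits on that same LAN, and what changes when the advertisement is less specific. Interface names and metrics are constructed assumptions, and 192.168.1.0/23 is normalized to its aligned network, 192.168.0.0/23.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str
    metric: int  # lower metric wins when prefix lengths tie


def normalize(cidr: str) -> str:
    """Return the aligned network for a CIDR that may have host bits set."""
    return str(ipaddress.ip_network(cidr, strict=False))


def route(cidr: str, interface: str, metric: int) -> Route:
    return Route(ipaddress.ip_network(cidr, strict=False), interface, metric)


def select(table: List[Route], dest: str) -> Optional[Route]:
    """Longest-prefix match; ties are broken by the lowest metric."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def egress(table: List[Route], dest: str) -> str:
    chosen = select(table, dest)
    return chosen.interface if chosen else "unreachable"


# Constructed tables. "Ethernet", "Wi-Fi", "Tailscale" and the metric values
# are assumptions for illustration, not values read from a real Windows host.
def home_pc(advertised: str) -> List[Route]:
    """PC on the 192.168.1.0/24 LAN that also accepts the advertised route."""
    return [
        route("0.0.0.0/0", "Ethernet", 25),       # default route to the router
        route("192.168.1.0/24", "Ethernet", 25),  # on-link LAN route
        route(advertised, "Tailscale", 5),        # accepted subnet route
    ]


def remote_client(advertised: str) -> List[Route]:
    """Client away from home: no on-link route for the home LAN."""
    return [route("0.0.0.0/0", "Wi-Fi", 25), route(advertised, "Tailscale", 5)]


if __name__ == "__main__":
    for adv in ("192.168.1.0/24", "192.168.1.0/23"):
        print(f"advertised {adv} (normalized {normalize(adv)})")
        # 192.168.0.5 lies in the other half of the /23, outside the home LAN.
        for dest in ("192.168.1.2", "192.168.0.5", "1.1.1.1"):
            print(f"  home PC -> {dest}: {egress(home_pc(adv), dest)}")
        print(f"  remote  -> 192.168.1.2: {egress(remote_client(adv), '192.168.1.2')}")
```
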
                          dietasse@feddit.orgD This user is from outside of this forum
                          [email protected]
                          wrote last edited by
                          #12

                          I think you might also make your tailscale on router an exit node. I remember when I was setting things up for me I had an issue like yours, but on the phone. Everything was working when I used data, but when I connected to my local wifi it didn't see the stuff on subnet IPs. Setting it as exit node helped. Also make sure everything is approved in your tailscale admin.

                          1 Reply Last reply
                          0
                            O This user is from outside of this forum
                            [email protected]
                            wrote last edited by
                            #13

                            Just verifying, after enabling subnet routing, did you create the routes (it's in the docs for subnet router)?

                            I have the same problem you do - for some reason TS will "steal" the route, even when correctly configured.

                            1 Reply Last reply
                            0