Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Routing traffic from LAN to Tailscale not working #415

Open
Toomblr opened this issue Oct 14, 2024 · 11 comments
Open

Routing traffic from LAN to Tailscale not working #415

Toomblr opened this issue Oct 14, 2024 · 11 comments

Comments

@Toomblr
Copy link

Toomblr commented Oct 14, 2024

Problem/Motivation

Tailscale addon not routing traffic from LAN to Tailscale

Expected behavior

Since my tailscale on HASS is acting as a subnetrouter, it's routing traffic from Tailscale to my LAN, the other way around should also be possible.

Actual behavior

traceroute 100.84.130.100
traceroute to 100.84.130.100 (100.84.130.100), 64 hops max, 40 byte packets
1 192.168.178.1 (192.168.178.1) 5.353 ms 2.572 ms 2.309 ms
2 192.168.178.3 (192.168.178.3) 4.191 ms 2.893 ms 3.061 ms
3 * * *

Steps to reproduce

I configured my hass-tailscale-addon as follows:

advertise_exit_node: true
accept_routes: true
accept_dns: true
userspace_networking: false
snat_subnet_routes: false
advertise_routes:
  - 192.168.178.0/24

I created a static route on my firewall for destination: 100.0.0.0/10 to 192.168.178.3 (my HASS IP)

When I ping 100.84.130.100 (IP from another client in my Tailscale) from HASS I get a instant connection. When I ping / traceroute that same IP from any other device without Tailscale installed it hangs at 192.168.178.3. (see above for the traceroute)

Proposed changes

N/A

@lmagyar
Copy link
Contributor

lmagyar commented Oct 14, 2024

This should work, tested several times.

Do you really need snat_subnet_routes: false? This requires much more config everywhere. To access other TS devices, or other subnet devices behind other TS devices, from your LAN, you don't need this. With snat_subnet_routes: true it just works.

If you really want full blown site-to-site networking (ie. using snat_subnet_routes: false), please follow steps from step 3 on Site-to-site networking? - Yeah DOCS.md says steps 2-3, TS changed the docs, DOCS.md will be updated.

@Toomblr
Copy link
Author

Toomblr commented Oct 15, 2024

I changed snat_subnet_routes to true. Sadly this doesn't make a change:

ping 100.84.130.100
PING 100.84.130.100 (100.84.130.100): 56 data bytes
Request timeout for icmp_seq 0
92 bytes from 192.168.178.1: Redirect Host(New addr: 192.168.178.3)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 da1e   0 0000  3f  01 4795 192.168.178.148  100.84.130.100
traceroute 100.84.130.100
traceroute to 100.84.130.100 (100.84.130.100), 64 hops max, 40 byte packets
 1  192.168.178.1 (192.168.178.1)  6.683 ms  2.521 ms  2.538 ms
 2  192.168.178.3 (192.168.178.3)  2.686 ms  3.289 ms  2.992 ms
 3  * * *

@lmagyar
Copy link
Contributor

lmagyar commented Oct 15, 2024

OK, questions:

  • what is your installation type?
  • did you enable subnet routing on the admin site for the source lan also?

Because it seems that either the OS is missing some feature (forwarding) or the routing is not configured beetween 192.168.178.3 and tailscale0. Test it first:

  • with snat_...: true, and
  • without your firewall/router, ie. modify the local route table on the source lan device that it sends packages for 100.x.x.x directly to 192.168.178.3. This way you must be able to access from your source lan any tailscale device.
  • then add the other/destination subnet to the routing on your local/source lan device that it send packages for the other lan (not 192.168.178.x) to 192.168.178.3. This way you must be able to access any other subnet.

This must work. If it doesn't work, it is a config error or a TS bug/breaking change. When it works, you can experiment with snat_...: false and firewalls/routers, this is plain old network config from here.

@Toomblr
Copy link
Author

Toomblr commented Oct 16, 2024

Thanks @lmagyar

  • what is your installation type?

HASS OS running in VM with TrueNAS SCALE as hypervisor

  • did you enable subnet routing on the admin site for the source lan also?

Yes

After a lot of troubleshooting and trial & error I tried spinning up a Ubuntu VM and installed TS with the same properties as I had in my TS addon on HASS. Edited the static route so it pointed to that Ubuntu VM, still same results as described above.

I ended up adding a NAT rule to the iptables configuration in the Ubuntu VM for traffic to from 192.168.178.0/24 to interface tailscale0.

I guess the last part was not configured / is not configurable in HASS OS.

@lmagyar
Copy link
Contributor

lmagyar commented Oct 17, 2024

So you edited the static routes on the non-TS lan devices. What was snat_... (true or false) when you had to add the additional rule for tailscale0? Ie. this extra rule is needed for both snat_...: false and true, or only for false?

@Toomblr
Copy link
Author

Toomblr commented Oct 18, 2024

So you edited the static routes on the non-TS lan devices. What was snat_... (true or false) when you had to add the additional rule for tailscale0? Ie. this extra rule is needed for both snat_...: false and true, or only for false?

No. I made an NAT-rule on the tailscale enabled device (the Ubuntu VM). Static route is still created to that Ubuntu VM is still at my router/Unifi gateway.
I didn't provide any snat_ flag, and default is true.

@lmagyar
Copy link
Contributor

lmagyar commented Oct 19, 2024

Strange. I will repeat my tests (site-to-site with snat=true) in the next weeks, I need some time, my physical test env. is currently used for other stuff. :/

@maxenceleduc92
Copy link

maxenceleduc92 commented Oct 29, 2024

Hi,
I've been having the same issue here.
According to tailscale's subnet router quick guide, were's supposed to execute the following commands:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

However, it doesn't seem to work on HASS OS. I get the following error:

[core-ssh ~]$ sysctl -p /etc/sysctl.d/99-tailscale.conf
sysctl: error setting key 'net.ipv4.ip_forward': Read-only file system
sysctl: error setting key 'net.ipv6.conf.all.forwarding': Read-only file system

@lmagyar
Copy link
Contributor

lmagyar commented Oct 29, 2024

Please read the docs, it says "follow steps from step 3", because what you want to configure, is already set.

Copy link

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues.
Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍
This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

@github-actions github-actions bot added the stale There has not been activity on this issue or PR for quite some time. label Nov 29, 2024
@Toomblr
Copy link
Author

Toomblr commented Dec 4, 2024

Routing traffic back into Tailscale still doesnt work with the Tailscall Hass container

@github-actions github-actions bot removed the stale There has not been activity on this issue or PR for quite some time. label Dec 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants