Scenario: Site to Site VPN test
Site A: two redundant subnet routers using Tailscale
Site B: two redundant subnet routers using Tailscale
In the above scenario:
In Site A
We noticed that if we use Tailscale on servers with separate public and private Ethernet ports, set them up with --advertise-routes, and then set up two subnet routers, the subnet router that is not active will route its private traffic to Site A through Tailscale and not through the private LAN, although traffic to Site B will work properly.
What is needed:
In the above case the subnet router in Site A needs to only accept routes for Site B and not for Site A
In the above case the subnet router in Site B needs to only accept routes for Site A and not for Site B
This would make private traffic from Site A to Site A stay on the Site A private network and not route through Tailscale.
This would make private traffic from Site B to Site B stay on the Site B private network and not route through Tailscale.
Is this possible?
Without this feature, Tailscale will require dedicated devices for running the subnet routers, which is a waste of our resources.
Adjustment of route priorities is something the product may provide in the future.
For what can be done today: all operating systems currently supported by Tailscale will choose the most specific route. If the local LAN is 10.0.0.0/24, advertising a less specific route using --advertise-routes=10.0.0.0/23, if possible, would make the server in site A use its private network, because it has the most specific route, and not the less specific route through Tailscale.
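The reply above rests on longest-prefix matching: a host that has both a directly connected 10.0.0.0/24 and a Tailscale-advertised 10.0.0.0/23 sends traffic for 10.0.0.x out the LAN interface, because /24 is more specific than /23, while 10.0.1.x (covered only by the /23) still goes over Tailscale. The following is an added illustration, not code from Tailscale or from anyone in this thread; it models the route lookup in plain Python so the selection rule can be checked against sample destinations. Interface names, metrics, and the 10.1.0.0/24 prefix for Site B are assumptions made up for the example.

```python
import ipaddress

# Constructed routing table modelled on the thread. Interface names, metrics
# and the Site B prefix (10.1.0.0/24) are assumptions for this example only.
ROUTES = [
    # (prefix, interface, metric)
    ("10.0.0.0/24", "eth1", 0),          # Site A LAN, directly connected on the private NIC
    ("10.0.0.0/23", "tailscale0", 100),  # less specific covering route advertised over Tailscale
    ("10.1.0.0/24", "tailscale0", 100),  # Site B LAN, reachable only over Tailscale
    ("0.0.0.0/0", "eth0", 0),            # default route out the public NIC
]


def select_route(dst, routes=ROUTES):
    """Return (prefix, interface) chosen for dst by longest-prefix match.

    The most specific matching prefix wins. Among prefixes of equal length the
    lowest metric wins; that tie-break is a modelling assumption, and a real
    OS applies its own metric and policy-routing rules instead.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        key = (net.prefixlen, -metric)  # longer prefix first, then lower metric
        if best is None or key > best[0]:
            best = (key, str(net), iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]


def same_prefix_case(lan_metric, ts_metric):
    """The 'same route' situation from the thread: both the LAN and Tailscale
    offer 10.0.0.0/24, so prefix length cannot decide and only the metric does.
    Returns the interface that wins under the given metrics."""
    routes = [
        ("10.0.0.0/24", "eth1", lan_metric),
        ("10.0.0.0/24", "tailscale0", ts_metric),
    ]
    return select_route("10.0.0.5", routes)[1]


if __name__ == "__main__":
    for dst in ("10.0.0.5", "10.0.1.5", "10.1.0.7", "8.8.8.8"):
        print(dst, "->", select_route(dst))
    print("same /24, LAN preferred:", same_prefix_case(0, 100))
    print("same /24, Tailscale preferred:", same_prefix_case(100, 0))
```

The point the model makes explicit: advertising a strictly less specific prefix (the /23) leaves the outcome to prefix length alone, which every supported OS resolves the same way, whereas advertising the identical /24 leaves it to the OS tie-break, which is exactly the case where the thread reports traffic going over Tailscale instead of the LAN.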
I hope this is fixed, as this is actually quite problematic when making redundant servers.
We can’t advertise a less specific route, but the same route.
With the same route, the traffic goes over tailscale.
With the same route I would have expected it to go through local networking.
How do I do this? I’m using pfSense, which is my gateway, so everything is routed via it. I’ve set Tailscale to advertise 10.0.0.0/8 so I can access everything on my LAN, but that’s overriding things when working locally. Since I’m using pfSense, I can’t change to /7 because that includes public IP addresses.