Anyway to selectively accept routes for --advertise-routes

HighNet · February 12, 2022, 7:05am

Hello,

Scenario: Site to Site VPN test
Site A: two redundant subnet router using tailscale
Site B: two redundant subnet router using tailscale

In the above scenario:
In Site A
We noticed if we use tailscale on servers with separate public and private ethernet ports
and setup as --advertise-routes
and then setup two subnet routers, the subnet router that is not active will route its private traffic to Site A through tailscale and not through the private LAN, although traffic to Site B will work properly

What is needed:
In the above case the subnet router in Site A needs to only accept routes for Site B and not for Site A
In the above case the subnet router in Site B needs to only accept routes for Site A and not for Site B
This would make private traffic on Site A to Site A stay on Site A private network and not route through tailscale
This would make private traffic on Site B to Site B stay on Site B private network and not route through tailscale

Is this possible?
Without this feature tailscale will require dedicated devices for running the subnet routers which is a waste of our resources.

DGentry · February 12, 2022, 7:49am

Adjustment of route priorities is something the product may provide in the future.

For what can be done today: all operating systems currently supported by Tailscale will choose the most specific route. If the local LAN is 10.0.0.0/24, advertising a less specific route using --advertise-routes=10.0.0.0/23, if possible, would make the server in site A use its private network, because it has the most specific route, and not the less specific route through Tailscale.

HighNet · February 13, 2022, 2:16pm

I hope this is fixed as this actually quite problematic in making redundant servers.

We can’t advertise a less specific route, but the same route.
With the same route, the traffic goes over tailscale.
With the same route I would have expected it to go through local networking.

brett · July 23, 2022, 1:15pm

How do I do this? I’m using pfsense which is my gateway so everything is routed via it. I’ve set tailscale to advertise 10.0.0.0/8 so I can access everything on my LAN, but that’s overwriting when working locally. I’m using pfsense I can’t change to /7 because that includes public ip addresses

kzaoaai · July 7, 2023, 2:59am

For linux, you can accept routes, and then add this rule (I use crontab to make it persistent):

Install a rule ahead of the Tailscale rules that uses lookup to jump over them:

ip rule add to 192.168.2.0/24 priority 2500 lookup main

from Troubleshooting guide · Tailscale

Topic		Replies	Views
Am I misunderstanding subnet routing? SUPPORT QUESTIONS	3	961	July 1, 2022
Router to advertise specific machines on same subnets? Tailscale About articles (troubleshooting, info)	1	890	September 3, 2021
Bridge two subnet via subnet routers	4	3915	July 13, 2023
Does advertise-routes work on Synology?	6	7221	July 1, 2021
Not using route Linux	3	2334	January 4, 2022

Anyway to selectively accept routes for --advertise-routes

Related topics