Basic Debugging Question on Subnet Routing

Tailscale version
1.18.2 on Linux (Amazon Linux 2)
1.12.3 on MacOS

I have scanned the forums and found that most people get subnet routing working easily, but I am stuck in a very early stage.

I have an Amazon ec2 tailscale node that I want to advertise the space (including itself at

I have done the following steps on the Amazon ec2 instance that I want to be a subnet router:

  1. sudo tailscale up --advertise-tags=tag:central-infra --authkey=REDACTED --advertise-routes=
  2. ensured that my Amazon instance has net.ipv6.conf.all.forwarding = 1
  3. ensured that my Amazon instance has sysctl net.ipv4.ip_forward = 1
  4. ensured that my Amazon instance does not do “Source / destination check”
  5. accepted the route from the Admin console’s Machine Settings to advertise
  6. set up two processes on this node at ports 9000 and 9999 (nginx and a simple ls -l | nc -l 9999 respectively)
  7. validated that my Mac can reach the Amazon node via the Tailscale IPs ( curl and nc 9999) to make sure I don’t have an ACL blocking me

On my Mac, I have tailscale version 1.12.3. I am in an internal IP of 192.168.etc.
The documentation says Clients on Windows, macOS, iOS, and Android will automatically pick up your new subnet routes.

On my Mac (as written above) I have been able to curl and netcat the Tailscale IP.
But any curl or nc 172.10.182 9999 on the routed IP address just freezes.

I am mostly naieve when it comes to networking and have been a bit in the dark with how to debug at this point. Some basic questions:

  1. Is there any way for me to see from my client tailscale (my Mac laptop) that advertised routes are available to me? Facilely, as this is the limit of my networking knowledge I have run
traceroute to (, 64 hops max, 52 byte packets
 1 (  12.473 ms  2.354 ms  5.470 ms
 2 (  15.111 ms  11.586 ms  12.212 ms

which is the limit of my debugging (pinging just gives me request timeouts)

  1. I have seen some hints at Enable IP forwarding on Linux · Tailscale that I may need to futz around with the firewall (generically, firewall-cmd --permanent --add-masquerade ). If this is something I should pursue, does anyone have a definitive set of commands I can run as I consider iptables a dark art?
  2. I have run various permutations of --snat-subnet-routes=false but feel this is me just trying things arbitrarily.
  3. Are there any other common gotchas with AWS VPCs that might be affecting my ability to see anything?

Thanks for your time,

Sorry, I was wrong about the Linux version. It is 1.18.2, and I made the edit above.

first thing to check is that the subnet route is approved in your admin panel
click the … menu and select Edit Route Settings and authorize the subnet route there.

If you’re still having problems, please run tailscale bugreport from the AWS machine, and email the code to

For people interested in knowing what the issue was, Jay helped me resolve it. I was unaware that the subnets advertised by the subnet router needed to also have a rule in the ACL.

If you’re looking to test (using my example above), then a rule like
{ "action": "accept", "users": ["*"], "ports": ["*",] }
will allow any node to see the route that has been exposed. You can dial it back as per your needs.

1 Like