I have two subnet routers operating (on the Personal Pro plan), with the expectation that one will be active and the other standby. Both advertise a single route, and there are a half-dozen remote clients which accept that route.
On the LAN where the routers live there are a number of nodes, some of which need to be able to initiate connections to the remote clients, not just receive them. As a consequence, SNAT mode is disabled in the subnet router Tailscale clients, and the machines running those clients advertise the Tailscale subnet route to the rest of the LAN.
Unsurprisingly, this doesn’t work as well as I’d have hoped it would. When a LAN client makes a connection to a remote client, the connection will go out through one of the subnet routers (effectively randomly chosen). If that router is currently the ‘standby’, the return traffic from the remote client won’t come through that router, but the other one, and of course the connection can’t be established. The same situation can arise for connections from the remote clients.
Shutting down one of the subnet routers solves the problem as you’d expect; connections can be initiated in both directions.
I’d like to find a way to resolve this, and I can think of only one possibility (other than sharing the same key between the subnet routers so they can handle each other’s traffic transparently): the Tailscale client could provide a mechanism to indicate whether that node is the current ‘active’ subnet router, so that the rest of the system can take steps to ensure that traffic is routed to it (and not to any other subnet routers).
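One way to build the "which router is currently active" signal the post asks for, as an added example that is not part of the original post and not Tailscale's own code: each subnet router asks its local tailscaled which routes the control plane currently considers it primary for, and exposes the answer as an exit code that a VRRP/keepalived track script can consume, so a virtual IP (and the LAN's route for the Tailscale subnet) follows the active router. It assumes that `tailscale status --json` carries a `Self.PrimaryRoutes` list naming the routes this node is primary for; that field name is an assumption here, and the two JSON samples are constructed, not captured output.

```python
"""Decide whether this Tailscale node is the control-plane-selected primary
for an advertised subnet route, for use as a VRRP/keepalived track script.

Assumption (not verified against any particular tailscaled version): the
`tailscale status --json` output carries a Self.PrimaryRoutes list naming the
routes this node is currently primary for. If the field is absent or the
output is malformed, the node is treated as standby (fail closed), so a
broken check can never make both routers claim to be active.
"""
import json
import subprocess
import sys
from ipaddress import ip_network


def parse_primary_routes(status_json: str) -> list:
    """Return the routes this node is primary for, as ip_network objects.

    tailscaled encodes an empty slice as null, so missing/None collapses to [].
    """
    data = json.loads(status_json)
    self_info = data.get("Self") or {}
    routes = self_info.get("PrimaryRoutes") or []
    return [ip_network(r, strict=False) for r in routes]


def is_active_router(status_json: str, advertised_route: str) -> bool:
    """True only if advertised_route is among this node's primary routes.

    Any parse error, missing field or malformed prefix counts as standby.
    """
    try:
        wanted = ip_network(advertised_route, strict=False)
        return wanted in parse_primary_routes(status_json)
    except (ValueError, json.JSONDecodeError):
        return False


# Constructed samples (not real tailscaled output) for the two router states.
SAMPLE_ACTIVE = json.dumps({"Self": {
    "HostName": "router-a",
    "AllowedIPs": ["100.101.102.103/32", "192.168.10.0/24"],
    "PrimaryRoutes": ["192.168.10.0/24"],
}})
SAMPLE_STANDBY = json.dumps({"Self": {
    "HostName": "router-b",
    "AllowedIPs": ["100.101.102.104/32", "192.168.10.0/24"],
    "PrimaryRoutes": [],
}})


def main(argv):
    """Track-script entry point: exit 0 when active, 1 when standby.

    Usage: tailscale-primary-check.py 192.168.10.0/24
    """
    route = argv[1] if len(argv) > 1 else "192.168.10.0/24"
    status = subprocess.run(
        ["tailscale", "status", "--json"],
        capture_output=True, text=True, check=True,
    ).stdout
    active = is_active_router(status, route)
    print("active" if active else "standby")
    return 0 if active else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired in as a keepalived `vrrp_script` (exit 0 is healthy), the VIP lands on whichever router the control plane has selected, and the LAN's static route for the Tailscale subnet points at that VIP instead of at either router's own address. LAN-initiated flows then leave through the same router that the remote clients send return traffic to, which removes the asymmetric path the post describes. The fail-closed default matters: if both routers ever returned "active" at once you would be back to the original problem, so a check that cannot read its own state must report standby.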