I have a machine called “macmini” that has subnet routing & exit node enabled. macmini sits in the office behind a Fortigate router.
I have a home machine called t14, and I have --accept-routes enabled on it.
When I first set it up, it works perfectly and it seems to go through the lhr relay. But after a while it switches to a direct connection and then the connection doesn’t work. Running tailscale ping from t14 shows:
pong from macmini (100.65.126.31) via DERP(lhr) in 27ms
pong from macmini (100.65.126.31) via DERP(lhr) in 126ms
pong from macmini (100.65.126.31) via DERP(lhr) in 12ms
pong from macmini (100.65.126.31) via DERP(lhr) in 276ms
pong from macmini (100.65.126.31) via 220.127.116.11:41641 in 20ms
After it’s connected via our office public IP 18.104.22.168, tailscale ping returns ok, but ssh or any other connection just won’t work.
Our office uses a Fortigate router. The default policy is allow all outgoing: (first line)
I thought this should be enough after reading the “How NAT traversal works”: How NAT traversal works · Tailscale
I tried adding an allow incoming UDP 41641 rule on the router, then restarted tailscaled, and then the direct connection started to work. See the second line in the above image.
Question: is this what I’m supposed to do? Surely Fortigate is a stateful firewall that’ll be able to allow outgoing and remember it for the incoming?
And how did tailscale decide to go for a direct connection instead of the lhr relay? Obviously the relay works but direct doesn’t.
Actually I noticed that after a while (not sure how long) tailscale seems to have realised the direct path didn’t work and reverted back to the relay? I couldn’t stably reproduce this.
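A small added diagnostic, not from the original post and not Tailscale’s own tooling: it parses `tailscale ping` output of the kind quoted above and reports where the reply path switches between DERP and a direct endpoint, which is the moment to retest ssh. The sample lines are constructed from the values in the post; the ordering is illustrative.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input, modelled on the pong lines quoted in the post
# (same peer, IP and lhr relay; the back-and-forth ordering is illustrative).
SAMPLE_OUTPUT = """\
pong from macmini (100.65.126.31) via DERP(lhr) in 27ms
pong from macmini (100.65.126.31) via DERP(lhr) in 126ms
pong from macmini (100.65.126.31) via 220.127.116.11:41641 in 20ms
pong from macmini (100.65.126.31) via 220.127.116.11:41641 in 19ms
pong from macmini (100.65.126.31) via DERP(lhr) in 30ms
"""

# Matches either "via DERP(<region>)" or "via <ip>:<port>" replies.
PONG_RE = re.compile(
    r"^pong from (?P<peer>\S+) \((?P<ip>[0-9.]+)\) via "
    r"(?P<path>DERP\((?P<region>[a-z0-9]+)\)|(?P<endpoint>[0-9.]+:[0-9]+)) "
    r"in (?P<rtt>[0-9]+)ms$"
)


def parse_pongs(text: str) -> List[Dict[str, object]]:
    """Parse `tailscale ping` pong lines into dicts; unparseable lines are skipped."""
    pongs = []
    for line in text.splitlines():
        m = PONG_RE.match(line.strip())
        if not m:
            continue
        pongs.append({
            "peer": m["peer"],
            "ip": m["ip"],
            "path": m["path"],
            "direct": m["endpoint"] is not None,  # True when not relayed via DERP
            "relay": m["region"],                  # DERP region code, or None if direct
            "rtt_ms": int(m["rtt"]),
        })
    return pongs


def path_transitions(pongs: List[Dict[str, object]]) -> List[Tuple[int, str, str]]:
    """Return (index, old_path, new_path) wherever consecutive replies change path.

    DERP -> ip:port is when to test a real TCP session (e.g. ssh) over the
    direct path; ip:port -> DERP suggests Tailscale gave up on the direct path.
    """
    changes = []
    for i in range(1, len(pongs)):
        if pongs[i]["path"] != pongs[i - 1]["path"]:
            changes.append((i, str(pongs[i - 1]["path"]), str(pongs[i]["path"])))
    return changes


if __name__ == "__main__":
    for idx, old, new in path_transitions(parse_pongs(SAMPLE_OUTPUT)):
        print(f"pong #{idx}: path changed {old} -> {new}")
```

Feed it the output of `tailscale ping macmini` piped to a file to see exactly when the path flipped relative to the ssh failure.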