Are Subnet Routers one way?

Tailscale version
1.12.3
Your operating system & version
Raspbian OS

I set up Tailscale at a remote location with subnet routes because I want to be able to manage some IP cameras, and it works. But now I want these cameras to record to my Raspberry NAS, which has Tailscale installed and is in a remote location, and the cameras are not able to see the NAS using its Tailscale IP. Is this even possible, or is communication with the devices behind a subnet router only one way? Just for testing, I pinged the NAS from the Pi running Tailscale and acting as a subnet router and it worked, but when I pinged the NAS from another machine in the same network as the subnet-router Pi and the cameras, nothing happened. If I ping the camera and that machine using their local IPs from the NAS, it works.

By default the subnet router replaces the Tailscale IP source address 100.x.y.z with its own LAN address. This makes it simpler for the cameras to send a response: the camera thinks it is talking to 10.10.1.1, there on its local LAN. It also means the cameras cannot connect to 100.x.y.z, as they cannot get through NAT.

There is a --snat-subnet-routes=false argument which tells the subnet router to pass the 100.x.y.z addresses on to the local LAN unchanged.

HOWEVER: routing on the LAN is outside of Tailscale’s control. The cameras need to know that to reach 100.64.0.0/10 the next hop is 10.10.1.1. If the subnet router is also the default route for the LAN this tends to be simple. If there is a separate Wi-Fi AP as the default route and the subnet router is a separate node, getting a route to 100.64.0.0/10 installed on the cameras will be harder.


Useful explanation. Thanks

Do you have any recommendations for that scenario?

I have a device on a remote LAN in country B which is accessible via a subnet router, which is in turn connected via a WiFi AP/broadband router to the internet. I can connect to that device from any of the devices in the Tailscale network. I would like to enable the opposite, that the service behind the subnet router in country B connects to another device in the Tailscale network which is on a different LAN in country A.

Thanks.

Assuming that the cameras have no UI to install IP routes…

If you have a Wi-Fi AP on site, like something running OpenWRT, it should be possible to install a route to 100.64.0.0/10 pointing to the LAN address of the Pi. The Wi-Fi AP probably sets itself as the default route in DHCP responses it sends to the cameras, so they will send 100.64.0.0/10 packets to the AP which can forward them over to the Pi.

If the Wi-Fi AP cannot have routes installed, it gets even harder. I guess the next thing to try would be to disable the DHCP server on the Wi-Fi AP, and set up a DHCP server on the Pi (for example, Pi-Hole contains a DHCP server function).

The Pi would then offer itself as the default route. The cameras would send their packets to the IP address of the Pi, which means the packets would go over the Wi-Fi to the AP which would send them to the Pi.

  • Tailscale IP destinations would be encapsulated into the encrypted tunnel, and then sent back over to the AP to go to the WAN.
  • Anything the cameras send to non-Tailscale addresses would also go to the Pi, and the Pi would need to have routes to send everything else back over to the Wi-Fi AP.

Thanks for the prompt reply and for your patience with my newbie networking knowledge. :wink: I’d like to check my understanding of your static routing suggestion for the AP. With the network set up as shown below, would my assumed routing configuration be correct? The goal is for the camera in LAN B to be able to initiate a connection to the NAS in LAN A (and optionally anything else in LAN A).

If so, what would the correct tailscale up command be for the subnet relay?

Thanks!

I like the Pi-Hole idea but the cameras are wired. Do you think it can still work?

Thanks

If you’ve set --snat-subnet-routes=false in tailscale up on the subnet router, the AP will need routes added for both 192.168.8.0/24 and for 100.64.0.0/10.

Is it possible to test this on a local instance before trying it on the remote one?

I think the remote subnet router’s tailscale up command would be: tailscale up --advertise-routes=192.168.8.0/24 --snat-subnet-routes=false

You may not actually need to advertise the 192.168.8.0/24 route now, if the cameras will be sending to 100.99.98.97, but it doesn’t hurt to have the subnet route as well.

For this purpose really only the IP addressing matters. The physical link can be Ethernet or Wi-Fi, the Tailscale subnet router only sees the IP addresses.
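The two-part procedure discussed above (subnet router without SNAT, plus a return route on the AP) collected into one script. This is an added example, not code from the thread or from Tailscale; it assumes LAN B is 192.168.8.0/24, that the AP/broadband router at 192.168.8.1 is the cameras' default gateway, that the Pi subnet router sits at 192.168.8.2, and that the NAS in LAN A is 100.99.98.97 (the first three addresses are assumptions, the last is the one used in the thread). The only Tailscale flags used are the two from the thread; `sysctl`, `ip route` and `traceroute` are standard Linux tools. With DRY_RUN=1 (the default) the functions print the commands they would run, so the logic can be checked before touching the remote site.

```shell
#!/bin/sh
# Added example (not part of the original thread). Assumed addressing:
#   LAN B            192.168.8.0/24  (cameras, AP, Pi)
#   AP / default gw  192.168.8.1
#   Pi subnet router 192.168.8.2
#   NAS in LAN A     100.99.98.97    (Tailscale IP, from the thread)
LAN_B="192.168.8.0/24"
PI_LAN_IP="192.168.8.2"
NAS_TS_IP="100.99.98.97"
TS_RANGE="100.64.0.0/10"          # the whole Tailscale address range
: "${DRY_RUN:=1}"                 # 1 = print commands, 0 = execute them

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# True when an IPv4 address lies in 100.64.0.0/10, i.e. 100.64.x.x ... 100.127.x.x.
# Handy for deciding whether a destination is a Tailscale node at all.
in_tailscale_range() {
  ts_o1=${1%%.*}; ts_rest=${1#*.}; ts_o2=${ts_rest%%.*}
  [ "$ts_o1" = 100 ] && [ "$ts_o2" -ge 64 ] && [ "$ts_o2" -le 127 ]
}

# Step 1, on the Pi: forward packets, advertise LAN B, and keep the cameras'
# 192.168.8.x source addresses instead of rewriting them to the Pi's address.
configure_subnet_router() {
  run sysctl -w net.ipv4.ip_forward=1
  run tailscale up --advertise-routes="$LAN_B" --snat-subnet-routes=false
}

# Step 2, on the AP (e.g. OpenWRT): hand anything for the Tailscale range to
# the Pi. Without this the cameras send 100.x.y.z packets to their default
# gateway, which pushes them out to the WAN where they go nowhere.
configure_ap_route() {
  run ip route add "$TS_RANGE" via "$PI_LAN_IP"
}

# Step 3, on any wired or Wi-Fi host in LAN B: show the next hop the kernel
# picks for the NAS and trace the path. Expected: AP first, then the Pi.
verify_from_lan_host() {
  run ip route get "$NAS_TS_IP"
  run ping -c 3 "$NAS_TS_IP"
  run traceroute -n "$NAS_TS_IP"
}

# Pick the role from the first argument; with no argument nothing is run,
# so the file can also be sourced for its functions.
case "${1:-}" in
  pi)    configure_subnet_router ;;
  ap)    configure_ap_route ;;
  check) verify_from_lan_host ;;
esac
```

Two things to keep in mind when applying this for real. First, once SNAT is off the NAS sees packets with a 192.168.8.x source, so its replies can only get back over the tunnel if the NAS has a route for 192.168.8.0/24; the advertised subnet route, approved in the admin console and accepted on the NAS (on Linux, `tailscale up --accept-routes`), is what provides that. Second, disabling SNAT turns every device in LAN B into something that can initiate connections to tailnet nodes, so restrict what 192.168.8.0/24 may reach in the Tailscale ACLs rather than relying on the cameras' good behaviour.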