Limit the network interfaces that are sent as endpoints for a device?

Tailscale user: Is it possible to limit the network interfaces that are sent as endpoints for a device? I happened on this by a bit of an accident, but noticed that my Windows devices have their internal Docker IPs published as endpoints.

Longer story is that I’m working on a new network setup with segregated VLANs. My plan is to have a Linux VM with multiple interfaces running tailscale and exposing the subnets I’d like to access externally. I need to dig a bit more, but I noticed 172.16.0.0/16 IPs getting blocked in the firewall logs once my Windows machine running Docker was connected to the same tailscale network. It looks like tailscaled started pinging these addresses, and since I’m blocking RFC1918 addresses outside the VLAN they are getting denied and logged. Eventually tailscaled reports the pongs timing out. It doesn’t seem to impact functionality, but my initial ideal approach would be keeping my Windows machine from announcing the internal Docker interface addresses to the tailscale network, as I don’t see it being necessary… but I might be missing something.

-C

Tailscale support: Some background on why it does this is at:

In short: you announce everything that might work, and clients try everything that’s announced, then pick the best (fastest) thing that works.

By removing Docker addresses (which you’d either have to manually configure or write heuristics for), you then preclude things running in Docker from finding their best path.

If it’s causing a real problem then we might consider doing something but if you’re just getting pong timeout log entries, that’s normal and expected.

Tailscale user: thanks for the pointer! Looks like I’ve got some reading to do. -C

Is there any way to do this? I am running Nebula and Tailscale concurrently, and Tailscale is sending traffic over the Nebula connection. I was able to stop Nebula from sending traffic over Tailscale with this:

```yaml
lighthouse:
  local_allow_list:
    interfaces:
      tailscale0: false
```

I would like to stop Tailscale from advertising my nebula1 interfaces as endpoints in a similar way.
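The Nebula snippet above excludes a whole interface by name; the thread is asking for the same kind of control over which addresses a node advertises as endpoints. The following is an added illustration, not code from Tailscale or Nebula, of how such a filter can be modelled: interface-name rules (regexes) and address rules (CIDRs) are applied to a constructed list of local interfaces before anything is advertised. The rule semantics are an assumption loosely modelled on Nebula's `lighthouse.local_allow_list` (a group containing any `true` rule becomes allow-only; a group of only `false` rules denies just what it lists); the sample interface list is constructed, not taken from any real host.

```python
"""Model of an interface/address allow-list applied before endpoint advertisement.

Added illustration, not Tailscale's or Nebula's code. Rule semantics are an
assumption loosely modelled on Nebula's lighthouse.local_allow_list:
  * interface rules are regexes matched against the full interface name;
  * address rules are CIDRs;
  * within a rule group, the first matching rule decides;
  * if any rule in a group is True, the group is allow-only (unlisted entries
    are denied); if all rules are False, unlisted entries are allowed.
"""
import ipaddress
import re

# Constructed sample: what a Windows host running Docker and Nebula might hold.
SAMPLE_INTERFACES = [
    ("Ethernet", "192.168.10.5"),        # LAN, the only endpoint we really want
    ("vEthernet (WSL)", "172.29.64.1"),  # Hyper-V/WSL virtual switch
    ("docker0", "172.17.0.1"),           # Docker bridge
    ("nebula1", "10.42.0.7"),            # another overlay; advertising it risks tunnel-in-tunnel
    ("Loopback", "127.0.0.1"),
]


def _group_allows(rules, matches):
    """Evaluate one rule group; `matches(key)` says whether a rule key applies."""
    if not rules:
        return True
    allow_only = any(rules.values())
    for key, verdict in rules.items():
        if matches(key):
            return verdict
    return not allow_only


def interface_allowed(name, iface_rules):
    """True if the interface name passes the regex rule group."""
    return _group_allows(iface_rules, lambda pat: re.fullmatch(pat, name) is not None)


def address_allowed(addr, cidr_rules):
    """True if the address passes the CIDR rule group."""
    ip = ipaddress.ip_address(addr)
    return _group_allows(
        cidr_rules, lambda cidr: ip in ipaddress.ip_network(cidr, strict=False)
    )


def select_endpoints(interfaces, iface_rules=None, cidr_rules=None):
    """Return the (name, addr) pairs that would be advertised as endpoints.

    Loopback and link-local addresses are never advertised; everything else is
    subject to the two rule groups.
    """
    iface_rules = iface_rules or {}
    cidr_rules = cidr_rules or {}
    chosen = []
    for name, addr in interfaces:
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_link_local:
            continue
        if not interface_allowed(name, iface_rules):
            continue
        if not address_allowed(addr, cidr_rules):
            continue
        chosen.append((name, addr))
    return chosen


if __name__ == "__main__":
    # Exclude Docker, WSL and the Nebula overlay by interface name.
    by_name = {"docker.*": False, r"vEthernet .*": False, "nebula1": False}
    print("by interface name:", select_endpoints(SAMPLE_INTERFACES, iface_rules=by_name))
    # Alternatively, only advertise the LAN prefix (allow-only CIDR rule).
    by_cidr = {"192.168.10.0/24": True}
    print("by CIDR:", select_endpoints(SAMPLE_INTERFACES, cidr_rules=by_cidr))
```

Either rule style leaves only the LAN address for the sample host, which is the outcome the thread is after: a peer behind an RFC1918-blocking firewall stops seeing probe traffic to addresses it could never reach anyway. The trade-off support describes still applies: a name rule such as `docker.*: false` also removes any path that something running inside Docker on the same host might have used.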

We don’t have a way to do this right now. Or at least not easily.

I filed Provide mechanism for users to exclude interfaces from disco + endpoint advertisements · Issue #1552 · tailscale/tailscale · GitHub to track that.
