Ping works, but curl fails

I have two machines connected via Tailscale: a macbook and an AWS NixOS machine called doodoo. I can ping doodoo, no problem:

bash-3.2$ ping doodoo
PING doodoo.skainsworth.gmail.com.beta.tailscale.net (100.118.228.49): 56 data bytes
64 bytes from 100.118.228.49: icmp_seq=0 ttl=64 time=22.497 ms
64 bytes from 100.118.228.49: icmp_seq=1 ttl=64 time=20.566 ms

But I can’t get HTTP requests to go through:

bash-3.2$ curl --max-time 5 doodoo:3001/asdf
curl: (28) Connection timed out after 5002 milliseconds

Following the “Tailscale with MagicDNS works with certain ports but times out on others” thread, I double-checked netstat, and indeed traffic should be going through AFAIU:

❯ netstat -nap --inet | grep LISTEN
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:3001            0.0.0.0:*               LISTEN      1546/target/debug/a
...

I’ve had something like this happen one time in the past. It was a similar issue where I just could not get through at all to a server on my remote machine. I disconnected/reconnected Tailscale on my macbook (and possibly also quit/restarted it), and that seemed to fix the issue. I dismissed it then, but I figure I might as well report it now that it has reoccurred.

Update: just tried disconnecting/connecting, restarting Tailscale on the macbook, and rebooting doodoo, with no luck :confused: Oddly enough, though, SSH still works.

Can you try updating doodoo to 1.4.5? I see it’s 1.4.4 right now. We fixed a connectivity bug in 1.4.5.

I’m on the latest stable NixOS version (20.09.3281.06b11191834 at the time of writing), and it seems the latest version is still 1.4.4. Is there a way to get 1.4.5 from nixpkgs-unstable instead?

Ok, looks like “tailscale: 1.4.4 -> 1.4.5 (#114420) · NixOS/nixpkgs@d470cd9 · GitHub” just landed. I’m not sure… Does this eventually get backported to 20.09 once hydra passes?

Update: I did a bit of ngrep’ing on doodoo, and it looks as though packets are making it to the VM but not to my server somehow. Here are the results after making a bunch of curl requests externally:

❯ sudo ngrep -d tailscale0 port 3001
interface: tailscale0 (100.118.228.49/255.255.255.255)
filter: ( port 3001 ) and (ip || ip6)
####################
^Cexit
20 received, 0 matched

But now I’m stumped… Anyone have any ideas what could be going on here?

Ok, looks like this was some kind of firewall issue. I think I ran a `sudo nixos-rebuild switch --upgrade` without changing /etc/nixos/configuration.nix at some point, and a change in NixOS networking defaults or the tailscale version caused this issue. That would explain why it happened “without me doing anything”.

Adding networking.firewall.allowedTCPPorts = [ 3001 ]; did the trick. I have no clue why this config wasn’t necessary before, or what caused this change… but that’s the trick.
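As an added example (not part of the thread above), here is a NixOS configuration fragment that applies the fix but scopes it to the Tailscale interface instead of opening the port on every interface; it assumes the Tailscale NixOS module is enabled with the default interface name tailscale0, the per-interface firewall options of recent NixOS releases, and a service listening on TCP 3001.

```nix
# /etc/nixos/configuration.nix (added example, not the poster's own config)
{ config, pkgs, ... }:

{
  services.tailscale.enable = true;   # creates the tailscale0 interface

  networking.firewall = {
    enable = true;

    # What the thread did: allow TCP 3001 on *every* interface, including the
    # AWS-facing one. Only the EC2 security group then stands between the
    # public internet and the service.
    # allowedTCPPorts = [ 3001 ];

    # Tighter alternative: allow TCP 3001 only for packets arriving on the
    # Tailscale interface, so the service stays closed on the public side
    # while tailnet peers (the macbook) can still reach it.
    interfaces.tailscale0.allowedTCPPorts = [ 3001 ];

    # Tailscale's WireGuard UDP port (default 41641); allowing it lets peers
    # connect directly instead of relaying through DERP. Not strictly
    # required for connectivity.
    allowedUDPPorts = [ config.services.tailscale.port ];
  };
}
```

After `sudo nixos-rebuild switch`, the effective rules can be inspected with `sudo iptables -nL nixos-fw` (the chain NixOS generates for these options); this is the quickest way to confirm whether an upgrade silently changed them again.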