Ping works, but curl fails

I have two machines connected via Tailscale: a macbook and an AWS NixOS machine called doodoo. I can ping doodoo, no problem:

bash-3.2$ ping doodoo
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=22.497 ms
64 bytes from icmp_seq=1 ttl=64 time=20.566 ms

But I can’t get HTTP requests to go through:

bash-3.2$ curl --max-time 5 doodoo:3001/asdf
curl: (28) Connection timed out after 5002 milliseconds

Following the Tailscale with MagicDNS works with certain ports but times out on others, I double-checked netstat, and indeed traffic should be going through AFAIU:

❯ netstat -nap --inet | grep LISTEN
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0  *               LISTEN      1546/target/debug/a

I’ve had something like this happen one time in the past. It was a similar issue where I just could not get through at all to a server on my remote machine. I disconnected/connected out of tailscale on my macbook (and possibly also quitting/restarting), and that seemed to fix the issue. I dismissed it then, but I figure I might as well report now that it has reoccurred.

Update: just tried disconnecting/connecting, restarting tailscale on the macbook, and rebooting doodoo with no luck :confused: Oddly enough though SSH still works.

Can you try updating doodoo to 1.4.5? I see it’s 1.4.4 right now. We fixed a connectivity bug in 1.4.5.

I’m on the latest stable NixOS version (20.09.3281.06b11191834 at the time of writing), and it seems the latest version is still 1.4.4. Is there a way to get 1.4.5 from nixpkgs-unstable instead?

Ok, looks like tailscale: 1.4.4 -> 1.4.5 (#114420) · NixOS/nixpkgs@d470cd9 · GitHub just landed. I’m not sure… Does this eventually get backported to 20.09 once hydra passes?

Update: I did a bit of ngrep’ing on doodoo, and it looks as though packets are making it to the VM but not to my server somehow. Here are the results after making a bunch of curl requests externally:

❯ sudo ngrep -d tailscale0 port 3001
interface: tailscale0 (
filter: ( port 3001 ) and (ip || ip6)
20 received, 0 matched

But now I’m stumped… Anyone have any ideas what could be going on here?

Ok, looks like this was some kind of firewall issue. I think I ran a sudo nixos-rebuild switch --upgrade without changing /etc/nixos/configuration.nix at some point and a change in NixOS networking defaults or tailscale version caused this issue. That would explain why it happened “without me doing anything”.

Adding networking.firewall.allowedTCPPorts = [ 3001 ]; did the trick. I have no clue why this config wasn’t necessary before, or what caused this change… but that’s the trick.