Relay slows local network speeds

Trying to add Tailscale to a TrueNAS system. The only means at present seems to be to use an external device as a relay, or to set up a VM in TrueNAS to act as a relay. Both work OK for external access, but slow down local network access significantly on GbE (from 900 Mbps with subnet routes disabled, to 100-200 Mbps with the RPi and VM). Painful for disk-intensive apps to SMB shares on the NAS.
Is there something in the configuration of the relay node needed (IP forwarding?) to avoid the relay processing local access?
Thanks!

To see whether you’re actually going through a relay, run tailscale ping <IP-or-hostname> and see whether it uses a direct connection or a relay.

What do you see?

response to tailscale ping <NAS_ip> is ‘no matching peer’

Sorry, I had subnet routing disabled for iperf testing. Now I get:
pong from homenastsrelay (100.75.3.128) via 192.168.2.149:41641 in 1ms
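The `tailscale ping` line above tells two things at once: the `via <LAN-IP>:<port>` part means a direct (non-DERP) path, and the fact that the pong comes from the subnet router (homenastsrelay) rather than from the NAS itself means the packets are being WireGuard-encrypted to the router, decrypted there and forwarded. The script below is an added example, not part of this thread or of Tailscale, that parses such lines and reports both facts; it assumes the direct-path format shown in the thread and assumes DERP-relayed pongs read `via DERP(<region>)`, which is an assumption about the output format rather than something the thread shows.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed output shapes of `tailscale ping`:
#   pong from <node> (<tailscale-ip>) via <ip>:<port> in <n>ms      -> direct path
#   pong from <node> (<tailscale-ip>) via DERP(<region>) in <n>ms  -> relayed via DERP
#   no matching peer                                                -> target not routable
PONG_RE = re.compile(
    r"^pong from (?P<node>\S+) \((?P<ts_ip>[\d.]+)\) via (?P<via>\S+) in (?P<ms>[\d.]+)ms$"
)


@dataclass
class PathReport:
    target: str          # address the user pinged
    node: str            # node that answered
    ts_ip: str           # Tailscale IP of the answering node
    path: str            # "direct" or "derp"
    via: str             # endpoint or DERP region the pong came through
    rtt_ms: float
    subnet_routed: bool  # True when the answering node is not the target itself


def classify_ping(target: str, line: str) -> Optional[PathReport]:
    """Parse one `tailscale ping <target>` result line.

    Returns None for "no matching peer" (no route to the target at all),
    otherwise a PathReport describing how the target is being reached.
    """
    line = line.strip()
    if line == "no matching peer":
        return None
    m = PONG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised tailscale ping output: {line!r}")
    via = m.group("via")
    path = "derp" if via.startswith("DERP(") else "direct"
    # If the pong comes from a node other than the one we addressed, a subnet
    # router answered on the target's behalf: traffic is encrypted to the router
    # and forwarded from there, which is the extra hop the thread is measuring.
    subnet_routed = target not in (m.group("node"), m.group("ts_ip"))
    return PathReport(
        target=target,
        node=m.group("node"),
        ts_ip=m.group("ts_ip"),
        path=path,
        via=via,
        rtt_ms=float(m.group("ms")),
        subnet_routed=subnet_routed,
    )


def describe(target: str, line: str) -> str:
    """Human-readable summary for an operator checking a path."""
    r = classify_ping(target, line)
    if r is None:
        return f"{target}: no matching peer (subnet route not advertised/approved?)"
    hop = f"forwarded by subnet router {r.node}" if r.subnet_routed else "reached directly"
    return f"{target}: {r.path} path via {r.via}, {hop}, {r.rtt_ms:g} ms"


if __name__ == "__main__":
    # Constructed sample lines: the first is the one quoted in the thread,
    # the others are made up to show the remaining cases.
    samples = [
        ("192.168.2.160", "pong from homenastsrelay (100.75.3.128) via 192.168.2.149:41641 in 1ms"),
        ("100.75.3.128", "pong from homenastsrelay (100.75.3.128) via 192.168.2.149:41641 in 1ms"),
        ("192.168.2.160", "pong from homenastsrelay (100.75.3.128) via DERP(nyc) in 45ms"),
        ("192.168.2.160", "no matching peer"),
    ]
    for target, line in samples:
        print(describe(target, line))
```

Run it after `tailscale ping <NAS-IP>` and compare: a `derp` path is the DERP relay problem the second reply refers to, while a `direct` path with `subnet_routed=True` is the forwarding overhead of the subnet router, which is what the iperf numbers in this thread are showing.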

Yeah, so you’re not going through a Tailscale relay. That traffic is staying within your LAN.

Sorry - not sure how you determined this. Local network is 192.168.2.xxx.
NAS is at 192.168.2.160.
VM (homenastsrelay) is at 192.168.2.149
tailscale ping 192.168.2.160 shows routing through relay
iperf3 tests to 192.168.2.160 drop from 900 Mbps to 176 Mbps when I enable subnet routing on the homenastsrelay node.
I seem to be missing something here…

I think I misunderstood your point. It is clear that the traffic is staying within the local network, but the overhead of the relay node that is doing the IP forwarding is my concern.

Sorry, I think we’re talking about different relays. 90% of the issues I deal with are people asking about how to avoid the DERP TCP relays by getting port mapping or NAT traversal to work. I thought that was what you’re talking about.

Re-reading this, it sounds like you want Tailscale to disable encryption when it guesses that you’re on the same LAN? It turns out that’s very hard to do securely without being susceptible to MITM attackers forcing a downgrade attack. We continue to think about ways to do that, but there’s nothing coming short term for that. We also continue to work on performance, though, so hopefully we get to a point where the encryption even on a local LAN isn’t a problem.