Site 2 site subnet router weird problem

Hi,

I set up S2S using this guide: Site-to-site networking · Tailscale. It works perfectly after I set up a next hop on the router pointing to the node’s IP address. Any device on my network can access remote site devices. I just have a little problem, because on the node itself I can’t ping/access remote site devices…

Random device on my network (on the router I have 192.168.2.0/24 with next hop 192.168.1.54, the node’s IP):

@Adrian-MacBook-Pro ~ % traceroute 192.168.2.51
traceroute to 192.168.2.51 (192.168.2.51), 64 hops max, 52 byte packets
 1  192.168.1.1 (192.168.1.1)  2.754 ms  3.295 ms  3.433 ms
 2  192.168.1.54 (192.168.1.54)  2.000 ms  1.910 ms  1.986 ms
 3  100.xxx.xxx.98 (100.xxx.xxx.98)  27.325 ms  30.026 ms  28.205 ms
 4  192.168.2.51 (192.168.2.51)  34.816 ms  31.974 ms  33.304 ms

Perfect, it is working.

On the node:

@ubuntu:~$ ip route show table 52
100.xx.xx.3 dev tailscale0 
100.100.100.100 dev tailscale0 
100.101.102.103 dev tailscale0 
100.xx.xx.6 dev tailscale0 
100.xx.xx.98 dev tailscale0 
192.168.2.0/24 dev tailscale0 

@ubuntu:~$ ping 192.168.2.100 #remote node
PING 192.168.2.100 (192.168.2.100) 56(84) bytes of data.
64 bytes from 192.168.2.100: icmp_seq=2 ttl=64 time=40.2 ms
64 bytes from 192.168.2.100: icmp_seq=4 ttl=64 time=25.5 ms
64 bytes from 192.168.2.100: icmp_seq=5 ttl=64 time=25.8 ms
^C
--- 192.168.2.100 ping statistics ---
5 packets transmitted, 3 received, 40% packet loss, time 4023ms
rtt min/avg/max/mdev = 25.515/30.477/40.164/6.849 ms

@ubuntu:~$ ping 192.168.2.51 #random device on remote network
PING 192.168.2.51 (192.168.2.51) 56(84) bytes of data.
^C
--- 192.168.2.51 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8191ms

@ubuntu:~$ traceroute 192.168.2.100
traceroute to 192.168.2.100 (192.168.2.100), 30 hops max, 60 byte packets
 1  192.168.2.100 (192.168.2.100)  53.394 ms  55.679 ms  56.825 ms

@ubuntu:~$ traceroute 192.168.2.51
traceroute to 192.168.2.51 (192.168.2.51), 30 hops max, 60 byte packets
 1  * 100.xx.xx.98 (100.xx.xx.98)  64.568 ms *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  *^C
@ubuntu:~$

As you can see, on the node I can ping the remote node 192.168.2.100, but can’t reach any remote device.

Weird.

Any ideas? Thank you.

Is it only a problem with ping, or does nothing go through on any other port/protocol? I have only 1 router node, and DNS and HTTP pass through nicely, but ping does not work…

Nope, not only ping: no other protocol can reach the remote subnet from the machine where Tailscale is running either.

Tailscale node (not working), 192.168.1.54:

madrian@ubuntu:~$ ping 192.168.2.50
PING 192.168.2.50 (192.168.2.50) 56(84) bytes of data.
^C
--- 192.168.2.50 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1001ms

madrian@ubuntu:~$ curl 192.168.2.50 -v
*   Trying 192.168.2.50:80...

Random machine on network (works):

❯ ping 192.168.2.50
PING 192.168.2.50 (192.168.2.50): 56 data bytes
64 bytes from 192.168.2.50: icmp_seq=0 ttl=61 time=32.738 ms
92 bytes from 192.168.1.1: Redirect Host(New addr: 192.168.1.54)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 3781   0 0000  3f  01 bef6 192.168.1.175  192.168.2.50 

64 bytes from 192.168.2.50: icmp_seq=1 ttl=62 time=32.202 ms
92 bytes from 192.168.1.1: Redirect Host(New addr: 192.168.1.54)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 bbd8   0 0000  3f  01 3a9f 192.168.1.175  192.168.2.50 

64 bytes from 192.168.2.50: icmp_seq=2 ttl=62 time=28.462 ms
92 bytes from 192.168.1.1: Redirect Host(New addr: 192.168.1.54)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 0d1c   0 0000  3f  01 e95b 192.168.1.175  192.168.2.50 

64 bytes from 192.168.2.50: icmp_seq=3 ttl=62 time=30.520 ms
^C
--- 192.168.2.50 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 28.462/30.980/32.738/1.669 ms
❯ curl 192.168.2.50 -v
*   Trying 192.168.2.50...
* TCP_NODELAY set
* Connected to 192.168.2.50 (192.168.2.50) port 80 (#0)
> GET / HTTP/1.1
> Host: 192.168.2.50
> User-Agent: curl/7.64.1
> Accept: */*
> 
< HTTP/1.1 403 Forbidden

Ok, I just found out that I needed to add 100.64.0.0/10 as a next-hop route on both routers. Now it is working “properly”.

…but I think there is a bug:

Despite --snat-subnet-routes=false being set, on the Tailscale node itself it is not respected for some reason.

Any idea why?
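An added example (not from the thread or from Tailscale) that models the behaviour reported above: a small longest-prefix-match simulator of the two LANs, the two subnet-router nodes and the routers, with placeholder 100.64.x tailnet addresses. It assumes that a node's own packets take the tailscale0 address as source (ordinary source address selection, independent of SNAT, which rewrites forwarded traffic), so forwarded LAN traffic round-trips, the node reaches only the remote node, and adding the 100.64.0.0/10 route on the remote router makes the node's own traffic work as well.

```python
import copy
import ipaddress

# Constructed model of the thread's topology; 100.64.x addresses are placeholders, not real tailnet
# IPs. Route = (prefix, next_hop, iface_addr); next_hop None means on-link delivery. A missing route
# stands in for a default route to the internet, where the packet is lost.
HOSTS = {
    "macbook": {"addrs": {"192.168.1.175"}, "routes": [("0.0.0.0/0", "router1", "192.168.1.175")]},
    "router1": {"addrs": {"192.168.1.1"}, "routes": [
        ("192.168.1.0/24", None, "192.168.1.1"), ("192.168.2.0/24", "node1", "192.168.1.1")]},
    "node1": {"addrs": {"192.168.1.54", "100.64.1.54"}, "routes": [
        ("192.168.1.0/24", None, "192.168.1.54"), ("0.0.0.0/0", "router1", "192.168.1.54"),
        ("192.168.2.0/24", "node2", "100.64.1.54")]},  # table 52: dev tailscale0 -> tailnet src
    "node2": {"addrs": {"192.168.2.100", "100.64.2.100"}, "routes": [
        ("192.168.2.0/24", None, "192.168.2.100"), ("192.168.1.0/24", "node1", "100.64.2.100"),
        ("100.64.0.0/10", "node1", "100.64.2.100"), ("0.0.0.0/0", "router2", "192.168.2.100")]},
    "router2": {"addrs": {"192.168.2.1"}, "routes": [
        ("192.168.2.0/24", None, "192.168.2.1"), ("192.168.1.0/24", "node2", "192.168.2.1")]},
    "device2": {"addrs": {"192.168.2.51"}, "routes": [("0.0.0.0/0", "router2", "192.168.2.51")]},
}

def lookup(hosts, host, dst):
    """Longest-prefix match over one host's table; returns (next_hop, iface_addr) or None."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, nh, src in hosts[host]["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh, src)
    return best[1:] if best else None
def deliver(hosts, start, dst, max_hops=8):
    """Forward hop by hop; returns the list of hosts traversed, or None if dropped."""
    path, host = [start], start
    for _ in range(max_hops):
        if dst in hosts[host]["addrs"]:
            return path
        route = lookup(hosts, host, dst)  # on-link (next_hop None): hand straight to the owner
        host = route and (route[0] or next((n for n, h in hosts.items() if dst in h["addrs"]), None))
        if not host:
            return None
        path.append(host)
    return None
def round_trip(hosts, origin, dst):
    """Own packets use the egress interface address as source, so the far side needs a route back."""
    egress = lookup(hosts, origin, dst)
    there = egress and deliver(hosts, origin, dst)
    return bool(there) and deliver(hosts, there[-1], egress[1]) is not None
def with_cgnat_return_route(hosts):
    """The fix from the thread: send 100.64.0.0/10 to the local subnet-router node."""
    fixed = copy.deepcopy(hosts)
    fixed["router2"]["routes"].insert(0, ("100.64.0.0/10", "node2", "192.168.2.1"))
    return fixed
```

`deliver(HOSTS, "device2", "100.64.1.54")` returns None before the fix and the full return path afterwards, which is the reply path the remote device never had.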