Hello, I have a camera going into an SRT encoder (TBS 2603 AU) that’s connected to my phone’s hotspot via a bridge router. I also connected a Linux box to the hotspot to act as a Tailscale subnet router to connect the hotspot LAN to the VPN. I then have a home computer on the Tailscale VPN with OBS looking for the SRT stream in listener mode. I’m able to ping and connect to the admin page of the encoder (on 192.168.X.X) from my home computer (Tailscale VPN 100.X.X.X) but the SRT signal doesn’t make it through the chain. With the SRT format, you enter an IP address or URL along with a port number, and it uses UDP. In this case I’m entering the 100.X.X.X VPN IP of the home device and, for example, port 3000.
I have already opened the Windows firewall port and tested with everything on the same network and it works. I have also tested Tailscale on my phone, doing SRT from the VPN on my phone to my home VPN computer. It seems to be an issue with the extra step of the subnet router. I’m also pretty new to Linux. I’m not sure if the Tailscale subnet router doesn’t work with custom ports and I have to make my own iptables rule or if I’m missing something else.
By default the subnet router uses source NAT, which you’ll probably need to disable to allow the cameras to reach 100.x.y.z. A diagram is attached which might help.
I set it to false and the video signal still isn’t coming up. The only change I noticed was my PC could no longer reach the encoder via ping or HTTP. The UDP signal would be going LAN node → subnet router → Tailscale node.
edit: I added a super quick diagram
So intended route is encoder (lan) → bridge router → mobile hotspot (lan) → subnet router (lan interface) → subnet router (vpn interface) → hotspot → internet → tailscale home computer (VPN)
Even so, if the goal is to have the encoder on the LAN send to 100.x.y.z Tailscale IP addresses, you’ll need to use --snat-subnet-routes=false.
From the diagram: something needs to set the nexthop router for 100.64.0.0/10 to be the subnet router. If the Encoders can have manual routes set then fine, but this seems unlikely. The mobile hotspot is likely an iOS or Android device which also doesn’t have an easy way to configure routes. Does the bridge router have a way to set routes?
My guess would be that the encoders are sending to 100.x.y.z, which goes to the mobile hotspot, which just forwards it on to the Internet where the packets get dropped.
Sending the other way, a ping from the Tailscale device, works because the Tailscale client installs routes.
- ping works with --snat-subnet-routes=true because the subnet router rewrites the source addresses to 192.168.X.X
- ping doesn’t work with --snat-subnet-routes=false because the IP source address is 100.x.y.z, which the encoders don’t have a route to be able to send the ping response
This was the issue. I moved the subnet router between the bridge and the mobile hotspot. I found a Linux app that lets you create a mobile hotspot on 5/2.4 GHz while connecting to a hotspot on the other. I then changed the bridge to connect to the subnet router hotspot and added this new network created from the subnet router hotspot to the advertised routes. The feed is now making it to my home computer!
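
The routing argument in this thread, modelled as an added example (not code from any poster or from Tailscale): longest-prefix-match lookups at each hop show why the encoder's packets to 100.64.0.0/10 are dropped when the hotspot is its gateway, why the SNAT'd ping reply still works, and why the stream arrives once the subnet router is the gateway. The node names and the addresses 100.64.0.10 and 192.168.43.2 are constructed for illustration.

```python
import ipaddress

HOME_PC = "100.64.0.10"      # constructed Tailscale IP of the OBS machine
ROUTER_LAN = "192.168.43.2"  # constructed LAN IP of the subnet router

def next_hop(table, dst):
    """Longest-prefix match over {prefix: next_node}; None means no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in table.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(tables, src, dst, max_hops=8):
    """Follow next hops from src until delivery, a drop, or a loop."""
    path, node = [src], src
    for _ in range(max_hops):
        hop = next_hop(tables[node], dst)
        if hop == "deliver":
            return path
        if hop is None:
            return path + ["DROPPED"]
        path.append(hop)
        node = hop
    return path + ["LOOP"]

def build(encoder_gateway):
    """Routing tables for the thread's topology (simplified, bridge omitted)."""
    return {
        # The /32 stands in for on-link delivery to the subnet router.
        "encoder": {ROUTER_LAN + "/32": "subnet_router",
                    "0.0.0.0/0": encoder_gateway},
        "hotspot": {"0.0.0.0/0": "internet"},
        # 100.64.0.0/10 is shared address space and is not routed publicly.
        "internet": {},
        "subnet_router": {ROUTER_LAN + "/32": "deliver",
                          "100.64.0.0/10": "home_pc",
                          "0.0.0.0/0": "hotspot"},
        "home_pc": {HOME_PC + "/32": "deliver"},
    }

if __name__ == "__main__":
    original, fixed = build("hotspot"), build("subnet_router")
    print("SRT, hotspot as gateway:      ", trace(original, "encoder", HOME_PC))
    print("ping reply to SNAT'd source:  ", trace(original, "encoder", ROUTER_LAN))
    print("SRT, subnet router as gateway:", trace(fixed, "encoder", HOME_PC))
```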