SSH Refused on private subnet

Hey all,

I hope I am doing something really stupid after a long day!!!

I have a very simple setup that I know I have had working before. BUT… low and behold… I can’t get it going now!!

ok… Basically I have a ProxMox host. On this host I have a single NIC. I have created to Virtual interfaces. one is “public” facing (RE: on my internal LAN) and the other is PRIVATE… no routing or anything just a subnet to run on the host only.

I have a Gateway VM on the box… with 2 NIC’s. One on the LAN and one on the Private subnet. ON this box I have install Tailscale. connected, authorised etc. all good. I have enabled subnet-routing through the --advertise-subnet argument etc… modded the appropriate sys files etc. now… I can PING the said VM on both interfaces from my laptop. So it appears TS is working. I can then, through this VM, ping other hosts on the Private subnet, but this is where I run into problems… I can ping but not connect otherwise. One of these private boxes is a straight up linux box, so am trying to SSH in. If I am on the GW VM I can SSH to the said box, but not from my laptop which is on the LAN side of the network…

please tell me I am missing something dumb?? my brain hurts!!

Thanks in Advance

When you say you “can through the (Gateway) VM ping other hosts on the private subnet”, do you mean from the VM side?

I’m asking because you also say if you are on the gateway VM you can SSH to the said box.

Where is the private box? A third and separate host from the box with the 2 VMs and the laptop?

ok… I’ll try to compensate for my tired brain!! :slight_smile:

Proxmox server

  • One physical NIC
  • Two Virtual networks (vmbr0 & vmbr2)

vmbr0 is connected to my normal LAN (
vmbr2 is connected to my “private” (host only) subnet (

I have a Centos8 (labGW) box I am looking to use as a router of sorts. I have done this before in AWS so I know it works.

basically the LabGW has two nics. One into VMBR0 (with gateway etc…) and one into VMBR2. At this point, from my Laptop (on the LAN) I can ping and ssh into the VMBR0 interface but not the VMBR2 interface (as expected when there is no routes etc…)

I install TS and advertise the subnet, make the changes needed in both the OS and the admin console (including stopping the firewalld service - its a personal lab so don’t need FW). Hey presto… from my laptop I can now ping the second NIC ( and I can even SSH into that IP. All good!!

Now I have a second Centos 8 box. lets call it Demo1. This box is only connected to vmbr2, as it is a lab box for demo’s!!

from my the LabGW I can ping and SSH into Demo1. Again all good.

I now hit my issue!! From my laptop I can ping and SSH into LabGW on both interfaces (well all three if you include the TS interface). When I try to ping Demo1 I receive a return… as expected. But I cannot SSH into Demo1. This is the same for another box which has a HTTPS interface… I can ping, but not bring up the web console.

I know its something simple… but I can’t see the wood for the trees at the moment!!!

Please let me know if this helps expand??

HI @vyper013,
Could you share your domain and specific Tailscale IP address?
Feel free to email if you don’t wish to share that here.

sent updates and details via email…

This looks like an interesting issue, and sounds like it might be related to firewall settings on either your labgw box or your demo1 box.

If you do a tcpdump on the labgw box (eg. tcpdump -ni vmbr2 port 22 or icmp) while you try to initiate an ssh connection, do you see anything interesting?

FYI to all… I am not sure what happened… but I re-ran al the commands I would normally do for such a box…

systemctl stop firewalld
systemctl disable firewalld
tailscale -up --advertise-routes=x.x.x.x/x
echo ‘net.ipv4.ip_forward = 1’ | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

then tested… same again… I could ping the GW and any other host behind it. I could SSH to the GW and nothing else… I rebooted the GW and hey presto… all working… have since rebooted it many times… and accessed the lab from offsite (over TS network of course!!)

soooooo all good…

not sure what I did wrong… but now… working!!

1 Like

Hmm, that’s mostly good news, though I wonder if other people might run into whatever you did. It sounds a bit like firewalld might have left some iptables rules behind when it shut down, and these were wiped out on reboot.

Good to know you have it working though!

1 Like

sudo ufw allow in on tailscale0 solve the issue for me.