I hope I am doing something really stupid after a long day!!!
I have a very simple setup that I know I have had working before. BUT… lo and behold… I can’t get it going now!!
Ok… Basically I have a Proxmox host. On this host I have a single NIC. I have created two virtual interfaces. One is “public” facing (RE: on my internal LAN) and the other is PRIVATE… no routing or anything, just a subnet to run on the host only.
I have a Gateway VM on the box… with 2 NICs. One on the LAN and one on the Private subnet. On this box I have installed Tailscale: connected, authorised, etc. All good. I have enabled subnet routing through the --advertise-subnet argument etc… modded the appropriate sys files etc. Now… I can PING the said VM on both interfaces from my laptop. So it appears TS is working. I can then, through this VM, ping other hosts on the Private subnet, but this is where I run into problems… I can ping but not connect otherwise. One of these private boxes is a straight up Linux box, so I am trying to SSH in. If I am on the GW VM I can SSH to the said box, but not from my laptop which is on the LAN side of the network…
Please tell me I am missing something dumb?? My brain hurts!!
vmbr0 is connected to my normal LAN (172.16.0.0/16)
vmbr2 is connected to my “private” (host only) subnet (10.10.10.0/24)
I have a CentOS 8 (labGW) box I am looking to use as a router of sorts. I have done this before in AWS so I know it works.
Basically the LabGW has two NICs. One into vmbr0 (with gateway etc…) and one into vmbr2. At this point, from my laptop (on the LAN) I can ping and ssh into the vmbr0 interface but not the vmbr2 interface (as expected when there are no routes etc…)
I install TS and advertise the 10.10.10.0/24 subnet, make the changes needed in both the OS and the admin console (including stopping the firewalld service - it’s a personal lab so I don’t need a FW). Hey presto… from my laptop I can now ping the second NIC (10.10.10.1) and I can even SSH into that IP. All good!!
Now I have a second CentOS 8 box. Let’s call it Demo1. This box is only connected to vmbr2, as it is a lab box for demos!!
From the LabGW I can ping and SSH into Demo1. Again all good.
I now hit my issue!! From my laptop I can ping and SSH into LabGW on both interfaces (well, all three if you include the TS interface). When I try to ping Demo1 I receive a return… as expected. But I cannot SSH into Demo1. This is the same for another box which has an HTTPS interface… I can ping, but not bring up the web console.
I know it’s something simple… but I can’t see the wood for the trees at the moment!!!
Hi @vyper013,
Could you share your domain and specific Tailscale IP address?
Feel free to email support@tailscale.com if you don’t wish to share that here.
Thanks!
This looks like an interesting issue, and sounds like it might be related to firewall settings on either your labgw box or your demo1 box.
If you do a tcpdump on the labgw box (e.g. tcpdump -ni vmbr2 port 22 or icmp) while you try to initiate an ssh connection, do you see anything interesting?
then tested… same again… I could ping the GW and any other host behind it. I could SSH to the GW and nothing else… I rebooted the GW and hey presto… all working… have since rebooted it many times… and accessed the lab from offsite (over TS network of course!!)
Hmm, that’s mostly good news, though I wonder if other people might run into whatever you did. It sounds a bit like firewalld might have left some iptables rules behind when it shut down, and these were wiped out on reboot.
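A small check for the "leftover firewall rules on the subnet router" theory above, added here as an example and not code from the thread or from Tailscale. It walks the FORWARD chain of the router (labGW) in order and reports the verdict a new connection would get, so the "ping forwards, SSH does not" contrast can be explained from the rules rather than guessed at; the interface names tailscale0 and vmbr2 and the sample ruleset are assumptions.

```shell
#!/bin/sh
# Added diagnostic for the subnet router (labGW); not code from the thread.
# Reads `iptables -S FORWARD` output on stdin and prints the first terminal
# verdict (ACCEPT/DROP/REJECT) that a NEW connection entering on INIF,
# leaving on OUTIF, with protocol PROTO would hit. Falls back to the policy.
# Interface names tailscale0/vmbr2 below are assumptions for this lab.
forward_verdict() {
    awk -v inif="$1" -v outif="$2" -v proto="$3" '
        $1 == "-P" && $2 == "FORWARD" { policy = $3; next }
        $1 != "-A" || $2 != "FORWARD" { next }
        # rules that only match RELATED,ESTABLISHED never see the first SYN
        /RELATED,ESTABLISHED/ && !/NEW/ { next }
        {
            m_in = 1; m_out = 1; m_proto = 1; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") m_in    = ($(i+1) == inif)
                if ($i == "-o") m_out   = ($(i+1) == outif)
                if ($i == "-p") m_proto = ($(i+1) == proto)
                if ($i == "-j") target  = $(i+1)
            }
            if (m_in && m_out && m_proto &&
                (target == "ACCEPT" || target == "DROP" || target == "REJECT")) {
                print target; found = 1; exit
            }
        }
        END { if (!found) print (policy == "" ? "ACCEPT" : policy) }'
}

# Constructed sample (simplified, firewalld-like shape): ICMP is allowed
# through, but a new TCP connection falls to the catch-all REJECT. That is
# the "ping works, ssh does not" symptom described in the thread.
RULES_SAMPLE='-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Live check on the router itself (needs root): forwarding flag plus the
# verdict for the two protocols the thread contrasts.
audit_forward() {
    printf 'net.ipv4.ip_forward = %s\n' "$(sysctl -n net.ipv4.ip_forward)"
    for p in icmp tcp; do
        printf '%s -> %s (%s): %s\n' "$1" "$2" "$p" \
            "$(iptables -S FORWARD | forward_verdict "$1" "$2" "$p")"
    done
}

printf '%s\n' "$RULES_SAMPLE" | forward_verdict tailscale0 vmbr2 icmp   # ACCEPT
printf '%s\n' "$RULES_SAMPLE" | forward_verdict tailscale0 vmbr2 tcp    # REJECT
```

On CentOS 8 firewalld uses the nftables backend by default, so its rules live in its own nft table and may not appear in `iptables -S` at all; `nft list ruleset` is then the place to look for leftovers.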