Subnet route advertisement scope

ttnickb · November 21, 2022, 5:04pm

Overview:

I am looking into Tailscale to use for remote access to devices. Each device has a LAN subnet (always 192.168.1.x) that I would like to forward on a conditional basis. e.g. “review and approve” the subnet when the remote access is needed for device XYZ, and then disable when done.

This works great if I am the only user, but I am trying to understand how this approach to subnets would scale for a corporate Tailscale account with multiple users. There are times when two or more users would simultaneously want access to the subnets of different devices…but if the identical subnet is approved and advertised across the Tailscale network, I presume there would be overlap and routing issues.

Questions:

Is subnet approval done on a per-user basis? So user A can approve a different list of subnets than user B?

Is some alternative approach recommended for this situation?

Thanks!

GavinGreenwalt · November 21, 2022, 9:25pm

Subnet access can be managed via ACLs.

Network access controls (ACLs) · Tailscale

so you could so something like…

"hosts": {
  "example-network-1": "192.168.1.0/24",
  "example-network-2": "192.168.2.0/24",
},

  "acls": [
    {
      "action": "accept",
      "src": ["bob@corp.com"],
      "dst": ["example-network-1:*"],
    },
    {
      "action": "accept",
      "src": ["jane@corp.com"],
      "dst": ["example-network-2:*"],
    },

ttnickb · November 23, 2022, 5:24pm

Thanks @GavinGreenwalt .

I want to confirm:

In your example the host networks are unique subnets.
In my case, the subnets will all be identical…but attached to different physical devices.

Is there a syntax for naming or tagging the subnets of particular devices, so that an ACL can allow users access to different device+subnet combos?

GavinGreenwalt · November 23, 2022, 5:39pm

Ooops! Misread.

There is a feature for this. But it’s a Business level not Teams plan level feature so I’m too cheap to have tested it haha.

4via6 subnet routers · Tailscale

ttnickb · November 30, 2022, 3:52pm

Thanks. I cannot try it since it is a Business level feature but the 4via6 router seems like what we’d need.

Can anyone comment on the “alpha” status of it?

Topic		Replies	Views
Multiple Identical Subnets? SUPPORT QUESTIONS	2	1042	February 14, 2022
Am I misunderstanding subnet routing? SUPPORT QUESTIONS	3	516	July 1, 2022
Sharing subnet? SUPPORT QUESTIONS	0	1577	November 20, 2022
Separate subnet routers for clients in tailscale network	0	1234	July 14, 2023
Possible IP conflict when using Tailscale and a subnet router on a remote LAN? Tailscale About articles (troubleshooting, info)	3	2609	June 12, 2023

Subnet route advertisement scope

Related Topics