Subnet route advertisement scope

ttnickb · November 21, 2022, 5:04pm

Overview:

I am looking into Tailscale to use for remote access to devices. Each device has a LAN subnet (always 192.168.1.x) that I would like to forward on a conditional basis. e.g. “review and approve” the subnet when the remote access is needed for device XYZ, and then disable when done.

This works great if I am the only user, but I am trying to understand how this approach to subnets would scale for a corporate Tailscale account with multiple users. There are times when two or more users would simultaneously want access to the subnets of different devices…but if the identical subnet is approved and advertised across the Tailscale network, I presume there would be overlap and routing issues.

Questions:

Is subnet approval done on a per-user basis? So user A can approve a different list of subnets than user B?

Is some alternative approach recommended for this situation?

Thanks!

GavinGreenwalt · November 21, 2022, 9:25pm

Subnet access can be managed via ACLs.

Network access controls (ACLs) · Tailscale

so you could so something like…

"hosts": {
  "example-network-1": "192.168.1.0/24",
  "example-network-2": "192.168.2.0/24",
},

  "acls": [
    {
      "action": "accept",
      "src": ["bob@corp.com"],
      "dst": ["example-network-1:*"],
    },
    {
      "action": "accept",
      "src": ["jane@corp.com"],
      "dst": ["example-network-2:*"],
    },

ttnickb · November 23, 2022, 5:24pm

Thanks @GavinGreenwalt .

I want to confirm:

In your example the host networks are unique subnets.
In my case, the subnets will all be identical…but attached to different physical devices.

Is there a syntax for naming or tagging the subnets of particular devices, so that an ACL can allow users access to different device+subnet combos?

GavinGreenwalt · November 23, 2022, 5:39pm

Ooops! Misread.

There is a feature for this. But it’s a Business level not Teams plan level feature so I’m too cheap to have tested it haha.

4via6 subnet routers · Tailscale

ttnickb · November 30, 2022, 3:52pm

Thanks. I cannot try it since it is a Business level feature but the 4via6 router seems like what we’d need.

Can anyone comment on the “alpha” status of it?

Topic		Replies	Views
Help with ACLs and Subnet Routers ACL (Access Control Lists)	1	1308	December 16, 2022
Multiple Identical Subnets? SUPPORT QUESTIONS	2	1379	February 14, 2022
Help filtering routes access Linux	1	759	July 20, 2021
Creating multiple subnetwork like networking	1	533	July 25, 2022
Using ACL to separate multiple networks with same subnet advertisements ACL (Access Control Lists)	0	792	June 12, 2023

Subnet route advertisement scope

Related Topics