Two devices can't communicate with each other

I have 6 devices in my tailscale…

machine1	winserver2008
machine2	windows11
machine3	windows11 VM
laptop1		windows7
phone1		android
phone2		android

I’m having trouble with machine3 and laptop1 communicating. Using the tailscale 100.x addresses:

  • machine3 can ping every device except laptop1
  • laptop1 can ping every device except machine3

However, when I retry the above using tailscale ping, both of these devices can successfully receive a pong from each other.

Interestingly, running tailscale status reveals the following…

  • when I run this command on machine1 or machine2, every device is shown to be online
  • when I run this command on machine3, it reports laptop1 as windows idle, tx 276 rx 220
  • when I run this command on laptop1, it reports machine3 as windows idle, tx 220 rx 276

So, I’m confused why ping, RDP etc. work between the rest of the devices and machine3 or laptop1, but not between those two.

Any advice on how to resolve this?
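The `tailscale status` observations above (every peer online from machine1/machine2, but laptop1 and machine3 each showing the other as idle with only a few hundred bytes exchanged) can be pulled out of `tailscale status --json` mechanically. The script below is an added example, not something posted in this thread: it reads the JSON form of the status output (the field names Self, Peer, HostName, Online, CurAddr, Relay, TxBytes and RxBytes are the CLI's real ones; the sample document and the 1 KiB idle threshold are constructed here) and flags peers that are online but have no direct path and almost no traffic, which is the "tunnel is up, data plane is not" state the question describes.

```python
import json

# Constructed sample of `tailscale status --json` output, trimmed to the
# fields this script reads. The field names are the ones the real CLI
# emits; every value below is made up for this example.
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "machine3", "OS": "windows",
             "TailscaleIPs": ["100.64.0.3"], "Online": True},
    "Peer": {
        "nodekey:aaaa": {"HostName": "machine1", "OS": "windows",
                         "TailscaleIPs": ["100.64.0.1"], "Online": True,
                         "Active": True, "CurAddr": "203.0.113.10:41641",
                         "Relay": "", "TxBytes": 120000, "RxBytes": 98000},
        "nodekey:bbbb": {"HostName": "laptop1", "OS": "windows",
                         "TailscaleIPs": ["100.64.0.4"], "Online": True,
                         "Active": False, "CurAddr": "", "Relay": "lhr",
                         "TxBytes": 276, "RxBytes": 220},
        "nodekey:cccc": {"HostName": "phone2", "OS": "android",
                         "TailscaleIPs": ["100.64.0.6"], "Online": False,
                         "Active": False, "CurAddr": "", "Relay": "",
                         "TxBytes": 0, "RxBytes": 0},
    },
})

# Assumed threshold: a peer that has moved fewer bytes than this in each
# direction has a negotiated tunnel but essentially no traffic over it.
IDLE_BYTES = 1024


def classify_peer(peer):
    """Summarise one Peer entry as "offline", "direct", "relayed" or "idle".

    "idle" means the control plane reports the node online, no direct UDP
    endpoint is in use, and almost nothing has crossed the tunnel: the
    state the thread describes for laptop1 <-> machine3.
    """
    if not peer.get("Online", False):
        return "offline"
    idle = (peer.get("TxBytes", 0) < IDLE_BYTES
            and peer.get("RxBytes", 0) < IDLE_BYTES)
    if peer.get("CurAddr"):          # a direct endpoint has been established
        return "direct"
    if idle:
        return "idle"
    return "relayed"                 # traffic is flowing, but via a DERP relay


def classify_peers(status_json):
    """Map each peer's hostname to its classification."""
    status = json.loads(status_json)
    return {p["HostName"]: classify_peer(p) for p in status["Peer"].values()}


def suspicious_peers(status_json):
    """Peers worth a closer look: online but idle, i.e. tailscale ping would
    succeed (the WireGuard path exists) while ICMP/RDP traffic goes nowhere,
    which is why the replies check host firewalls and ACLs next."""
    return sorted(h for h, c in classify_peers(status_json).items()
                  if c == "idle")


if __name__ == "__main__":
    for host, state in classify_peers(SAMPLE_STATUS).items():
        print(f"{host:10} {state}")
    print("investigate:", ", ".join(suspicious_peers(SAMPLE_STATUS)))
```

To run it against a live machine, replace `SAMPLE_STATUS` with the output of `tailscale status --json`; running it on both ends of a broken pair and comparing which side lists the other as idle narrows the problem to one host's filtering rather than to the tailnet as a whole.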

Have you enabled Windows Firewall or any other firewall on machine3 and laptop1?
If yes, you need to allow icmp/ping from any source.

For testing, disable your firewall for all locations (public, private, domain) and test again if you can connect those two devices.

To rule that out, I turned the firewall off on both devices. Same result, they still couldn’t ping each other.

Ok, have you enabled subnet routers? Or maybe have an ACL that is blocking the access?
Furthermore, did you tag your devices or let them be “your” devices?

I also have some idle devices; I suggest they are connected but not doing anything.

No subnet routes setup (I double-checked the route settings for each machine to make sure they’re blank). Also, no ACLs or Tags defined; I believe my policy file is still the default…

// Example/default ACLs for unrestricted connections.
{
	// Declare static groups of users beyond those in the identity service.
	"groups": {},

	// Declare convenient hostname aliases to use in place of IP addresses.
	"hosts": {},

	"tagOwners": {},

	// Access control lists.
	"acls": [
		// Match absolutely everything.
		//{"action": "accept", "users": ["*"], "ports": ["*:*"]},
	],

	"ssh": [
		// Allow all users to SSH into their own devices in check mode.
		// Comment this section out if you want to define specific restrictions.
		{
			"action": "check",
			"src":    ["autogroup:members"],
			"dst":    ["autogroup:self"],
			"users":  ["autogroup:nonroot", "root"],
		},
	],
}

Any other suggestions on how to test the issue? Would it be worth raising a bug report?

ACL looks good to me. I’ve no idea why it’s not working. Maybe create a support ticket first before raising a bug report.