Why does "tailscale ping" bypass ACLs?

If I have ACLs and they are effectively preventing a node from pinging/establishing connections to other Tailscale nodes, why does "tailscale ping" bypass this?

tailscale ping is not sending an ICMP ping at the IP layer; it is checking lower-level connectivity.

If ACLs prevent two nodes from communicating at all, on any port, then netmap trimming will remove them from each other’s netmaps. Even tailscale ping will not work; the two nodes cannot establish a WireGuard tunnel at all.

Hello DGentry, thank you for the quick response.

I am unfamiliar with the term netmap trimming, but I am guessing my ACLs are not correctly implemented?

Below is an example of the ACLs. I thought that this would make it so that nodes with tag:untrusted could only communicate with themselves? I did this because there was no action=deny option according to the documentation.

"acls": [
  // Match absolutely everything. Comment out this section if you want
  // to define specific ACL restrictions.
  { "action": "accept", "users": ["user@gmail.com"], "ports": ["*:*"] },
  { "action": "accept", "users": ["tag:untrusted"], "ports": ["tag:untrusted:*"] },
],

With this implemented, I cannot ping or telnet a port on any other Tailscale device. But it sounds like this isn’t the correct way to implement it?


Because user@gmail.com can connect to everything, everything must be told about the existence of user@gmail.com’s nodes. They have to be able to establish a WireGuard tunnel if user@gmail.com tries to connect to them.

Therefore, tailscale ping will work. tailscale ping is implemented in roughly the same place which knows about how to set up WireGuard tunnels.

If this ACL is removed until actually needed, then tag:untrusted won’t even be told that user@gmail.com’s nodes exist. tailscale ping won’t work because they have no ability to establish a WireGuard tunnel.
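
Added example (not part of the thread and not Tailscale's own code): a simplified Python model of the netmap trimming described above, run against the two rules from the post. The node names, the `NODES` table and the `allows`/`netmap` helpers are assumptions made for illustration.

```python
# Simplified model of netmap trimming (an assumption, not Tailscale's code):
# a peer stays in a node's netmap if any accept rule permits traffic between
# the two nodes in either direction.

NODES = {  # constructed sample nodes: name -> identities (owner or tags)
    "laptop": {"user@gmail.com"},
    "server": {"user@gmail.com"},
    "iot-1": {"tag:untrusted"},
    "iot-2": {"tag:untrusted"},
}

ACLS_FROM_POST = [
    {"action": "accept", "users": ["user@gmail.com"], "ports": ["*:*"]},
    {"action": "accept", "users": ["tag:untrusted"], "ports": ["tag:untrusted:*"]},
]

def _matches(selector, identities):
    return selector == "*" or selector in identities

def allows(acls, src, dst, nodes=NODES):
    """True if some accept rule lets src open a connection to dst."""
    for rule in acls:
        if rule["action"] != "accept":
            continue
        if not any(_matches(u, nodes[src]) for u in rule["users"]):
            continue
        for port_spec in rule["ports"]:
            # "tag:untrusted:*" -> host part "tag:untrusted"; "*:*" -> "*"
            host = port_spec.rsplit(":", 1)[0]
            if _matches(host, nodes[dst]):
                return True
    return False

def netmap(acls, node, nodes=NODES):
    """Peers `node` is told about: reachable from it, or able to reach it."""
    return sorted(
        p for p in nodes
        if p != node and (allows(acls, node, p, nodes) or allows(acls, p, node, nodes))
    )

if __name__ == "__main__":
    print("with both rules:   ", netmap(ACLS_FROM_POST, "iot-1"))
    print("without first rule:", netmap(ACLS_FROM_POST[1:], "iot-1"))
```

In this model, iot-1 cannot open a connection to laptop, yet laptop stays in its netmap because the first rule lets laptop connect inbound; that retained peer entry is what tailscale ping exercises.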