Windows Defender firewall restricts network

Tailscale User: I’ve attached a diagram of a network.

  • “windows pc” can ping 10.130.0.2 (thus routing and relaying are OK)
  • “windows pc” can telnet to 10.130.0.2:1443
  • “windows pc” cannot reach https://10.130.0.2:1443 with Chrome or Edge

If I turn off the Windows Defender Firewall, then it reaches https://10.130.0.2:1443/ just right.

My trace is:

  • Windows has 10.0.0.2 as its default gw
  • It sends traffic for 10.130.0.2 to 10.0.0.2
  • 10.0.0.2 routes that traffic to 10.0.16.2
  • 10.0.16.2 relays that traffic through Tailscale over the internet to 10.130.0.2
  • 10.130.0.2 responds through Tailscale over the internet to 10.0.16.2
  • Response traffic comes out of 10.0.16.2 to “windows pc”
  • “windows pc” gets the traffic, but Windows Defender Firewall drops it before it gets to a browser
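A way to confirm that trace on the Windows PC, added here as an example rather than anything from the thread or from Tailscale: it shows which gateway the outbound packet takes, turns on logging of blocked packets, and then lists the DROP entries for 10.130.0.2:1443 so you can see whether the drop is on the RECEIVE path (the return traffic) without disabling the whole firewall. It assumes the default pfirewall.log location and an elevated PowerShell session.

```powershell
# Added example, not from the original thread. Run as Administrator on "windows pc".
# Assumption: the firewall log is at its default path; change $LogPath if yours differs.

$Target  = '10.130.0.2'
$Port    = 1443
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# 1. Which route and next hop does the outbound packet actually use?
#    Per the trace above this should be the default gateway 10.0.0.2, not the relay 10.0.16.2.
Find-NetRoute -RemoteIPAddress $Target |
    Select-Object -Property IPAddress, InterfaceAlias, DestinationPrefix, NextHop

# 2. Log blocked packets on every profile so the drop becomes visible in pfirewall.log.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True -LogFileName $LogPath

# 3. Reproduce: a bare TCP connect (what telnet did), then retry https://10.130.0.2:1443/
#    in the browser before reading the log.
Test-NetConnection -ComputerName $Target -Port $Port | Select-Object -Property RemoteAddress, TcpTestSucceeded

# 4. Pull DROP entries that involve 10.130.0.2 and port 1443.
#    pfirewall.log field order: date time action protocol src-ip dst-ip src-port dst-port ... path
#    A DROP whose Src is 10.130.0.2:1443 with Path=RECEIVE is the return traffic being blocked.
Get-Content -Path $LogPath |
    Where-Object {
        $_ -match '^\S+ \S+ DROP ' -and
        $_ -match "\b$([regex]::Escape($Target))\b" -and
        $_ -match "\b$Port\b"
    } |
    ForEach-Object {
        $f = $_ -split '\s+'
        [pscustomobject]@{
            Time  = $f[1]
            Proto = $f[3]
            Src   = "$($f[4]):$($f[6])"
            Dst   = "$($f[5]):$($f[7])"
            Path  = $f[-1]
        }
    } | Format-Table -AutoSize
```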

Tailscale Support: Note that we’ve made many improvements to the Windows client since the 1.0.4 stable release. The version at https://pkgs.tailscale.com/unstable/#windows auto-configures the Windows Defender firewall, for instance.

Tailscale User: No, the thing is, the Windows machine does not have the Tailscale client itself installed, it’s reaching the Tailscale network through a relay (10.0.16.2, see my previously attached network diagram).

Tailscale Support: Thanks for the heads up.

We’ll remember this if others hit similar issues, to remind them to check their firewall rules.