Windows Defender firewall restricts network

Tailscale User: I’ve attached a diagram of a network.

• “windows pc” can ping 10.130.0.2 (thus routes and relaying is ok)
• “windows pc” can telnet 10.130.0.2:1443
• “windows pc” cannot reach https://10.130.0.2:1443 with Chrome nor Edge

If I turn off the Windows Defender Firewall, then it reaches https://10.130.0.2:1443/ just right.

My trace is:

• Windows has 10.0.0.2 as default gw
• Sends traffic to 10.130.0.2 through to 10.0.0.2
• 10.0.0.2 routes that traffic to 10.0.16.2
• 10.0.16.2 relays that traffic through tailscale over the internet onto 10.130.0.2
• 10.130.0.2 responds through tailscale over the internet onto 10.0.16.2
• response traffic comes out of 10.0.16.2 to “windows pc”
• “windows pc” gets the traffic, but windows defender firewall drops it before it gets to a browser

image1224×1014 44 KB

Tailscale Support: Note that we’ve made many improvements to the Windows client since the 1.0.4 stable release. The version at https://pkgs.tailscale.com/unstable/#windows auto configures the Windows Defender firewall, for instance.

Tailscale User: No, the thing is, the Windows machine does not have the Tailscale client itself installed, it’s reaching the Tailscale network through a relay (10.0.16.2, see my previously attached network diagram).

Tailscale Support: Thanks for the heads up.

We’ll remember this if others hit similar issues, to remind them to check their firewall rules.