Windows Defender firewall restricts network

Tailscale User: I’ve attached a diagram of a network.

  • “windows pc” can ping (thus routes and relaying are ok)
  • “windows pc” can telnet
  • “windows pc” cannot reach with Chrome or Edge

If I turn off the Windows Defender Firewall, then it reaches just right.

My trace is:

  • Windows has as default gw
  • Sends traffic to through to
  • routes that traffic to
  • relays that traffic through Tailscale over the internet onto
  • responds through Tailscale over the internet onto
  • response traffic comes out of to “windows pc”
  • “windows pc” gets the traffic, but Windows Defender Firewall drops it before it gets to a browser

Tailscale Support: Note that we’ve made many improvements to the Windows client since the 1.0.4 stable release. The version at auto-configures the Windows Defender firewall, for instance.

Tailscale User: No, the thing is, the Windows machine does not have the Tailscale client itself installed; it’s reaching the Tailscale network through a relay (, see my previously attached network diagram).

Tailscale Support: Thanks for the heads up.

We’ll remember this if others hit similar issues, to remind them to check their firewall rules.