Tailscale site to site, am I missing something?
-
Hello
I have set up Tailscale on three locations, advertised routes and set both ends to accept the routes. I see the routes in the routing table.
Sites are:
- Home: 192.168.1.0/24
- Cloud: 192.168.200.0/24
- Office: 192.168.0.0/24
It's "working", in that on the Cloud site pfSense I can ping 192.168.0.1, for instance:
```
ping -c 3 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: icmp_seq=0 ttl=64 time=98.437 ms
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=98.234 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=98.226 ms
--- 192.168.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 98.226/98.299/98.437/0.097 ms
```
No idea what source is being used for that ping... because when I ping using my LAN address as source it no longer works:
```
ping -c 3 -S 192.168.200.1 192.168.0.1
PING 192.168.0.1 (192.168.0.1) from 192.168.200.1: 56 data bytes
--- 192.168.0.1 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
```
So, besides approving the routes, is there anything else I must do on the Tailscale side? Isn't the default ACL enough?
-
@andres-asm said in Tailscale site to site, am I missing something?:
So, besides approving the routes, is there anything else I must do on the tailscale side? isn't the default ACL enough?
You are probably missing the outbound NAT for Tailscale.
Note that, if the tailscale interface doesn't show up for selection during the creation of the NAT, you will need to follow this thread.
-
@mcury I have to NAT for a LAN to LAN connection?
-
@andres-asm said in Tailscale site to site, am I missing something?:
I have to NAT for a LAN to LAN connection?
For me, it only works when I create the NAT.
Also, you need to log in to the Tailscale console and allow the networks you are advertising for that peer.
-
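Added here as an illustration, not code from either poster: a simplified model of why the two pings above behave differently. The far end only accepts a tunnel packet whose source is an address it associates with the sending peer (its tailnet address, or an advertised route approved in the admin console); outbound NAT on the Tailscale interface rewrites any other source to the tailnet address so it always passes. The 100.64.0.x tailnet addresses are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's three sites. The tailnet addresses
# (100.64.0.x) are placeholders, not values taken from the thread.
SITES = {
    "home":   {"lan": ip_network("192.168.1.0/24"),   "ts_ip": ip_address("100.64.0.1")},
    "cloud":  {"lan": ip_network("192.168.200.0/24"), "ts_ip": ip_address("100.64.0.2")},
    "office": {"lan": ip_network("192.168.0.0/24"),   "ts_ip": ip_address("100.64.0.3")},
}


def allowed_sources(site, approved_routes):
    """Source networks the far end associates with this peer: its own tailnet
    address, plus its advertised LAN route if that route was approved."""
    allowed = [ip_network(SITES[site]["ts_ip"])]
    if site in approved_routes:
        allowed.append(SITES[site]["lan"])
    return allowed


def classify(src, from_site, approved_routes, nat_on_tailscale):
    """Outcome for a packet leaving `from_site` with source `src` over the tunnel.

    'pass'        - source already acceptable to the far end
    'pass-natted' - only passes because outbound NAT rewrote it to the tailnet IP
    'drop'        - far end does not associate this source with the sending peer
    """
    src = ip_address(src)
    if any(src in net for net in allowed_sources(from_site, approved_routes)):
        return "pass"
    if nat_on_tailscale:
        return "pass-natted"
    return "drop"


def thread_pings(approved_routes=frozenset(), nat_on_tailscale=False):
    """The two pings from the first post, sent from the Cloud pfSense.
    The first uses the tailnet address as source, the second the LAN address."""
    return {
        "default_source": classify("100.64.0.2", "cloud", approved_routes, nat_on_tailscale),
        "lan_source": classify("192.168.200.1", "cloud", approved_routes, nat_on_tailscale),
    }
```

Either approving the Cloud route in the console or adding the outbound NAT turns the second ping into a pass; the NAT variant works even when approval is missing, which matches the workaround reported in this thread.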
@mcury ahh that's odd, so NAT on the tailscale interface I guess
-
@andres-asm said in Tailscale site to site, am I missing something?:
@mcury ahh that's odd, so NAT on the tailscale interface I guess
Yes, but sometimes, I don't know why, the interface doesn't show up there for selection.
If that is the case, check the second link I provided in my first post.
-
@andres-asm said in Tailscale site to site, am I missing something?:
@mcury I have to NAT for a LAN to LAN connection?
I think so. I asked something similar here (not as succinctly):
https://forum.netgate.com/topic/179612/can-pfsense-route-to-a-tailscale-subnet-without-nat
Tailscale can do this on supported OSes with the flag:
`--snat-subnet-routes=false`
But FreeBSD doesn't support this (yet). For progress, see: