Netgate Discussion Forum

    Tailscale site to site, am I missing something?

    • andres-asm

      Hello,
      I have set up Tailscale on three locations; I have advertised routes and set both ends to accept the routes.

      I see the routes in the routing table.
      Sites are:

      • Home: 192.168.1.0/24
      • Cloud: 192.168.200.0/24
      • Office: 192.168.0.0/24

      It's "working", as in on the Cloud site pfSense I can ping 192.168.0.1, for instance:

      ping -c 3 192.168.0.1
      PING 192.168.0.1 (192.168.0.1): 56 data bytes
      64 bytes from 192.168.0.1: icmp_seq=0 ttl=64 time=98.437 ms
      64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=98.234 ms
      64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=98.226 ms
      
      --- 192.168.0.1 ping statistics ---
      3 packets transmitted, 3 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 98.226/98.299/98.437/0.097 ms
      

      No idea what source is being used for that ping, because when I ping using my LAN address as source it no longer works:

      ping -c 3 -S 192.168.200.1 192.168.0.1
      PING 192.168.0.1 (192.168.0.1) from 192.168.200.1: 56 data bytes
      
      --- 192.168.0.1 ping statistics ---
      3 packets transmitted, 0 packets received, 100.0% packet loss
      

      So, besides approving the routes, is there anything else I must do on the Tailscale side? Isn't the default ACL enough?

      • mcury @andres-asm

        @andres-asm said in Tailscale site to site, am I missing something?:

        So, besides approving the routes, is there anything else I must do on the Tailscale side? Isn't the default ACL enough?

        You are probably missing the outbound NAT for Tailscale.

        Note that, if the Tailscale interface doesn't show up for selection during the creation of the NAT, you will need to follow this thread.

        dead on arrival, nowhere to be found.

        • andres-asm @mcury

          @mcury I have to NAT for a LAN to LAN connection?

          • mcury @andres-asm

            @andres-asm said in Tailscale site to site, am I missing something?:

            I have to NAT for a LAN to LAN connection?

            For me, it only works when I create the NAT.
            Also, you need to log in to the Tailscale console and allow the networks you are advertising for that peer.


            • andres-asm @mcury

              @mcury Ahh, that's odd, so NAT on the Tailscale interface I guess.

              • mcury @andres-asm

                @andres-asm said in Tailscale site to site, am I missing something?:

                @mcury Ahh, that's odd, so NAT on the Tailscale interface I guess.

                Yes, but sometimes, I don't know why, the interface doesn't show up there for selection.
                If that is the case, check the second link I provided in my first post.


                • jonsed @andres-asm

                  @andres-asm said in Tailscale site to site, am I missing something?:

                  @mcury I have to NAT for a LAN to LAN connection?

                  I think so. I asked something similar here (not as succinctly 🙄):

                  https://forum.netgate.com/topic/179612/can-pfsense-route-to-a-tailscale-subnet-without-nat

                  Tailscale can do this on supported OSes with the flag:

                  --snat-subnet-routes=false

                  But FreeBSD doesn't support this (yet). For progress, see:

                  https://github.com/tailscale/tailscale/issues/5573

                  • banosr

                    I am having the same problem: Tailscale appears as an option in NAT, but I don't know how to set it up, or even if I need to set it up on both Netgates. I am really new at this, so please help.

                    • mcury @banosr (last edited by mcury)

                      @banosr said in Tailscale site to site, am I missing something?:

                      I am having the same problem: Tailscale appears as an option in NAT, but I don't know how to set it up, or even if I need to set it up on both Netgates. I am really new at this, so please help.

                      Christian McDonald explains how to create the NAT in the YouTube video below:
                      YouTube Video


                      • banosr

                        It helped a lot, but in NAT, in the translation address, I don't have Tailscale as an option. I saw another link at the beginning of this thread, but I didn't understand what I need to do.

                        • mcury @banosr

                          @banosr said in Tailscale site to site, am I missing something?:

                          It helped a lot, but in NAT, in the translation address, I don't have Tailscale as an option. I saw another link at the beginning of this thread, but I didn't understand what I need to do.

                          Check what your Tailscale IP address is; check the Tailscale tab for that.
                          Then go to Firewall / Virtual IPs, click Add and:

                          [image: screenshot of the Virtual IP settings, not reproduced]

                          More details: https://redmine.pfsense.org/issues/14987#note-8

                          • banosr @mcury

                            @mcury Thanks, I did it on site A and B and it is not working. Any other idea, or info you need to help me out?

                            • mcury @banosr

                              @banosr Check your routing table; check if you have routes using the 100.x.x.x address.
                              Then, if you have dual WAN, check your firewall rules on the LAN side: you need to allow connections to the remote subnets using the default gateway (don't set a gateway in these rules).

                              With the information I got from you, this is all I can think of right now.

                              • banosr @mcury

                                @mcury Thanks for all your help, I finally was able to fix it. My modem was assigning a private address to the WAN port; I just needed to unblock private addresses on the WAN.

                                • mcury @banosr
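The two checks mcury and banosr end up on above (routes to the remote subnets must point at a 100.x.x.x Tailscale peer, and a WAN port handed an RFC 1918 address by the modem trips pfSense's "Block private networks" option) as a small offline diagnostic. This is an added example, not code from the thread or from Netgate; the `netstat -rn` sample, the `tailscale0` interface name and every address in it are constructed assumptions.

```python
import ipaddress

# Tailscale hands every node an address from the CGNAT block 100.64.0.0/10,
# so subnet routes learned from a peer show a 100.x.x.x gateway.
TAILSCALE_RANGE = ipaddress.ip_network("100.64.0.0/10")
# pfSense's "Block private networks" WAN option drops RFC 1918 sources.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `netstat -rn -4` output in FreeBSD/pfSense layout.
# The tailscale0 interface name and all addresses are assumptions.
SAMPLE_ROUTES = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
192.168.0.0/24     100.101.102.103    UGS  tailscale0
192.168.200.0/24   link#1             U           em1
"""

def parse_routes(text):
    """Map destination -> gateway for each data row of netstat -rn output."""
    routes = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) >= 2:
            routes[parts[0]] = parts[1]
    return routes

def route_findings(netstat_text, remote_subnets):
    """One finding per remote subnet: 'ok' only if it is routed via a Tailscale peer."""
    routes = parse_routes(netstat_text)
    findings = {}
    for subnet in remote_subnets:
        gw = routes.get(subnet)
        if gw is None:
            findings[subnet] = "missing: no route, check the subnet is advertised and approved"
            continue
        try:
            via_tailscale = ipaddress.ip_address(gw) in TAILSCALE_RANGE
        except ValueError:  # e.g. a link#N gateway for a directly attached subnet
            via_tailscale = False
        findings[subnet] = "ok" if via_tailscale else f"wrong path: gateway {gw} is not a 100.x.x.x peer"
    return findings

def wan_private_finding(wan_ip):
    """Flag a WAN address the upstream modem took from RFC 1918 space."""
    addr = ipaddress.ip_address(wan_ip)
    if any(addr in net for net in RFC1918):
        return "WAN address is private: disable 'Block private networks' on WAN"
    return "ok"
```

Feed it the real `netstat -rn -4` output from the pfSense shell and the WAN address shown on the dashboard; a subnet that comes back "missing" is the case mcury describes, where the route was never advertised or approved in the Tailscale console.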

                                  @banosr said in Tailscale site to site, am I missing something?:

                                  Thanks for all your help, I finally was able to fix it. My modem was assigning a private address to the WAN port; I just needed to unblock private addresses on the WAN.

                                  Good to hear 👍

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.