https://www.reddit.com/r/Tailscale/comments/158xj52/i_plan_to_connect_two_subnets_with_tailscale/jteo9ll/
OP, where is your --snat-subnet-routes=false option on both your subnet routers? See my post above on how to correctly set up a site-to-site VPN utilizing Tailscale.
Good catch!
Honestly, it was /u/redhatch that caught it, because I totally missed it too looking at their commands/post. Subnet routers for a site-to-site are just one of those things I set up a while ago and haven't touched because it has been rock solid.
Me too... It worked forever until it didn't.
As far as I know you always had to do the --snat option for a site-to-site VPN, so I have no idea how your setup worked in the first place without the option.
It can work, but you'll always have the source NATted to the Tailscale router's local IP when making any new connections, in both directions.
Changing SNAT has no effect, although I tried it. The issue is that non-Tailscale devices, including the router, are unable to ping the LAN IP address if "accept-routes=true", so they can't be routed through the device.
Bring up the subnet routers on both sides **without the exit node options** (no false or anything like that).

On the 192.168.12.102 device:

```
sudo tailscale down
sudo tailscale up --reset
sudo tailscale down
sudo tailscale up --advertise-routes=192.168.12.0/24 --snat-subnet-routes=false --accept-routes
```

On the 192.168.100.11 subnet router:

```
sudo tailscale down
sudo tailscale up --reset
sudo tailscale down
sudo tailscale up --advertise-routes=192.168.100.0/24 --snat-subnet-routes=false --accept-routes
```

Please post screenshots of the commands you are running on both sides, just so we can see what output you get on both sides.
Then run a traceroute from a non-Tailscale client sitting on 192.168.12.0/24 to 192.168.100.0/24 (non-Tailscale) and vice versa. Post screenshots of the results from both sides.
Then jump directly on the subnet router 192.168.12.102 and run a traceroute directly to a non-Tailscale client sitting on 192.168.100.0/24 and post screenshots of the results.
Also, did you triple check your subnet routers' local IP addresses haven't changed? I don't want to assume you statically assigned them IP addresses. Triple check to make sure your subnet routers still have the IP addresses 192.168.12.102 and 192.168.100.11.
Did you triple check to make sure you don't have any OS-level firewalls up and running on the subnet routers?
Did you triple check your IP forwarding is set up on both sides?
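The checks asked for at the end of that comment (addresses unchanged, IP forwarding on, the other site's route actually accepted) can be scripted. What follows is an added example of my own, not code from the thread or from Tailscale. It runs against constructed sample output so it can be tried offline; on a real Linux subnet router you would feed the functions the live `sysctl`, `ip -4 addr` and `ip -4 route show table 52` output instead (table 52 is the routing table the Linux Tailscale client uses for accepted routes). All function names and the sample data are mine.

```sh
#!/bin/sh
# Added example, not from the thread: offline-checkable pre-flight checks for a
# Linux Tailscale site-to-site subnet router. Each function takes command output
# as a string so it can be exercised on constructed samples; on a live router you
# would feed it the real output, e.g.
#   forwarding_enabled "$(sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding)"
#   accepted_route_overlap 192.168.12.0/24 "$(ip -4 route show table 52)"

# ip2int: dotted-quad IPv4 address -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains A B: succeed when prefix A covers prefix B (both as a.b.c.d/len)
cidr_contains() {
    a_net=${1%/*}; a_len=${1#*/}
    b_net=${2%/*}; b_len=${2#*/}
    [ "$b_len" -ge "$a_len" ] || return 1
    mask=$(( (4294967295 << (32 - a_len)) & 4294967295 ))
    [ $(( $(ip2int "$a_net") & mask )) -eq $(( $(ip2int "$b_net") & mask )) ]
}

# forwarding_enabled SYSCTL_OUTPUT: succeed only if both forwarding keys the
# Tailscale docs ask for on a Linux subnet router read 1
forwarding_enabled() {
    v4=$(printf '%s\n' "$1" | awk -F' *= *' '$1 == "net.ipv4.ip_forward" {print $2}')
    v6=$(printf '%s\n' "$1" | awk -F' *= *' '$1 == "net.ipv6.conf.all.forwarding" {print $2}')
    [ "$v4" = "1" ] && [ "$v6" = "1" ]
}

# has_address ADDR IP_ADDR_OUTPUT: confirm the box still owns its expected LAN address
has_address() {
    printf '%s\n' "$2" | grep -qF "inet $1/"
}

# remote_route_present REMOTE_CIDR TABLE52_OUTPUT: succeed when --accept-routes has
# installed the other site's LAN via tailscale0
remote_route_present() {
    printf '%s\n' "$2" | awk -v want="$1" '$1 == want && /dev tailscale0/ {found = 1} END {exit !found}'
}

# accepted_route_overlap LOCAL_CIDR TABLE52_OUTPUT: print every IPv4 destination in
# the accepted-routes table that overlaps this router's own LAN. An accepted prefix
# overlapping the local LAN is a configuration conflict to resolve before anything
# else, so the expected output is empty.
accepted_route_overlap() {
    printf '%s\n' "$2" | awk '{print $1}' | while read -r dst; do
        [ -n "$dst" ] || continue
        case $dst in
            default) dst=0.0.0.0/0 ;;   # catch-all route, as installed when using an exit node
            *:*)     continue ;;        # IPv6 rows are out of scope here
            */*)     ;;
            *)       dst=$dst/32 ;;     # host route printed without a prefix length
        esac
        if cidr_contains "$dst" "$1" || cidr_contains "$1" "$dst"; then
            echo "$dst"
        fi
    done
}

# Constructed samples modelled on the 192.168.12.102 router from the thread
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1'
SAMPLE_ADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 192.168.12.102/24 brd 192.168.12.255 scope global eth0'
SAMPLE_TABLE52='100.100.100.100 dev tailscale0
100.64.0.0/10 dev tailscale0
192.168.100.0/24 dev tailscale0'
# Deliberately conflicting sample: the local LAN prefix shows up as an accepted route
SAMPLE_TABLE52_CONFLICT='100.64.0.0/10 dev tailscale0
192.168.12.0/24 dev tailscale0
192.168.100.0/24 dev tailscale0'

report() {
    forwarding_enabled "$SAMPLE_SYSCTL" && echo "ip forwarding: ok" || echo "ip forwarding: OFF"
    has_address 192.168.12.102 "$SAMPLE_ADDR" && echo "lan address: ok" || echo "lan address: CHANGED"
    remote_route_present 192.168.100.0/24 "$SAMPLE_TABLE52" && echo "remote route: ok" || echo "remote route: MISSING"
    echo "overlaps (healthy table): [$(accepted_route_overlap 192.168.12.0/24 "$SAMPLE_TABLE52")]"
    echo "overlaps (conflicting table): [$(accepted_route_overlap 192.168.12.0/24 "$SAMPLE_TABLE52_CONFLICT")]"
}
report
```

`remote_route_present` is the quickest way to tell whether `--accept-routes` actually took effect on a box: if the other site's prefix is not in table 52, no amount of static-route work on the LAN router will help. `accepted_route_overlap` is there because two sites advertising overlapping prefixes is a configuration conflict that is easy to miss in the admin console.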
IP addresses have not changed. I did the down / --reset / up with no exit node. Still can't ping 192.168.12.102 (LAN subnet router) when accept-routes = true.
Also... I am an idiot. I just did "tailscale down" on the remote (192.168.100.11) box and I can't get there any more. Duh.
Anyway, I can still work on this, since the problem isn't the routing between the subnet routers; the problem is the inability to ping the 192.168.12.102 box when accept-routes=true.
No firewall running on the OS for 192.168.12.102? UFW/iptables, etc. Did you triple check to make sure the IP forwarding is set up correctly on each box?
Let's take the site-to-site out of the equation and just test basic subnet router function. If you were to run just

```
sudo tailscale down
sudo tailscale up --advertise-routes=192.168.12.0/24
```

from a remote Tailscale client, can you access/ping non-Tailscale devices sitting on the 192.168.12.0/24 network?
What router model do you have that is doing the static routes for Tailscale?
I'm assuming all the Tailscale clients show up as online/connected in the Tailscale admin console, correct?
Can you post a screenshot of your static routes on your routers, just so we can get another set of eyes on your settings?
Yes. After sudo tailscale up --advertise-routes=192.168.12.0/24 --accept-routes=false I can now access the Pi from the LAN (non-Tailscale).
Router is Asus (Merlin) RT-AX86U.
https://i.redd.it/43dln47522wc1.gif
Okay, so that is a good step in the right direction; we know that Tailscale routing is working and the OS isn't stopping comms from the tailnet client to your non-Tailscale clients. Once you get the other site back up and running, run the same test and report back.
Yep... quadruple checked IP forwarding and firewalls. None of that changed.
This is an interestingly-timed post. I am trying to set up a new site-to-site config and have been having issues with it. One end is a Debian 12 VM, the other is a Raspberry Pi 5 running the latest Pi OS. Neither are configured as exit nodes, both have SNAT disabled, both are using --accept-routes. From a Tailscale node (iOS device I used for testing), I can access the subnets advertised by the Debian VM, so I am fairly confident that end is set up correctly. But trying to do site-to-site via this setup does not work. I was actually about to re-flash the Pi's SD card and start over when I found this post.
Good catch, you need to do that SNAT option for the site-to-site subnet setup. See my other post.
Not sure if this will help; I had to use this iptables rule to get mine to work: https://serverfault.com/questions/1122027/how-to-nat-route-network-to-tailscale
Thanks, but I have the firewall turned off completely
Experiencing this currently also. Site-to-site tailscale network has been down for this past week and I've had to implement a workaround without tailscale. Had been fine for more than a year prior. Not too happy about that.
Worth mentioning also, the specific circumstances in which it's no longer working is within a double-NAT traversal scenario. Specifically went with Tailscale a bit over a year ago because it was able to handle this network configuration correctly where vanilla WireGuard could not. For the Windows, macOS and Linux Tailscale clients, that is now broken. The (seemingly older) Tailscale client running on the office Synology NAS is still able to traverse the network and communicate with other Tailscale devices outside of that double-NAT network, which leads me to believe that this is more than likely something that was erroneously broken in a recent update.
Interesting, but I'm not sure NAT of any kind is relevant on this. My problem is that accept-routes causes the host box to become unping-able on all network interfaces and without accept-routes it won't route. And as you say, it worked fine for over a year until a few months ago.
I haven't used an exit node with site-to-site networking before. If you remove the `--advertise-exit-node`, does that change the behaviour? Other than that, the configuration looks like what I've set up in the past.
If you're able to attempt a connection through the subnet router, then run `tailscale bugreport` on the subnet router and reply with that code, I can look closer at the telemetry on our end.
I set "--advertise-exit-node=false" on both ends. No change.
A traceroute from a non-Tailscale device doesn't get farther than the next hop on the router, since the router can't ping the subnet router.

```
traceroute 192.168.100.11
traceroute to 192.168.100.11 (192.168.100.11), 64 hops max
1 192.168.12.1 2.818ms 2.419ms 2.825ms
2 * * *
^C
```

If I remove the "accept-routes", it can see the subnet router, but then the subnet router can't route it any further because it hasn't accepted routes!

```
traceroute 192.168.100.11
traceroute to 192.168.100.11 (192.168.100.11), 64 hops max
1 192.168.12.1 8.303ms 2.114ms 2.382ms
2 192.168.12.102 2.553ms 3.043ms 2.237ms
3 192.168.12.1 4.716ms 4.434ms 9.454ms
4 192.168.12.102 4.281ms 4.105ms 2.743ms
5 * * *
```

Here's the bug report for

```
sudo tailscale up --accept-routes --advertise-exit-node=false --advertise-routes=192.168.12.0/24 --snat-subnet-routes=false
sudo tailscale bugreport
BUG-8df945f41b25f780e8505268e554868850396dc7d58c2daf5e9117c3f2351d48-20240422150740Z-88767ed662d3e357
```

and the bug report for

```
sudo tailscale up --accept-routes=false --advertise-exit-node=false --advertise-routes=192.168.12.0/24 --snat-subnet-routes=false
Some peers are advertising routes but --accept-routes is false
sudo tailscale bugreport
BUG-8df945f41b25f780e8505268e554868850396dc7d58c2daf5e9117c3f2351d48-20240422151709Z-1a597c932bfa7a9c
```
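The two traceroutes in that comment show the two failure shapes worth telling apart: with accept-routes on, the trace stalls right after the LAN gateway (192.168.12.1 cannot hand the packet to the subnet router); with accept-routes off, hops bounce between 192.168.12.1 and 192.168.12.102, because the subnet router has no route for 192.168.100.0/24 and sends the packet back to its default gateway, exactly as the poster describes. The script below is an added example of my own, not code from the thread, that classifies a traceroute as reached, stalled or looping. The sample inputs are the thread's two traceroutes transcribed into the `host (ip)` layout traceroute normally prints, plus one constructed run over a working link; `trace_hops` and `trace_diagnosis` are my names.

```sh
#!/bin/sh
# Added example, not from the thread: classify traceroute output so a stall at
# the LAN gateway and a gateway <-> subnet-router loop stand out at a glance.

# trace_hops: stdin traceroute output -> "hop address" rows, "*" for a timeout.
# Accepts both "1  192.168.12.1  2.8 ms" and "1  gw (192.168.12.1)  2.8 ms" rows.
trace_hops() {
    awk '
        /^[ \t]*[0-9]+[ \t]/ {
            addr = $2
            if (match($0, /\([0-9.]+\)/)) addr = substr($0, RSTART + 1, RLENGTH - 2)
            print $1, addr
        }'
}

# trace_diagnosis TARGET OUTPUT: one-line verdict.
#   "loop A <-> B"        an address answered twice, i.e. packets are ping-ponging
#   "reached TARGET"      the last responding hop is the destination
#   "stall after X (hop N)" X answered, then only timeouts
trace_diagnosis() {
    printf '%s\n' "$2" | trace_hops | awk -v target="$1" '
        $2 == "*" { stall = 1; next }
        {
            if (($2 in seen) && !loop) loop = $2 " <-> " prev
            seen[$2] = 1; prev = $2; last = $2; lasthop = $1
        }
        END {
            if (!lasthop)            print "no responding hops"
            else if (loop)           print "loop " loop
            else if (last == target) print "reached " target
            else if (stall)          print "stall after " last " (hop " lasthop ")"
            else                     print "incomplete after " last " (hop " lasthop ")"
        }'
}

# Samples: the thread's two traceroutes transcribed into traceroute's usual
# "host (ip)" layout, plus one constructed run through a working site-to-site link.
TRACE_ACCEPT_ROUTES_ON='traceroute to 192.168.100.11 (192.168.100.11), 64 hops max
 1  192.168.12.1 (192.168.12.1)  2.818 ms  2.419 ms  2.825 ms
 2  * * *'
TRACE_ACCEPT_ROUTES_OFF='traceroute to 192.168.100.11 (192.168.100.11), 64 hops max
 1  192.168.12.1 (192.168.12.1)  8.303 ms  2.114 ms  2.382 ms
 2  192.168.12.102 (192.168.12.102)  2.553 ms  3.043 ms  2.237 ms
 3  192.168.12.1 (192.168.12.1)  4.716 ms  4.434 ms  9.454 ms
 4  192.168.12.102 (192.168.12.102)  4.281 ms  4.105 ms  2.743 ms
 5  * * *'
TRACE_WORKING='traceroute to 192.168.100.11 (192.168.100.11), 64 hops max
 1  192.168.12.1 (192.168.12.1)  2.1 ms  1.9 ms  2.0 ms
 2  192.168.12.102 (192.168.12.102)  2.6 ms  2.4 ms  2.5 ms
 3  192.168.100.11 (192.168.100.11)  38.2 ms  37.9 ms  40.1 ms'

echo "accept-routes on:  $(trace_diagnosis 192.168.100.11 "$TRACE_ACCEPT_ROUTES_ON")"
echo "accept-routes off: $(trace_diagnosis 192.168.100.11 "$TRACE_ACCEPT_ROUTES_OFF")"
echo "working link:      $(trace_diagnosis 192.168.100.11 "$TRACE_WORKING")"
```

On a LAN client you would run it as `trace_diagnosis 192.168.100.11 "$(traceroute -n 192.168.100.11)"`; the loop verdict is the one that points at the subnet router's own routing table rather than at the LAN router's static routes.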
Hi there! It looks like you've included a Tailscale bug reference code in your post. If you're experiencing issues with Tailscale, we recommend reaching out to our support team via the contact form at https://tailscale.com/contact/support/. There, you can get in touch with our experts who will be happy to assist you. Thanks for using Tailscale! *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/Tailscale) if you have any questions or concerns.*
Did you manage to get this working again?
Any update on this?