Tailscale proxyvm accesses tailnet but appvms that use it for networking cannot ping

I wish to use tailscale to access the other devices on the tailnet and use one of those devices as an exit node and access the LAN of that device (IP subnet advertised). I’ve set up a tailscale proxyvm according to the community guide. The sys-tailscale appvm is able to connect to the tailnet, access the exit node LAN as intended, and persists on reboot. However, any appvm that uses sys-tailscale as a networking qube cannot ping the devices on the tailnet and does not connect to the internet at all. I tried fixing this by treating sys-tailscale as a subnet router and advertising 10.137.0.0/24; this did not work and I don’t think this is what I should be doing. Is there anything else that I’m missing that I need to do for my use case?

I am also having this same problem. I was trying to route all traffic through a tailscale exit node, but am having no network access. I would also appreciate a response to this question.

Did you try to ping using IP address instead of a domain name? Maybe it’s an issue with DNS resolution, then you need to fix it like this:

Don’t use these addresses for your VPN: 10.137.0.0/16, 10.138.0.0/16, 10.139.1.1/32, 10.139.1.2/32.

It pings the ip and then stalls.

[user@disp9883 ~]$ ping 209.51.188.116
PING 209.51.188.116 (209.51.188.116) 56(84) bytes of data.

I also tried changing dns to 100.100.100.100 in /rw/config/qubes-firewall-user-script and there is still no network access from the appvm.

What’s the output of these commands in sys-tailscale with app qube connected to it?

ip a
ip r
ip rule show
sudo nft list ruleset

Hi,

Something made my exit node go offline while I was away and I won’t be able to check what’s going on with it until tomorrow. Regardless, I can send you the current results of those commands.

[user@sys-tailscale ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group 1 qlen 1000
    link/ether 00:16:3e:5e:6c:00 brd ff:ff:ff:ff:ff:ff
    inet 10.137.0.8/32 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe5e:6c00/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
3: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 100.126.90.40/32 scope global tailscale0
       valid_lft forever preferred_lft forever
    inet6 fd7a:115c:a1e0::c901:5a28/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::503d:d02f:66e4:cd7c/64 scope link stable-privacy proto kernel_ll 
       valid_lft forever preferred_lft forever
4: vif10.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group 2 qlen 1000
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
    inet 10.137.0.8/32 scope global vif10.0
       valid_lft forever preferred_lft forever
    inet6 fe80::fcff:ffff:feff:ffff/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
[user@sys-tailscale ~]$ ip r
default via 10.138.36.98 dev eth0 proto static metric 100 
10.137.0.11 dev vif10.0 scope link metric 32742 
10.138.36.98 dev eth0 proto static scope link metric 100 
[user@sys-tailscale ~]$ ip rule show
0:	from all lookup local
5210:	from all fwmark 0x80000/0xff0000 lookup main
5230:	from all fwmark 0x80000/0xff0000 lookup default
5250:	from all fwmark 0x80000/0xff0000 unreachable
5270:	from all lookup 52
32766:	from all lookup main
32767:	from all lookup default
[user@sys-tailscale ~]$ sudo nft list ruleset
table ip qubes {
	set downstream {
		type ipv4_addr
		elements = { 10.137.0.11 }
	}

	set allowed {
		type ifname . ipv4_addr
		elements = { "vif10.0" . 10.137.0.11 }
	}

	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifgroup 2 goto antispoof
		ip saddr @downstream counter packets 0 bytes 0 drop
	}

	chain antispoof {
		iifname . ip saddr @allowed accept
		counter packets 0 bytes 0 drop
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifgroup 2 accept
		oif "lo" accept
		masquerade
	}

	chain input {
		type filter hook input priority filter; policy drop;
		jump custom-input
		ct state invalid counter packets 0 bytes 0 drop
		iifgroup 2 udp dport 68 counter packets 0 bytes 0 drop
		ct state established,related accept
		iifgroup 2 meta l4proto icmp accept
		iif "lo" accept
		iifgroup 2 counter packets 0 bytes 0 reject with icmp host-prohibited
		counter packets 0 bytes 0
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		jump custom-forward
		ct state invalid counter packets 0 bytes 0 drop
		ct state established,related accept
		oifgroup 2 counter packets 0 bytes 0 drop
	}

	chain custom-input {
	}

	chain custom-forward {
	}

	chain nat {
		type nat hook prerouting priority dstnat; policy accept;
		iifname "vif*" tcp dport 53 dnat to 100.100.100.100
		iifname "vif*" udp dport 53 dnat to 100.100.100.100
	}

	chain dnat-dns {
		type nat hook prerouting priority dstnat; policy accept;
		ip daddr 10.139.1.1 udp dport 53 dnat to 100.100.100.100
		ip daddr 10.139.1.1 tcp dport 53 dnat to 100.100.100.100
		ip daddr 10.139.1.2 udp dport 53 dnat to 10.139.1.1
		ip daddr 10.139.1.2 tcp dport 53 dnat to 10.139.1.1
	}
}
table ip6 qubes {
	set downstream {
		type ipv6_addr
	}

	set allowed {
		type ifname . ipv6_addr
	}

	chain antispoof {
		iifname . ip6 saddr @allowed accept
		counter packets 12 bytes 768 drop
	}

	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifgroup 2 goto antispoof
		ip6 saddr @downstream counter packets 0 bytes 0 drop
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifgroup 2 accept
		oif "lo" accept
		masquerade
	}

	chain _icmpv6 {
		meta l4proto != ipv6-icmp counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
		icmpv6 type { nd-router-advert, nd-redirect } counter packets 0 bytes 0 drop
		accept
	}

	chain input {
		type filter hook input priority filter; policy drop;
		jump custom-input
		ct state invalid counter packets 0 bytes 0 drop
		ct state established,related accept
		iifgroup 2 goto _icmpv6
		iif "lo" accept
		ip6 saddr fe80::/64 ip6 daddr fe80::/64 udp dport 546 accept
		meta l4proto ipv6-icmp accept
		counter packets 0 bytes 0
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		jump custom-forward
		ct state invalid counter packets 0 bytes 0 drop
		ct state established,related accept
		oifgroup 2 counter packets 0 bytes 0 drop
	}

	chain custom-input {
	}

	chain custom-forward {
	}
}
table ip qubes-firewall {
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		iifname != "vif*" accept
		ip saddr 10.137.0.11 jump qbs-10-137-0-11
	}

	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifname != "vif*" ip saddr 10.137.0.11 drop
	}

	chain postrouting {
		type filter hook postrouting priority raw; policy accept;
		oifname != "vif*" ip daddr 10.137.0.11 drop
	}

	chain qbs-10-137-0-11 {
		accept
		reject with icmp admin-prohibited
	}
}
table ip6 qubes-firewall {
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		iifname != "vif*" accept
	}

	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain postrouting {
		type filter hook postrouting priority raw; policy accept;
	}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
	chain ts-input {
		iifname "lo" ip saddr 100.126.90.40 counter packets 0 bytes 0 accept
		iifname != "tailscale0" ip saddr 100.115.92.0/23 counter packets 0 bytes 0 return
		iifname != "tailscale0" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 drop
		iifname "tailscale0" counter packets 279 bytes 11772 accept
		udp dport 41641 counter packets 428 bytes 25680 accept
	}

	chain ts-forward {
		iifname "tailscale0" counter packets 0 bytes 0 meta mark set mark and 0xff00ffff xor 0x40000
		meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 accept
		oifname "tailscale0" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 drop
		oifname "tailscale0" counter packets 32 bytes 2256 accept
	}

	chain INPUT {
		type filter hook input priority filter; policy accept;
		counter packets 2609 bytes 181195 jump ts-input
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		counter packets 32 bytes 2256 jump ts-forward
	}
}
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
	chain ts-postrouting {
		meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 masquerade
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 1113 bytes 69986 jump ts-postrouting
	}
}
# Warning: table ip6 filter is managed by iptables-nft, do not touch!
table ip6 filter {
	chain ts-input {
		iifname "lo" ip6 saddr fd7a:115c:a1e0::c901:5a28 counter packets 0 bytes 0 accept
		iifname "tailscale0" counter packets 0 bytes 0 accept
		udp dport 41641 counter packets 0 bytes 0 accept
	}

	chain ts-forward {
		iifname "tailscale0" counter packets 0 bytes 0 meta mark set mark and 0xff00ffff xor 0x40000
		meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 accept
		oifname "tailscale0" counter packets 0 bytes 0 accept
	}

	chain INPUT {
		type filter hook input priority filter; policy accept;
		counter packets 0 bytes 0 jump ts-input
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		counter packets 0 bytes 0 jump ts-forward
	}
}
# Warning: table ip6 nat is managed by iptables-nft, do not touch!
table ip6 nat {
	chain ts-postrouting {
		meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 XT target MASQUERADE not found

	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 112 bytes 8064 jump ts-postrouting
	}
}
table inet qubes-nat-accel {
	flowtable qubes-accel {
		hook ingress priority filter
		devices = { eth0, lo, tailscale0, vif10.0 }
	}

	chain qubes-accel {
		type filter hook forward priority filter + 5; policy accept;
		meta l4proto { tcp, udp } iifgroup 2 oifgroup 1 flow add @qubes-accel
		counter packets 32 bytes 2256
	}
}

Show the output of these commands in sys-tailscale when the tunnel is working for you and you try to ping some IP in the app connected to sys-tailscale:

ip route show table 52
sudo nft list ruleset

Maybe the firewall rules added by tailscale are conflicting with the Qubes OS firewall rules and not working properly.

Are you using MagicDNS in your tailnet?

I connected it to another exit node for the time being. (internal subnet is 192.168.0.0/24)

default dev tailscale0
10.0.0.0/24 dev tailscale0
100.66.91.55 dev tailscale0
100.67.51.6 dev tailscale0
100.72.219.64 dev tailscale0
100.99.67.36 dev tailscale0
100.100.100.100 dev tailscale0
100.119.204.88 dev tailscale0
throw 127.0.0.0/8
192.168.0.0/24 dev tailscale0
table ip qubes {
	set downstream {
		type ipv4_addr
		elements = { 10.137.0.11 }
	}

	set allowed {
		type ifname . ipv4_addr
		elements = { "vif10.0" . 10.137.0.11 }
	}

	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifgroup 2 goto antispoof
		ip saddr @downstream counter packets 0 bytes 0 drop
	}

	chain antispoof {
		iifname . ip saddr @allowed accept
		counter packets 0 bytes 0 drop
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifgroup 2 accept
		oif "lo" accept
		masquerade
	}

	chain input {
		type filter hook input priority filter; policy drop;
		jump custom-input
		ct state invalid counter packets 136 bytes 7504 drop
		iifgroup 2 udp dport 68 counter packets 0 bytes 0 drop
		ct state established,related accept
		iifgroup 2 meta l4proto icmp accept
		iif "lo" accept
		iifgroup 2 counter packets 0 bytes 0 reject with icmp host-prohibited
		counter packets 12 bytes 528
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		jump custom-forward
		ct state invalid counter packets 17 bytes 2004 drop
		ct state established,related accept
		oifgroup 2 counter packets 0 bytes 0 drop
	}

	chain custom-input {
	}

	chain custom-forward {
	}

	chain nat {
		type nat hook prerouting priority dstnat; policy accept;
		iifname "vif*" tcp dport 53 dnat to 100.100.100.100
		iifname "vif*" udp dport 53 dnat to 100.100.100.100
	}

	chain dnat-dns {
		type nat hook prerouting priority dstnat; policy accept;
		ip daddr 10.139.1.1 udp dport 53 dnat to 100.100.100.100
		ip daddr 10.139.1.1 tcp dport 53 dnat to 100.100.100.100
		ip daddr 10.139.1.2 udp dport 53 dnat to 10.139.1.1
		ip daddr 10.139.1.2 tcp dport 53 dnat to 10.139.1.1
	}
}
table ip6 qubes {
	set downstream {
		type ipv6_addr
	}

	set allowed {
		type ifname . ipv6_addr
	}

	chain antispoof {
		iifname . ip6 saddr @allowed accept
		counter packets 39 bytes 2472 drop
	}

	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifgroup 2 goto antispoof
		ip6 saddr @downstream counter packets 0 bytes 0 drop
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifgroup 2 accept
		oif "lo" accept
		masquerade
	}

	chain _icmpv6 {
		meta l4proto != ipv6-icmp counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
		icmpv6 type { nd-router-advert, nd-redirect } counter packets 0 bytes 0 drop
		accept
	}

	chain input {
		type filter hook input priority filter; policy drop;
		jump custom-input
		ct state invalid counter packets 0 bytes 0 drop
		ct state established,related accept
		iifgroup 2 goto _icmpv6
		iif "lo" accept
		ip6 saddr fe80::/64 ip6 daddr fe80::/64 udp dport 546 accept
		meta l4proto ipv6-icmp accept
		counter packets 0 bytes 0
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		jump custom-forward
		ct state invalid counter packets 0 bytes 0 drop
		ct state established,related accept
		oifgroup 2 counter packets 0 bytes 0 drop
	}

	chain custom-input {
	}

	chain custom-forward {
	}
}
table ip qubes-firewall {
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		iifname != "vif*" accept
		ip saddr 10.137.0.11 jump qbs-10-137-0-11
	}

	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifname != "vif*" ip saddr 10.137.0.11 drop
	}

	chain postrouting {
		type filter hook postrouting priority raw; policy accept;
		oifname != "vif*" ip daddr 10.137.0.11 drop
	}

	chain qbs-10-137-0-11 {
		accept
		reject with icmp admin-prohibited
	}
}
table ip6 qubes-firewall {
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		iifname != "vif*" accept
	}

	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain postrouting {
		type filter hook postrouting priority raw; policy accept;
	}
}
table ip filter {
	chain ts-input {
		iifname "lo" ip saddr 100.126.90.40 counter packets 0 bytes 0 accept
		iifname != "tailscale0" ip saddr 100.115.92.0/23 counter packets 0 bytes 0 return
		iifname != "tailscale0" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 drop
		iifname "tailscale0" counter packets 964 bytes 116753 accept
		udp dport 41641 counter packets 2254 bytes 271806 accept
	}

	chain ts-forward {
		iifname "tailscale0" counter packets 883 bytes 50722 meta mark set mark and 0xff00ffff xor 0x40000
		meta mark & 0x00ff0000 == 0x00040000 counter packets 883 bytes 50722 accept
		oifname "tailscale0" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 drop
		oifname "tailscale0" counter packets 2346 bytes 140406 accept
	}

	chain INPUT {
		type filter hook input priority filter; policy accept;
		counter packets 11877 bytes 1212459 jump ts-input
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		counter packets 3229 bytes 191128 jump ts-forward
	}
}
table ip nat {
	chain ts-postrouting {
		meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 masquerade
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 27699 bytes 1409723 jump ts-postrouting
	}
}
table ip6 filter {
	chain ts-input {
		iifname "lo" ip6 saddr fd7a:115c:a1e0::c901:5a28 counter packets 0 bytes 0 accept
		iifname "tailscale0" counter packets 0 bytes 0 accept
		udp dport 41641 counter packets 0 bytes 0 accept
	}

	chain ts-forward {
		iifname "tailscale0" counter packets 0 bytes 0 meta mark set mark and 0xff00ffff xor 0x40000
		meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 accept
		oifname "tailscale0" counter packets 0 bytes 0 accept
	}

	chain INPUT {
		type filter hook input priority filter; policy accept;
		counter packets 0 bytes 0 jump ts-input
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		counter packets 0 bytes 0 jump ts-forward
	}
}
table ip6 nat {
	chain ts-postrouting {
		meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 126 bytes 9128 jump ts-postrouting
	}
}
table inet qubes-nat-accel {
	flowtable qubes-accel {
		hook ingress priority filter
		devices = { eth0, lo, tailscale0, vif10.0 }
	}

	chain qubes-accel {
		type filter hook forward priority filter + 5; policy accept;
		meta l4proto { tcp, udp } iifgroup 2 oifgroup 1 flow add @qubes-accel
		counter packets 501 bytes 32302
	}
}

Yes.

Run these commands in the sys-tailscale qube to enable firewall rules logging:

sudo nft insert rule ip nat ts-postrouting log
sudo nft insert rule ip filter ts-forward log
sudo nft add rule ip filter ts-forward log
sudo nft add rule ip qubes custom-forward ct state invalid log
sudo nft add rule ip qubes custom-input ct state invalid log

Then run this command in the sys-tailscale qube to show the logs:

sudo journalctl -f -n0

Then ping some IP address in the qube connected to sys-tailscale.
Post the log output.

Here’s the log output (ping gnu.org):

Oct 26 18:13:08 sys-tailscale kernel: IN=tailscale0 OUT=tailscale0 MAC= SRC=100.100.100.100 DST=10.137.0.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=252 PROTO=TCP SPT=53 DPT=33492 WINDOW=24576 RES=0x00 ACK SYN URGP=0 
Oct 26 18:13:08 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=100.100.100.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=46196 DF PROTO=TCP SPT=33492 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 26 18:13:11 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=10.139.1.1 LEN=56 TOS=0x00 PREC=0x00 TTL=63 ID=18271 DF PROTO=TCP SPT=45618 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 26 18:13:11 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC= SRC=10.137.0.11 DST=10.139.1.1 LEN=56 TOS=0x00 PREC=0x00 TTL=63 ID=18271 DF PROTO=TCP SPT=45618 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 26 18:13:11 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=100.100.100.100 LEN=56 TOS=0x00 PREC=0x00 TTL=63 ID=34534 DF PROTO=TCP SPT=36994 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 26 18:13:11 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC= SRC=10.137.0.11 DST=100.100.100.100 LEN=56 TOS=0x00 PREC=0x00 TTL=63 ID=34534 DF PROTO=TCP SPT=36994 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 26 18:13:11 sys-tailscale kernel: IN=tailscale0 OUT=tailscale0 MAC= SRC=100.100.100.100 DST=10.137.0.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=18847 PROTO=TCP SPT=53 DPT=36994 WINDOW=24576 RES=0x00 ACK SYN URGP=0 
Oct 26 18:13:11 sys-tailscale tailscaled[4092]: [RATELIMIT] format("open-conn-track: flow %v %v > %v rejected due to %v") (9 dropped)
Oct 26 18:13:11 sys-tailscale tailscaled[4092]: open-conn-track: flow TCP 100.126.90.40:45618 > 10.139.1.1:53 rejected due to acl
Oct 26 18:13:11 sys-tailscale kernel: IN=tailscale0 OUT=tailscale0 MAC= SRC=100.100.100.100 DST=10.137.0.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=5900 PROTO=TCP SPT=53 DPT=58668 WINDOW=24576 RES=0x00 ACK SYN URGP=0 
Oct 26 18:13:11 sys-tailscale kernel: IN=tailscale0 OUT=tailscale0 MAC= SRC=100.100.100.100 DST=10.137.0.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=17655 PROTO=TCP SPT=53 DPT=58652 WINDOW=24576 RES=0x00 ACK SYN URGP=0 
Oct 26 18:13:12 sys-tailscale kernel: IN=tailscale0 OUT=tailscale0 MAC= SRC=100.100.100.100 DST=10.137.0.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=65232 PROTO=TCP SPT=53 DPT=36994 WINDOW=24576 RES=0x00 ACK SYN URGP=0 
Oct 26 18:13:12 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=100.100.100.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=34535 DF PROTO=TCP SPT=36994 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 26 18:13:12 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=10.139.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=18272 DF PROTO=TCP SPT=45618 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 26 18:13:12 sys-tailscale tailscaled[4092]: open-conn-track: flow TCP 100.126.90.40:45618 > 10.139.1.1:53 rejected due to acl
Oct 26 18:13:12 sys-tailscale kernel: IN=tailscale0 OUT=tailscale0 MAC= SRC=100.100.100.100 DST=10.137.0.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=30539 PROTO=TCP SPT=53 DPT=41708 WINDOW=24576 RES=0x00 ACK SYN URGP=0 
Oct 26 18:13:12 sys-tailscale kernel: IN=tailscale0 OUT=tailscale0 MAC= SRC=100.100.100.100 DST=10.137.0.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=37870 PROTO=TCP SPT=53 DPT=41714 WINDOW=24576 RES=0x00 ACK SYN URGP=0 
Oct 26 18:13:13 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=10.139.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=18273 DF PROTO=TCP SPT=45618 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 26 18:13:13 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=100.100.100.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=34536 DF PROTO=TCP SPT=36994 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 26 18:13:13 sys-tailscale tailscaled[4092]: open-conn-track: flow TCP 100.126.90.40:45618 > 10.139.1.1:53 rejected due to acl
Oct 26 18:13:14 sys-tailscale kernel: IN=tailscale0 OUT=tailscale0 MAC= SRC=100.100.100.100 DST=10.137.0.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=44743 PROTO=TCP SPT=53 DPT=36994 WINDOW=24576 RES=0x00 ACK SYN URGP=0 
Oct 26 18:13:14 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=100.100.100.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=34537 DF PROTO=TCP SPT=36994 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 26 18:13:14 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=10.139.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=18274 DF PROTO=TCP SPT=45618 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 26 18:13:14 sys-tailscale tailscaled[4092]: open-conn-track: flow TCP 100.126.90.40:45618 > 10.139.1.1:53 rejected due to acl
Oct 26 18:13:15 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=10.139.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=18275 DF PROTO=TCP SPT=45618 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 26 18:13:15 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=100.100.100.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=34538 DF PROTO=TCP SPT=36994 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 26 18:13:15 sys-tailscale tailscaled[4092]: open-conn-track: flow TCP 100.126.90.40:45618 > 10.139.1.1:53 rejected due to acl
Oct 26 18:13:15 sys-tailscale tailscaled[4092]: [RATELIMIT] format("open-conn-track: flow %v %v > %v rejected due to %v")
Oct 26 18:13:16 sys-tailscale kernel: IN=tailscale0 OUT=tailscale0 MAC= SRC=100.100.100.100 DST=10.137.0.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=25868 PROTO=TCP SPT=53 DPT=33492 WINDOW=24576 RES=0x00 ACK SYN URGP=0 
Oct 26 18:13:16 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=100.100.100.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=34539 DF PROTO=TCP SPT=36994 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 26 18:13:16 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=10.139.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=18276 DF PROTO=TCP SPT=45618 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 26 18:13:16 sys-tailscale kernel: IN= OUT=eth0 SRC=10.137.0.8 DST=10.138.36.98 LEN=30 TOS=0x00 PREC=0x00 TTL=64 ID=3159 DF PROTO=UDP SPT=54088 DPT=5351 LEN=10 MARK=0x80000 
Oct 26 18:13:16 sys-tailscale kernel: IN= OUT=eth0 SRC=10.137.0.8 DST=10.138.36.98 LEN=30 TOS=0x00 PREC=0x00 TTL=64 ID=3160 DF PROTO=UDP SPT=35283 DPT=5351 LEN=10 MARK=0x80000 
Oct 26 18:13:16 sys-tailscale kernel: IN= OUT=eth0 SRC=10.137.0.8 DST=10.138.36.98 LEN=122 TOS=0x00 PREC=0x00 TTL=64 ID=3163 DF PROTO=UDP SPT=35283 DPT=1900 LEN=102 MARK=0x80000 
Oct 26 18:13:16 sys-tailscale kernel: IN= OUT=eth0 SRC=10.137.0.8 DST=239.255.255.250 LEN=122 TOS=0x00 PREC=0x00 TTL=1 ID=27628 DF PROTO=UDP SPT=35283 DPT=1900 LEN=102 MARK=0x80000 
Oct 26 18:13:18 sys-tailscale kernel: IN=tailscale0 OUT=tailscale0 MAC= SRC=100.100.100.100 DST=10.137.0.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4494 PROTO=TCP SPT=53 DPT=36994 WINDOW=24576 RES=0x00 ACK SYN URGP=0 
Oct 26 18:13:18 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=10.139.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=18277 DF PROTO=TCP SPT=45618 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 
Oct 26 18:13:18 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=100.100.100.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=34540 DF PROTO=TCP SPT=36994 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0 

Another log output (ping 8.8.8.8)

Oct 26 18:49:37 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=5491 DF PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=1
Oct 26 18:49:37 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC= SRC=10.137.0.11 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=5491 DF PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=1
Oct 26 18:49:37 sys-tailscale kernel: IN=tailscale0 OUT=tailscale0 MAC= SRC=8.8.8.8 DST=10.137.0.11 LEN=84 TOS=0x00 PREC=0x00 TTL=116 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=4 SEQ=1
Oct 26 18:49:37 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=100.100.100.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=26098 DF PROTO=TCP SPT=41744 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 26 18:49:37 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=100.100.100.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=35606 DF PROTO=TCP SPT=41748 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 26 18:49:38 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=5797 DF PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=2
Oct 26 18:49:38 sys-tailscale kernel: IN=tailscale0 OUT=tailscale0 MAC= SRC=8.8.8.8 DST=10.137.0.11 LEN=84 TOS=0x00 PREC=0x00 TTL=116 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=4 SEQ=2
Oct 26 18:49:38 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=100.100.100.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=35607 DF PROTO=TCP SPT=41748 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 26 18:49:38 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=100.100.100.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=26099 DF PROTO=TCP SPT=41744 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 26 18:49:39 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=6718 DF PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=3
Oct 26 18:49:39 sys-tailscale kernel: IN=tailscale0 OUT=tailscale0 MAC= SRC=8.8.8.8 DST=10.137.0.11 LEN=84 TOS=0x00 PREC=0x00 TTL=116 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=4 SEQ=3
Oct 26 18:49:40 sys-tailscale kernel: IN=tailscale0 OUT=tailscale0 MAC= SRC=100.100.100.100 DST=10.137.0.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=50253 PROTO=TCP SPT=53 DPT=41748 WINDOW=24576 RES=0x00 ACK SYN URGP=0
Oct 26 18:49:40 sys-tailscale kernel: IN=tailscale0 OUT=tailscale0 MAC= SRC=100.100.100.100 DST=10.137.0.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=58220 PROTO=TCP SPT=53 DPT=41744 WINDOW=24576 RES=0x00 ACK SYN URGP=0
Oct 26 18:49:40 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=6867 DF PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=4
Oct 26 18:49:40 sys-tailscale kernel: IN=tailscale0 OUT=tailscale0 MAC= SRC=8.8.8.8 DST=10.137.0.11 LEN=84 TOS=0x00 PREC=0x00 TTL=116 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=4 SEQ=4
Oct 26 18:49:40 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=100.100.100.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=26100 DF PROTO=TCP SPT=41744 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 26 18:49:40 sys-tailscale kernel: IN=vif10.0 OUT=tailscale0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.11 DST=100.100.100.100 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=35608 DF PROTO=TCP SPT=41748 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0

Run this command in sys-tailscale and try to ping 8.8.8.8 in the qube connected to sys-tailscale:

sudo ip rule add from all lookup main suppress_prefixlength 0

This did it! Thank you so much!
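
Why the last command works, as an added illustration that is not part of any post in this thread: the logged replies show IN=tailscale0 OUT=tailscale0 because rule 5270 sends every unmarked packet to table 52, whose default route is tailscale0, before the main table's 10.137.0.11 route to vif10.0 is ever consulted. The Python model below replays that lookup with the routes posted above and shows how a `suppress_prefixlength 0` rule changes the result. Assumptions: the new rule's priority 5209 (the thread does not show it), the omission of the local table and the fwmark rules 5210-5250, and all function names.

```python
import ipaddress
import re

# Routes transcribed from the `ip r` and `ip route show table 52` output
# posted in the thread (table 52 abbreviated to the entries that matter).
TABLES = {
    "main": [
        ("0.0.0.0/0", "eth0"),
        ("10.137.0.11/32", "vif10.0"),
        ("10.138.36.98/32", "eth0"),
    ],
    "52": [
        ("0.0.0.0/0", "tailscale0"),
        ("100.100.100.100/32", "tailscale0"),
        ("192.168.0.0/24", "tailscale0"),
    ],
}

# Rules as (priority, table, suppress_prefixlength). Simplification: rule 0
# (local) and the fwmark 0x80000 rules are left out, because forwarded qube
# traffic is not addressed to the proxy itself and does not carry that mark.
RULES_BEFORE = [(5270, "52", None), (32766, "main", None)]
# Assumption: the added rule lands at priority 5209, ahead of rule 5270.
RULES_AFTER = [(5209, "main", 0)] + RULES_BEFORE

QUBES_RANGE = ipaddress.ip_network("10.137.0.0/16")


def lookup_table(table, dst, suppress=None):
    """Longest-prefix match in one table; honour suppress_prefixlength."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    if best is None:
        return None
    # A match whose prefix length is <= the suppress value is discarded,
    # so the rule walk continues with the next rule.
    if suppress is not None and best[0].prefixlen <= suppress:
        return None
    return best[1]


def route(rules, dst):
    """Walk the rules in priority order; return (device, rule priority)."""
    for prio, table, suppress in sorted(rules, key=lambda r: r[0]):
        dev = lookup_table(table, dst, suppress)
        if dev is not None:
            return dev, prio
    return None, None


def hairpinned(log_line):
    """True if a kernel log line shows a packet for a qube address entering
    on tailscale0 and being routed straight back out of tailscale0."""
    fields = dict(re.findall(r"\b(IN|OUT|DST)=(\S*)", log_line))
    if not fields.get("DST"):
        return False
    return (
        fields.get("IN") == "tailscale0"
        and fields.get("OUT") == "tailscale0"
        and ipaddress.ip_address(fields["DST"]) in QUBES_RANGE
    )


# Shortened copy of one reply line from the `ping 8.8.8.8` log in the thread.
REPLY_LINE = ("Oct 26 18:49:37 sys-tailscale kernel: IN=tailscale0 "
              "OUT=tailscale0 MAC= SRC=8.8.8.8 DST=10.137.0.11 LEN=84 "
              "PROTO=ICMP TYPE=0 CODE=0 ID=4 SEQ=1")

if __name__ == "__main__":
    print("reply hairpinned in log:", hairpinned(REPLY_LINE))
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        for dst in ("10.137.0.11", "8.8.8.8"):
            print(label, dst, "->", route(rules, dst))
```

In this model the main table's default route is the only entry the new rule suppresses, so internet-bound traffic still falls through to table 52 and leaves via the exit node.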