Route an outgoing connection request to a specific IP (or interface)
I was using Tailscale in my corporate network and it was working well, until I realized one of the portals I need for work is in the same private IP space as the Tailscale network (100.x.x.x). With Tailscale installed, I can't access that portal. Right now Tailscale doesn't have an on/off switch for Linux (perhaps the systemd service could work), but I'm not sure if during the install it messes with iptables or any firewall rules.
So, I'd like to ask for help from people that know how to set up rules on iptables or ufw for me to set up a rule to route a request to that IP from the portal to the corporate network interface of the device.
So here is a bad diagram on how it is right now and how I want it to be:
Before Tailscale
Corporate portal (100.x.x.x) ---->> Corporate network interface
With Tailscale
Corporate portal (100.x.x.x) ---->> Tailscale (100.x.x.x) ---->> Does not resolve
Solution
Corporate portal (100.x.x.x) ---->> Firewall (route) ---->> Corporate network interface
Any other 100.x.x.x ---->> Tailscale
As far as I checked, this is the only portal on this private IP space. But if I learn how to make that route and I find other portals, I can simply do the same route one by one (I don't mind, actually).
Thank you!
Comments
That seems more like a job for
ip route add 100.x.x.x/32 via 100.y.y.1 dev corp0
than for iptables. May need to set the metric to ensure it appears correctly in the route table.

How would I do that last part?

ip route add 100.x.x.x/32 via 100.y.y.1 dev corp0 metric 2
where 2 is a number that places it above the conflicting route you want to avoid.

Installed the program again, but I couldn't find any routes related to Tailscale. Tried adding a route myself (not sure if I did it right), but it didn't work.
ip route add 100.x.x.x/32 via 172.x.x.1 dev corp0
100.x.x.x/32 being the portal IP and 172.x.x.1 being the subnet IP from my corporate network.

Don't know anything about tailscale but I would guess it must add a route. Maybe via a bridge or something. Hard to say exactly what to do without knowing more about your setup. Try just routing via the corp network interface without specifying a gateway. Try with and without specifying your corp IP as src.
ip route add 100.x.x.x/32 dev corp0 scope link src 100.x.x.y
Tried both and nothing happened.
I found these are the rules it creates on iptables after being installed. I'm not very good with it, so I can only partially understand them. I mostly use ufw myself (which is also installed).
These two drop rules are perhaps the issue. The subnet these rules are dropping includes the IP I'm trying to access.
There are other rules regarding tailscale, but those others are mostly for accept on 0.0.0.0/0 so I didn't put those.
Try removing them temporarily?
Do
ip route
and redact the public IPs.

I removed both rules and it worked out. I was able to ping my phone in the tailscale network. I'm only concerned whether there is any implication to that, as they should have some reason to put those rules there in the first place.
They would be designed to stop traffic leaking in/out from other interfaces. You can add them back and prefix with an ACCEPT to the particular IP address.
Sorry for bothering you once more. What would that rule look like? I have no idea how to write rules for iptables.
Something like this:
iptables -t filter -I ts-input 1 -s 100.x.x.x/32 -j ACCEPT
where 100.x.x.x is the IP address (or CIDR range) on the corporate network that you want to accept traffic from. From the looks of it you might not need one in the other chain, but in case, it would be something like:
iptables -t filter -I ts-forward 1 -d 100.x.x.x/32 -j ACCEPT
where IP address is same as above.
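An added example (not from anyone in this thread) that ties the two answers together: it checks whether a corporate host actually collides with Tailscale's address block (Tailscale assigns from the CGNAT range 100.64.0.0/10), builds the per-host /32 route and the ACCEPT exceptions, and mimics Linux route selection over sample `ip route` output to confirm the /32 wins over the Tailscale route. The gateway 172.16.0.1, interface corp0 and the route lines are constructed values, not from the original post.

```python
import ipaddress

# Tailscale hands out addresses from the CGNAT block 100.64.0.0/10, which is
# why a corporate host in 100.x.x.x can be swallowed by the Tailscale route.
TAILSCALE_RANGE = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample of `ip route` output after adding the /32 exception.
SAMPLE_ROUTES = [
    "100.64.0.0/10 dev tailscale0 scope link",
    "100.100.1.20 via 172.16.0.1 dev corp0 metric 2",
    "172.16.0.0/24 dev corp0 proto kernel scope link src 172.16.0.50",
    "default via 172.16.0.1 dev corp0",
]

def collides(host: str) -> bool:
    """True if the corporate host's address falls inside the Tailscale range."""
    return ipaddress.ip_address(host) in TAILSCALE_RANGE

def exception_commands(host: str, gateway: str, iface: str, metric: int = 2):
    """Commands from the thread for one colliding host; [] if none are needed.
    The exception is a single /32 so the hole in Tailscale's drop rules stays
    as small as possible."""
    if not collides(host):
        return []
    net = ipaddress.ip_network(f"{host}/32")
    return [
        f"ip route add {net} via {gateway} dev {iface} metric {metric}",
        f"iptables -t filter -I ts-input 1 -s {net} -j ACCEPT",
        f"iptables -t filter -I ts-forward 1 -d {net} -j ACCEPT",
    ]

def selected_route(route_lines, host: str):
    """Mimic Linux route selection for one destination: the longest matching
    prefix wins, ties broken by the lowest metric. Returns the device name."""
    addr = ipaddress.ip_address(host)
    best = None
    for line in route_lines:
        fields = line.split()
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare IP => /32
        if addr not in net:
            continue
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        dev = fields[fields.index("dev") + 1]
        key = (net.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, dev)
    return best[1] if best else None

if __name__ == "__main__":
    for cmd in exception_commands("100.100.1.20", "172.16.0.1", "corp0"):
        print(cmd)
    print(selected_route(SAMPLE_ROUTES, "100.100.1.20"))  # corp0
```

Run the printed commands as root on the affected machine; `ip route get <portal IP>` should then report the corporate interface.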