After a device inside a Tailscale subnet joins the tailnet on its own, it can no longer be reached via its original LAN IP

119 days ago
 lnbiuc

Configuration

Device A has IP 10.115.15.1, runs tailscale, and is started with --advertise-routes=10.115.15.0/24

Device B has IP 10.115.15.25, runs tailscale, and does not enable --accept-routes

Device C is not in the 10.115.15.0/24 LAN, runs tailscale, and enables --accept-routes

The problem:

If device B (IP 10.115.15.25) enables --accept-routes, devices in 10.115.15.0/24 can no longer reach it via 10.115.15.25

Requirement

Devices outside 10.115.15.0/24 that have --accept-routes enabled should be able to reach device B via 10.115.15.25

HELP! HELP! HELP! Asking the experts for help

Additional information

I run my own Derper and have blocked the official DERP relays; I use the official admin console

ACLs are enabled, but I have tested it: with the ACLs turned off the behaviour is still exactly as described above

// Example/default ACLs for unrestricted connections.
{
	// Declare static groups of users. Use autogroups for all users or users with a specific role.
	// "groups": {
	//  	"group:example": ["alice@example.com", "bob@example.com"],
	// },

	// Define the tags which can be applied to devices and by which users.
	"tagOwners": {
		"tag:home-pc":     ["autogroup:admin"],
		"tag:home-server": ["autogroup:admin"],
		"tag:work-pc":     ["autogroup:admin"],
		"tag:game-server": ["autogroup:admin"],
		"tag:game-player": ["autogroup:admin"],
		"tag:relay-node":  ["autogroup:admin"],
		"tag:out-user":    ["autogroup:admin"],
	},

	// Define access control lists for users, groups, autogroups, tags,
	// Tailscale IP addresses, and subnet ranges.
	"acls": [
		// Allow all connections.
		// Comment this section out if you want to define specific restrictions.
		// {"action": "accept", "src": ["*"], "dst": ["*:*"]},
		// Allow full connectivity between out-user nodes
		{
			"action": "accept",
			"src":    ["tag:out-user"],
			"dst":    ["tag:out-user:*"],
		},
		// Allow out-user and game-server to reach each other
		{
			"action": "accept",
			"src":    ["tag:out-user"],
			"dst":    ["tag:game-server:*"],
		},
		{
			"action": "accept",
			"src":    ["tag:game-server"],
			"dst":    ["tag:out-user:*"],
		},
		// Allow home-pc and out-user to reach each other
		{
			"action": "accept",
			"src":    ["tag:home-pc"],
			"dst":    ["tag:out-user:*"],
		},
		{
			"action": "accept",
			"src":    ["tag:out-user"],
			"dst":    ["tag:home-pc:*"],
		},
		// Allow full connectivity between all other tags
		{
			"action": "accept",
			"src": [
				"tag:home-pc",
				"tag:home-server",
				"tag:work-pc",
				"tag:game-server",
				"tag:game-player",
				"tag:relay-node",
			],
			"dst": ["*:*"],
		},
	],


	// Define users and devices that can use Tailscale SSH.
	"ssh": [
		// Allow all users to SSH into their own devices in check mode.
		// Comment this section out if you want to define specific restrictions.
		{
			"action": "check",
			"src":    ["autogroup:member"],
			"dst":    ["autogroup:self"],
			"users":  ["autogroup:nonroot", "root"],
		},
	],

	"derpMap": {
		// OmitDefaultRegions drops the official relay regions
		"OmitDefaultRegions": true,
		"Regions": {
			"905": {
				"RegionID":   905,
				"RegionCode": "cd",
				"RegionName": "",
				"Nodes": [
					{
						"Name":     "905",
						"RegionID": 905,
						"HostName": "",
						"DERPPort": ,
						"STUNPort": ,
					},
				],
			},
		},
	},
}

1012 clicks
Node: OpenWrt
2 replies
lnbiuc
119 days ago
Answering my own question: enabling IP dynamic masquerading for Lan => Tailscale in the OpenWRT firewall solves the problem
The problem is solved, but I don't understand the principle behind it; I'd still appreciate an explanation from someone who knows
![image.png](https://cdn.violet.vin/v2/DIJkbfr.png)
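The following is an added model, not code from the thread, and the mechanism it shows is an assumption on the editor's part rather than something the thread confirms. It uses the thread's addresses (A = 10.115.15.1 as the OpenWrt subnet router, B = 10.115.15.25 as the LAN host that is also a tailnet node) plus constructed 100.64.0.x Tailscale IPs, and models one thing that is known to be true of WireGuard: a node only accepts a packet from a peer if the packet's source address lies inside that peer's AllowedIPs. When C reaches B through A's advertised subnet route, B can answer C directly over its own tailnet link with source 10.115.15.25, an address C associates with peer A (the subnet router), not with peer B, so the reply is dropped. With masquerading on A, B sees the request as coming from 10.115.15.1, replies to A over the LAN, and A undoes the NAT before sending the reply to C.

```python
"""Constructed model of asymmetric return traffic through a Tailscale
subnet router and why SNAT ("masquerading") on the router repairs it.

Addresses for A and B come from the thread; the 100.64.0.x tailnet IPs
are placeholders chosen for this example.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network

LAN = ip_network("10.115.15.0/24")
A_LAN, A_TS = ip_address("10.115.15.1"), ip_address("100.64.0.1")   # subnet router (OpenWrt)
B_LAN, B_TS = ip_address("10.115.15.25"), ip_address("100.64.0.2")  # LAN host, also a tailnet node
C_TS = ip_address("100.64.0.3")                                     # remote node with --accept-routes


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    hops: list = field(default_factory=list)


# WireGuard cryptokey routing as seen from node C: each peer may only
# source packets from the prefixes listed for it. A advertises the LAN,
# so the LAN prefix belongs to peer A; B is a plain node with its own /32.
ALLOWED_IPS_AT_C = {
    "A": [ip_network(f"{A_TS}/32"), LAN],
    "B": [ip_network(f"{B_TS}/32")],
}


def wg_accept(peer: str, pkt: Packet) -> bool:
    """True if C's WireGuard would accept pkt arriving from the given peer."""
    return any(pkt.src in net for net in ALLOWED_IPS_AT_C[peer])


def forward_request(snat: bool):
    """C sends to B's LAN address; A forwards it into the LAN.

    With snat=True A rewrites the source to its own LAN address and
    records the translation so it can reverse it on the reply.
    """
    nat_table = {}
    pkt = Packet(C_TS, B_LAN, ["C->A (tailnet)"])
    if snat:
        nat_table[(A_LAN, B_LAN)] = C_TS   # (translated src, dst) -> original src
        pkt.src = A_LAN
    pkt.hops.append("A->B (lan)")
    return pkt, nat_table


def reply(request: Packet, nat_table: dict):
    """B answers the request. Returns the reply and whether C accepts it."""
    rep = Packet(request.dst, request.src, [])
    if rep.dst in LAN:
        # Destination is A's LAN address: the reply goes back through A,
        # which restores the original source and forwards over the tailnet.
        rep.hops.append("B->A (lan)")
        rep.dst = nat_table[(rep.dst, rep.src)]
        rep.hops.append("A->C (tailnet)")
        return rep, wg_accept("A", rep)
    # Destination is a tailnet IP and B is itself a tailnet node, so B
    # sends straight to C, bypassing A entirely.
    rep.hops.append("B->C (tailnet, direct)")
    return rep, wg_accept("B", rep)


def simulate(snat: bool) -> dict:
    """Run one request/reply exchange and report the reply path and outcome."""
    request, nat_table = forward_request(snat)
    rep, accepted = reply(request, nat_table)
    return {
        "reply_src": str(rep.src),
        "reply_path": rep.hops,
        "accepted_by_C": accepted,
    }


if __name__ == "__main__":
    for snat in (False, True):
        label = "masquerade on A" if snat else "no masquerade"
        print(f"{label}: {simulate(snat)}")
```

Without masquerading the reply takes the direct B->C path carrying source 10.115.15.25 and fails C's AllowedIPs check for peer B; with masquerading the reply returns through A, which is the peer allowed to source 10.115.15.0/24. This is also why the ACL change made no difference in the thread: the drop happens at the WireGuard layer before any Tailscale ACL is consulted.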
mrxia
119 days ago

https://www.v2ex.com/t/1131080