router 1 has subnet routes accepted. But it seems that doesnt work going out?
You need to adjust your ACLs to allow traffic over Tailscale.
On the router or on server 2?
For all traffic. Tailscale ACLs deny by default. If you’ve never changed them, you need to do that.
Does subnet only work for incoming not outgoing?
I’m not sure what you mean. You either need to post a lot more details and information about your setup, or you need to read and understand the Tailscale docs.
I have this set { “action”: “accept”, “src”: [“group:admin”], “dst”: [“:”], },
Can you ping server 1 from the subnet router?
Make sure to check if you have a firewall blocking ICMP packets on server 1 or somewhere between.
Maybe run traceroute from both serves and compare the route taken and where it stops.Thanks for this!
This is very related to the SNAT option for subnet routers on Tailscale. Though it’s enabled by default, I ran into issues with some services when I’d left it turned off by accident at one point.
In theory the “clean” way to do is to not use SNAT but then the network router needs to do some extra work to bridge the gap in the connection. Personally I was a dealing with a strict service on a device that wouldn’t accept regular non-SNAT traffic (the service was smart enough to say “no, I’m only running on 192.x.x.x and refuse to send traffic to Tailscale”).
Thanks will try
Do your access rules work in both directions? Do you have any strange routing going on? Do you need to configure a static route for the returning traffic?
Sorry, knowing very little about your setup means i can only suggest vague possibilities based on networks i work with.
Thanks! I’m not sure if that applied though because Tailscale should be very simple! I will try
