ACL for 4via6 subnet router CIDR
unixfox opened this issue · 2 comments
Hello,
I'm using the 4via6 subnet router functionality like described here: https://tailscale.com/kb/1201/4via6-subnets
I allowed the 4via6 ipv6 CIDR range in my ACL:
"acls": [
{
"action": "accept",
"src": [
"tag:trusted"
],
"dst": [
"fd7a:115c:a1e0:b1a::c0a8:100/120:*"
]
},
]
Also advertised the route on the machine. I got the ipv6 subnet using tailscale debug via 1 192.168.1.0/24.
I validated that it works because I made it work the same way on www.tailscale.com.
But unfortunately, it doesn't work with ionscale. I can't reach the ipv6 address.
Here are the logs from tailscaled:
jan 14 23:39:58 pcryzen tailscaled[24447]: Accept: ICMPv6{[fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:0 > [fd7a:115c:a1e0:b1a::c0a8:101]:0} 104 ok out
jan 14 23:39:59 pcryzen tailscaled[24447]: Accept: ICMPv6{[fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:0 > [fd7a:115c:a1e0:b1a::c0a8:101]:0} 104 ok out
jan 14 23:40:07 pcryzen tailscaled[24447]: magicsock: disco: node [iNgd5] d:d4d20a6e15dcff25 now using 192.168.1.145:41641 mtu=1360 tx=349b97a7133a
jan 14 23:40:07 pcryzen tailscaled[24447]: Accept: TCP{[fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:44410 > [fd7a:115c:a1e0:b1a::c0a8:101]:80} 80 ok out
jan 14 23:40:12 pcryzen tailscaled[24447]: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:44410 => [fd7a:115c:a1e0:b1a::c0a8:101]:80) to node [iNgd5]; online=yes, lastRecv=5s
jan 14 23:40:13 pcryzen tailscaled[24447]: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:44410 => [fd7a:115c:a1e0:b1a::c0a8:101]:80) to node [iNgd5]; online=yes, lastRecv=6s
I'm only able to reach the ipv6 address when manually defining the host in the ACL policy like this:
"hosts": {
"myrouter": "fd7a:115c:a1e0:b1a::c0a8:101/128",
},
"acls": [
{
"action": "accept",
"src": [
"tag:trusted"
],
"dst": [
"myrouter:*"
]
},
]
Would it be possible to add support for this functionality in the ACL? Thank you.
Headscale related issues:
I can also replicate the issue with any real ipv6 range shared using a subnet router (not 4via6):
tailscale set --advertise-routes fd42::/48
$ curl http://[fd42:0:0:6::c64]
jan 15 09:54:55 pcryzen tailscaled[1030]: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:59872 => [fd42:0:0:6::c64]:80) to node [KQwao]; online=yes, lastRecv=9s
jan 15 09:54:56 pcryzen tailscaled[1030]: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:59872 => [fd42:0:0:6::c64]:80) to node [KQwao]; online=yes, lastRecv=10s
jan 15 09:54:58 pcryzen tailscaled[1030]: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:59872 => [fd42:0:0:6::c64]:80) to node [KQwao]; online=yes, lastRecv=12s
jan 15 09:55:02 pcryzen tailscaled[1030]: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:59872 => [fd42:0:0:6::c64]:80) to node [KQwao]; online=yes, lastRecv=2s
jan 15 09:55:14 pcryzen tailscaled[1030]: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:59872 => [fd42:0:0:6::c64]:80) to node [KQwao]; online=yes, lastRecv=3s
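One way a policy engine can match the dst entries from this issue against the flows printed by tailscaled's open-conn-track lines, as an added Go example that is not ionscale's or Tailscale's own code: IPv6 CIDRs themselves contain colons, so the port spec has to be split off after the last colon, and a "hosts" alias is resolved before the CIDR is parsed.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// dstRule is one parsed ACL "dst" entry, e.g. "fd7a:115c:a1e0:b1a::c0a8:100/120:*".
type dstRule struct {
	prefix netip.Prefix
	port   string // "*" for any port, otherwise a single decimal port
}

// parseDst splits an ACL dst entry into its address/CIDR part and its port part.
// IPv6 literals contain colons, so the split happens at the LAST colon. Names found
// in hosts (the policy's "hosts" map) are resolved first; a bare address is a /32 or /128.
func parseDst(entry string, hosts map[string]string) (dstRule, error) {
	i := strings.LastIndex(entry, ":")
	if i < 0 {
		return dstRule{}, fmt.Errorf("dst %q has no port part", entry)
	}
	addrPart, port := entry[:i], entry[i+1:]
	if h, ok := hosts[addrPart]; ok {
		addrPart = h
	}
	if port != "*" {
		if _, err := strconv.ParseUint(port, 10, 16); err != nil {
			return dstRule{}, fmt.Errorf("dst %q: bad port %q", entry, port)
		}
	}
	if !strings.Contains(addrPart, "/") {
		a, err := netip.ParseAddr(addrPart)
		if err != nil {
			return dstRule{}, err
		}
		return dstRule{prefix: netip.PrefixFrom(a, a.BitLen()), port: port}, nil
	}
	p, err := netip.ParsePrefix(addrPart)
	if err != nil {
		return dstRule{}, err
	}
	return dstRule{prefix: p.Masked(), port: port}, nil
}

// allows reports whether a flow to addr:port (as logged by open-conn-track) matches the rule.
func (r dstRule) allows(addr netip.Addr, port uint16) bool {
	return r.prefix.Contains(addr) && (r.port == "*" || r.port == strconv.Itoa(int(port)))
}
```

With the CIDR rule from the first policy above, the logged destination fd7a:115c:a1e0:b1a::c0a8:101 port 80 is accepted, as it is with the "myrouter:*" alias form.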