Tailscale is unable to connect to the specified port. #569

Closed
opened 2025-12-29 02:20:37 +01:00 by adam · 2 comments
Originally created by @MilkTeaNo7 on GitHub (Oct 17, 2023).

Problem

  1. Two servers in the same network have IP addresses in the 10.64.0.0 network segment:
    • A's IP address: 10.64.0.4
    • B's IP address: 10.64.0.8
  2. Accessing Server A, you can access port 22. I am SSHing to this server through the allocated VPN address.
  3. However, I cannot communicate on other ports of Server A.
  4. It has been checked that it is not an issue with ACL.
  5. Port is in listening state as checked by ss -tlnp.
  6. Firewall is in off state.

Firewall Information

```
root@GW:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N ts-forward
-N ts-input
-A INPUT -j ts-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-3d85304bf031 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-3d85304bf031 -j DOCKER
-A FORWARD -i br-3d85304bf031 ! -o br-3d85304bf031 -j ACCEPT
-A FORWARD -i br-3d85304bf031 -o br-3d85304bf031 -j ACCEPT
-A FORWARD -o br-5aa183c725da -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-5aa183c725da -j DOCKER
-A FORWARD -i br-5aa183c725da ! -o br-5aa183c725da -j ACCEPT
-A FORWARD -i br-5aa183c725da -o br-5aa183c725da -j ACCEPT
-A FORWARD -j ts-forward
-A DOCKER -d 172.19.0.2/32 ! -i br-5aa183c725da -o br-5aa183c725da -p tcp -m tcp --dport 23479 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9443 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-5aa183c725da -o br-5aa183c725da -p udp -m udp --dport 3478 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-3d85304bf031 -o br-3d85304bf031 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-3d85304bf031 ! -o br-3d85304bf031 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-5aa183c725da ! -o br-5aa183c725da -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-3d85304bf031 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-5aa183c725da -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A ts-forward -i tailscale0 -j MARK --set-xmark 0x40000/0xff0000
-A ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
-A ts-forward -o tailscale0 -j ACCEPT
-A ts-input -s 100.64.0.4/32 -i lo -j ACCEPT
-A ts-input -s 100.115.92.0/23 ! -i tailscale0 -j RETURN
```
adam added the bug label 2025-12-29 02:20:37 +01:00
adam closed this issue 2025-12-29 02:20:37 +01:00
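The report above records two checks (the port shows LISTEN in `ss -tlnp`, the iptables INPUT policy is ACCEPT) but not the address each listener is bound to, which is the other common reason a port answers on one interface and not on tailscale0. The script below is an added example, not part of the issue and not headscale or tailscale code. It parses pasted `ss -Htlnp` and `iptables -S` output offline and answers two questions: is the port listening on a wildcard or on the node's Tailscale address, and can anything in the INPUT path drop the traffic. The sample outputs are constructed: the PIDs and the 8080/9443 listeners are invented, the chain names and the addresses 100.64.0.4 and 10.64.0.4 are taken from the issue.

```shell
#!/bin/sh
# Added example (not from the issue, headscale or tailscale): two offline checks for the
# "port 22 works, other ports do not" symptom. Input is pasted command output, so the
# script runs anywhere; on the affected node you would feed it `ss -Htlnp` and `iptables -S`.

# Constructed sample of `ss -Htlnp` output (PIDs and the 8080/9443 listeners are invented
# to show different bind addresses). Column 4 is the local "address:port".
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 4096 127.0.0.1:9443 0.0.0.0:* users:(("docker-proxy",pid=1402,fd=4))
LISTEN 0 511 10.64.0.4:8080 0.0.0.0:* users:(("nginx",pid=1510,fd=6))'

# Constructed excerpt of `iptables -S` covering the INPUT path, shaped like the ruleset
# in the issue (policy ACCEPT, INPUT jumps to ts-input, no DROP/REJECT anywhere).
SAMPLE_IPT='-P INPUT ACCEPT
-A INPUT -j ts-input
-A ts-input -s 100.64.0.4/32 -i lo -j ACCEPT
-A ts-input -s 100.115.92.0/23 ! -i tailscale0 -j RETURN'

# listener_reachable DEST PORT SS_OUTPUT
# Exit 0 if a LISTEN socket on PORT is bound to DEST or to a wildcard (0.0.0.0, *, [::]),
# 1 if PORT is listening but only on other addresses (loopback, the LAN IP, ...),
# 2 if nothing listens on PORT. Assumes the Linux dual-stack default, i.e. [::] also
# accepts IPv4 connections (net.ipv6.bindv6only=0).
listener_reachable() {
    printf '%s\n' "$3" | awk -v dest="$1" -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, p, ":")            # split at the last colon so [::]:22 parses
            lport = p[n]
            laddr = substr($4, 1, length($4) - length(lport) - 1)
            if (lport != port) next
            found = 1
            if (laddr == "0.0.0.0" || laddr == "*" || laddr == "[::]" || laddr == dest) {
                hit = 1; exit
            }
            bound = bound " " laddr
        }
        END {
            if (hit)   { print "port " port " is reachable on " dest; exit 0 }
            if (found) { print "port " port " listens only on" bound ", not on " dest; exit 1 }
            print "nothing listens on port " port; exit 2
        }'
}

# input_path_open IPTABLES_OUTPUT
# Exit 0 when the INPUT policy is ACCEPT and neither INPUT nor ts-input contains a
# DROP/REJECT rule; exit 1 and print each offending line otherwise. The two chain names
# are the ones in the issue's ruleset (assumption); extend the list if INPUT jumps elsewhere.
input_path_open() {
    printf '%s\n' "$1" | awk '
        $1 == "-P" && $2 == "INPUT" && $3 != "ACCEPT" { bad = 1; print "INPUT policy is " $3 }
        $1 == "-A" && ($2 == "INPUT" || $2 == "ts-input") {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && ($(i + 1) == "DROP" || $(i + 1) == "REJECT")) {
                    bad = 1; print "rule to inspect: " $0
                }
        }
        END { exit bad ? 1 : 0 }'
}

# On a real node:  listener_reachable "$(tailscale ip -4)" 8080 "$(ss -Htlnp)"
#                  input_path_open "$(iptables -S)"
# The exit status carries the verdict; the demo calls below print it on failure.
for port in 22 9443 8080; do
    listener_reachable 100.64.0.4 "$port" "$SAMPLE_SS" || echo "  (exit status $?)"
done
input_path_open "$SAMPLE_IPT" || echo "  (exit status $?)"
```

Run the `ss` check against the node's Tailscale address, not its LAN address: a service bound only to 10.64.0.4 or to 127.0.0.1 shows as LISTEN in `ss -tlnp` and passes an ACCEPT-everything firewall, yet never answers on tailscale0, while an sshd bound to 0.0.0.0 does. That combination gives exactly the symptom reported, independently of any ACL.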

@kyhwana commented on GitHub (Oct 17, 2023):

Do you have ANY ACLs set? If so, try removing them all and see what happens.

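The question above is worth probing because an ACL that only grants port 22 produces exactly the reported symptom with an otherwise open firewall. As an added illustration, not a policy from the issue or from headscale's own docs, this HuJSON fragment shows such a narrow rule next to the rule that permits every port (the address 100.64.0.4 is taken from the posted ts-input rule; that it is Server A's Tailscale address is an assumption):

```jsonc
{
  "acls": [
    // Narrow rule: any node may reach 100.64.0.4 on TCP/UDP port 22 only, so every
    // other listening port on that node looks dead even with iptables policy ACCEPT.
    { "action": "accept", "src": ["*"], "dst": ["100.64.0.4:22"] }

    // Replace the rule above with this one to get the "no ACLs" behaviour the
    // comment suggests testing:
    // { "action": "accept", "src": ["*"], "dst": ["*:*"] }
  ]
}
```

Diff the two before and after a `headscale` reload: if the extra ports start answering with the wide rule, the ACL was the cause; if they still do not, look at the listener's bind address and the host firewall instead.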

@MilkTeaNo7 commented on GitHub (Nov 12, 2023):

> Do you have ANY ACLs set? If so, try removing them all and see what happens.

It's been too long, I don't know how he is now, but he seems to be fine now

Reference: starred/headscale#569