How to route only one client through Tailscale exit node?

Hi, I have an RPi 4 running OpenWrt. I have it set up successfully as a full tunnel following the official guide.
This way ALL of the LAN's traffic gets redirected to the exit node, but that isn't necessary/desired for me. My problem is that my WAN blocks everything but ports 80 and 443 (even the NTP servers...), so right now whenever I need a service on a different port (from a device that can't run Tailscale) I turn on the exit node on the router and disable it when I'm done, which is incredibly annoying.
Is there a way to only route some ports (in my case everything but 80 and 443) to the Tailscale exit node and everything else directly to WAN? I'd also be happy with routing ALL the traffic from a SINGLE IP (the one that cannot run Tailscale directly) to the exit node and the rest to WAN.

I tried messing around with routing and firewall but it's one of the few areas of IT that I can't understand for the life of me. My main problem is I can't find all the specific lines in all configuration files that change when I run tailscale up --exit-node-allow-lan-access --exit-node <name> so I can't figure out what to manually replicate/modify for my "custom" exit node needs.

Install tailscale on that client?

In a default configuration the kernel routes packets based on their destination IP, not their source. What you want is source-based routing, which is typically done with the pbr package.

Sorry for the late reply, I was busy graduating :smiley:

I was messing around with pbr but I couldn't get it to work as I wanted (WAN default, pbr only for some dports). I'm guessing it's because without telling Tailscale to use an exit node, all traffic sent by pbr to the tailscale0 iface doesn't know where to go. But I have no idea how to make tailscale0 send the traffic to the exit node without hijacking all the other traffic too (default exit node behaviour).
I could only figure out a partial solution, basically the opposite. I have the router connected to the exit node, and the working ports (53, 80, 443) are routed to WAN with pbr. The key was setting the pbr.config.wan_rule_priority to 1000 to overrule the Tailscale rules.
The only real problem (apart from the unnecessary firewall work and shoddiness) is that for some reason all traffic coming from the router itself doesn't follow pbr, and all goes through Tailscale. It isn't a big deal since the only local traffic is opkg but it still irks me.

I'm gonna keep looking into it now that I have time. If you have any suggestions, they'd be greatly appreciated.
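
The priority change described in the last post can be seen in a small model of how Linux walks its policy-routing rules in ascending priority order. This is an added example, not code or output from any poster in the thread: rule priorities 5210/5270 and table 52 are the layout Tailscale normally installs on Linux, while the pbr mark, mask, table name and the "late" priority 30000 are constructed sample values.

```python
# Added illustration: constructed model of Linux policy-routing rule evaluation.
# Priorities 5210/5270 and table 52 are the layout Tailscale normally installs on
# Linux; the pbr mark, mask and table name are constructed sample values.

TABLES = {
    "main": "wan",           # ordinary default route via WAN
    "52": "tailscale0",      # default route Tailscale adds while an exit node is in use
    "pbr_wan": "wan",        # hypothetical table holding pbr's WAN default route
}

PBR_MARK, MARK_MASK = 0x10000, 0xFF0000   # constructed fwmark set on dport 53/80/443
TS_BYPASS_MARK = 0x80000                  # mark on tailscaled's own encrypted packets


def build_rules(pbr_priority):
    """Return (priority, fwmark selector or None, table), lowest priority first."""
    rules = [
        (pbr_priority, PBR_MARK, "pbr_wan"),
        (5210, TS_BYPASS_MARK, "main"),
        (5270, None, "52"),          # no selector: matches every packet
        (32766, None, "main"),
    ]
    return sorted(rules, key=lambda r: r[0])


def egress(fwmark, pbr_priority):
    """Walk the rules like the kernel does and return (priority hit, device)."""
    for priority, selector, table in build_rules(pbr_priority):
        if selector is not None and (fwmark & MARK_MASK) != selector:
            continue                 # selector does not match, try the next rule
        device = TABLES.get(table)
        if device:                   # table has a default route, lookup ends here
            return priority, device
    return None, None


if __name__ == "__main__":
    for prio in (30000, 1000):
        print(f"pbr rule at {prio}: marked packet leaves via", egress(PBR_MARK, prio))
    print("unmarked packet leaves via", egress(0, 1000))
```

On a real router, `ip rule show` lists the actual priorities, which is the quickest check that the pbr rules sit ahead of the catch-all lookup of table 52.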