PBR and Tailscale: Failed to set up 'TsIntDxb/tailscale0/IP'! Unknown Error!

I set up a Tailscale machine remotely and I am connecting to it via OpenWRT at home.

I would like to set up PBR to use Tailscale only with some services. However, even if Tailscale works perfectly, I get the error below when running PBR:

"Failed to set up 'TsIntDxb/tailscale0/REMOTE_IP'!
Unknown Error!"

(I edited the real IP inserting "REMOTE_IP")

I tried to add the name of the Tailscale interface to PBR, but it does not work. Is there anything else I shall do?

I see that the routes are these:

I should set that the bold is 192.168.2.0/24 and not 192.168.0.1/24, am I correct?

root@OpenWrt:~# ip route show table all
default via 192.168.70.254 dev wan table pbr_wan
192.168.1.0/24 dev br-lan table pbr_wan proto kernel scope link src 192.168.1.1
192.168.1.0/24 dev br-lan table pbr_TsIntDxb proto kernel scope link src 192.168.1.1
default via 192.168.2.1 dev br-at table pbr_intat
192.168.1.0/24 dev br-lan table pbr_intat proto kernel scope link src 192.168.1.1
default dev tailscale0 table 52

Ideally, send PR for Tailscale support within pbr.

This is what I would like to do, but when I install PBR, I get that it can't read the interface.

I get this error:
"Failed to set up 'TsIntDxb/tailscale0/REMOTE_IP'!
Unknown Error!"

(I edited the real IP inserting "REMOTE_IP")

Seems to work just fine out of the box.

Setting up routing for 'tailscale/tailscale0/100.67.172.145' [✓]
Routing 'SSH' via tailscale [✓]

I found the issue... when I set the tailscale, I added the IP of the server, but I put the wrong net mask. I set 255.255.255.0 instead of 255.255.255.255.

Now it's fine, but even if PBR recognizes it and states the WAN as default route, I am browsing not via wan, but via Tailscale. I have to set the gateway metric to modify this behaviour, but when I reboot, I have the same issue.

I am not clear why... Is there something wrong in the configuration?

Network:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'EDIT'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option metric '50'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'br-at'
        list ports 'wlan1-1'

config device
        option type 'bridge'
        option name 'br-it'
        list ports 'wlan1-2'

config device
        option type 'bridge'
        option name 'br-ch'
        list ports 'wlan1-3'

config device
        option type 'bridge'
        option name 'br-uk'
        list ports 'wlan1-4'

config interface 'TsIntDxb'
        option proto 'static'
        option device 'tailscale0'
        option ipaddr 'EDIT'
        option force_link '0'
        option defaultroute '0'
        option netmask '255.255.255.255'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option metric '100'

config device
        option type 'bridge'
        option name 'br-nl'
        list ports 'wlan1-5'

config interface 'intat'
        option proto 'static'
        option device 'br-at'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config interface 'wg0nl'
        option proto 'wireguard'
        option private_key 'EDIT'
        list addresses '10.66.60.2/32'
        list addresses 'fd42:41:41::2/128'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config wireguard_wg0nl
        option description 'Wg0NLServer'
        option public_key 'EDIT'
        option preshared_key 'EDIT'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option route_allowed_ips '0'
        option endpoint_host 'EDIT'
        option endpoint_port '8500'
        option persistent_keepalive '25'

config interface 'intnl'
        option proto 'static'
        option device 'br-nl'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option metric '100'

root@OpenWrt:~#

I think it is a matter of routes, but I can't figure out what the problem is:

Which route shall I add to ensure that LAN (192.168.1.1/24) will be routed via WAN and that 192.168.2.1/24 will go via Tailscale?

I also have a WireGuard interface 192.168.3.1/24, I am not sure how they can coexist.

Does someone know how to help me?

root@OpenWrt:~# ip route show table all
default via 192.168.1.1 dev br-lan table pbr_lan
default via 192.168.70.254 dev wan table pbr_wan
default via EDIT dev tailscale0 table pbr_TsIntDxb
default via 192.168.2.1 dev br-at table pbr_intat
default via 10.66.60.2 dev wg0nl table pbr_wg0nl
default via 192.168.3.1 dev br-nl table pbr_intnl
default dev tailscale0 table 52
EDIT dev tailscale0 table 52
EDIT dev tailscale0 table 52
EDIT dev tailscale0 table 52
throw 127.0.0.0/8 table 52
throw 192.168.1.0/24 table 52
throw 192.168.2.0/23 table 52
192.168.20.0/24 dev tailscale0 table 52
throw 192.168.70.0/24 table 52
default via EDIT dev tailscale0 table pbr_at
default via 192.168.70.254 dev wan proto static src 192.168.70.64
EDIT dev tailscale0 proto static scope link metric 20
EDIT via 192.168.70.254 dev wan proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev br-at proto kernel scope link src 192.168.2.1
192.168.3.0/24 dev br-nl proto kernel scope link src 192.168.3.1
192.168.70.0/24 dev wan proto kernel scope link src 192.168.70.64
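
Added example, not part of any post in this thread: a check for the netmask mistake reported above, where a static interface on tailscale0 was given 255.255.255.0 instead of 255.255.255.255. The sample config, the interface names TsBad and TsGood, and the 100.64.0.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit UCI network config for a
# non-host netmask on an interface bound to the Tailscale device.
# SAMPLE_CONFIG is constructed; names and 100.64.0.x addresses are made up.
SAMPLE_CONFIG="config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'TsBad'
        option proto 'static'
        option device 'tailscale0'
        option ipaddr '100.64.0.10'
        option netmask '255.255.255.0'

config interface 'TsGood'
        option proto 'static'
        option device 'tailscale0'
        option ipaddr '100.64.0.11'
        option netmask '255.255.255.255'
"

# check_ts_netmask [device]: reads UCI config text on stdin and prints
# "<interface> <netmask> OK|BAD" for every interface bound to the device.
# OK means the netmask is the host mask 255.255.255.255.
check_ts_netmask() {
    awk -v dev="${1:-tailscale0}" -v q="'" '
        function unq(s) { gsub(q, "", s); return s }   # strip UCI quoting
        function report() {
            if (name != "" && device == dev)
                printf "%s %s %s\n", name, (mask == "" ? "unset" : mask), (mask == "255.255.255.255" ? "OK" : "BAD")
        }
        # A new "config" line closes the previous section and opens the next.
        $1 == "config" { report(); name = ($2 == "interface") ? unq($3) : ""; device = ""; mask = "" }
        $1 == "option" && $2 == "device"  { device = unq($3) }
        $1 == "option" && $2 == "netmask" { mask = unq($3) }
        END { report() }
    '
}

# Run against the constructed sample.
printf '%s' "$SAMPLE_CONFIG" | check_ts_netmask tailscale0
```

On the router itself, the same function can read the real file: check_ts_netmask tailscale0 < /etc/config/network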
