Unable to ping Tailscale Advertised subnets

Hello,
I am currently testing a Tailscale client on a GL.iNet AXT1800 router running OpenWrt v21.03. I am unable to ping Tailscale advertised subnets from a DHCP-connected Windows 10 PC; however, from the OpenWrt command line I can ping all Tailscale advertised subnets. There appears to be a routing issue between the DHCP-connected Windows 10 PC and OpenWrt. Can someone assist? Many thanks in advance.

Welcome to the community!

Can we see your network and firewall configs?

cat /etc/config/network
cat /etc/config/firewall

Hi @lleachii,
Thanks for the prompt reply, please find below the output from both files:

**root@GL-AXT1800:~# cat /etc/config/network**
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fef6:f3e8:fd67::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'

config device
        option name 'eth1'
        option macaddr '96:74:d7:20:bb:e2'

config device
        option name 'eth2'
        option macaddr '96:74:d7:20:bb:f2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option isolate '0'
        option ipaddr '172.16.10.1'

config device
        option name 'eth0'
        option macaddr '96:74:d7:20:bb:e2'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option force_link '0'
        option ipv6 '0'
        option metric '10'

config interface 'wan6'
        option proto 'dhcpv6'
        option ifname '@wan'
        option disabled '1'

config switch
        option name 'switch0'
        option reset '0'
        option enable_vlan '0'

config interface 'tethering6'
        option ifname '@tethering'
        option proto 'dhcpv6'
        option disabled '1'

config interface 'wwan6'
        option ifname '@wwan'
        option proto 'dhcpv6'
        option disabled '1'

config interface 'guest'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ip6assign '60'
        option multicast_querier '1'
        option igmp_snooping '0'
        option isolate '0'
        option bridge_empty '1'
        option ipaddr '10.20.10.100'
        option netmask '255.255.255.0'

config interface 'wwan'
        option proto 'dhcp'
        option metric '20'

config rule 'policy_bypass_vpn'
        option mark '0x60000/0x60000'
        option lookup '53'
        option priority '53'

config rule 'policy_via_vpn'
        option mark '0x80000/0x80000'
        option lookup '52'
        option priority '52'

config rule 'policy_dns'
        option mark '0x100000/0x100000'
        option lookup '51'
        option priority '51'

config interface 'tethering'
        option proto 'dhcp'
        option ifname 'eth3'
        option metric '30'


**root@GL-AXT1800:~# cat /etc/config/firewall**
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option input 'DROP'
        option masq '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        list network 'tethering'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'

config zone
        option name 'guest'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Allow-DHCP'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule
        option name 'Allow-DNS'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config include 'vpn_server_policy'
        option type 'script'
        option path '/etc/firewall.vpn_server_policy.sh'
        option reload '1'
        option enabled '1'

config rule 'process_mark'
        option name 'process_mark'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 65533'
        option target 'MARK'
        option set_xmark '0x80000/0x80000'

config rule 'wan_in_conn_mark'
        option name 'wan_in_conn_mark'
        option src 'wan'
        option dest '*'
        option set_xmark '0x80000/0x80000'
        option target 'MARK'
        option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x80000/0x80000'
        option enabled '0'

config rule 'lan_in_conn_mark_restore'
        option name 'lan_in_conn_mark_restore'
        option src 'lan'
        option dest '*'
        option set_xmark '0x80000/0x80000'
        option target 'MARK'
        option extra '-m connmark --mark 0x80000/0x80000 -j CONNMARK --restore-mark'
        option enabled '0'

config rule 'out_conn_mark_restore'
        option name 'out_conn_mark_restore'
        option dest '*'
        option set_xmark '0x80000/0x80000'
        option target 'MARK'
        option extra '-m connmark --mark 0x80000/0x80000 -j CONNMARK --restore-mark'
        option enabled '0'

config include 'swap_wan_in_conn_mark'
        option type 'script'
        option reload '1'
        option enabled '0'
        option path '/etc/firewall.swap_wan_in_conn_mark.sh'

config rule 'block_dns'
        option name 'block_dns'
        option src '*'
        option device 'br-+'
        option dest_port '53'
        option target 'REJECT'
        option enabled '0'

config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glblock'
        option type 'script'
        option path '/usr/bin/gl_block.sh'
        option reload '1'

config rule 'sambasharewan'
        option src 'wan'
        option dest_port '127 228 169 487'
        option dest_proto 'tcpudp'
        option target 'ACCEPT'

config rule 'sambasharelan'
        option src 'lan'
        option dest_port '137 188 176 555'
        option dest_proto 'tcpudp'
        option target 'ACCEPT'

config rule 'glnas_ser'
        option src 'wan'
        option dest_port '6000-6002'
        option dest_proto 'tcp'
        option target 'DROP'

config rule 'webdav_wan'
        option src 'wan'
        option dest_port '6008'
        option dest_proto 'tcp'
        option target 'ACCEPT'




Thank you.

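I guess you're missing the reverse route [to your LAN subnet] at the destination network. Pings sent from the router itself leave with the router's own Tailscale address as their source, which the remote side already knows how to reach; pings from the Windows PC arrive with a 172.16.10.x source address, and if the destination network has no route back to that subnet, the echo replies never return. Nothing to do with your OpenWrt router.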

Hi @AndrewZ,

I would have thought that when you invoke a ping on a DHCP client, the gateway (in my case the OpenWrt router) would handle the request and provide an echo reply. What is the process for adding a reverse route? Thank you.

Hi @lleachii,

Just to provide you more information; please find below the issue I am having:

From my DHCP connected client (Windows 10):
Pinging 192.168.10.125 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

From the OpenWrt CLI:
root@GL-AXT1800:~# ping 192.168.10.125
PING 192.168.10.125 (192.168.10.125): 56 data bytes
64 bytes from 192.168.10.125: seq=0 ttl=64 time=126.535 ms
64 bytes from 192.168.10.125: seq=1 ttl=64 time=86.916 ms
64 bytes from 192.168.10.125: seq=2 ttl=64 time=35.982 ms

I would have thought that the pings would work from Windows 10, given that the OpenWrt device is its gateway. Your thoughts? Thank you.