Hi, I was wondering,
Do NAT punching software packages such as Tailscale require a kernel update and thus a ROS update,
or can we configure MikroTik to allow Tailscale?
I can’t seem to get Tailscale working on my office machine, which only uses these rules:
Is the public IP directly on that Mikrotik, or is there another NAT between that Mikrotik and the internet?
The whole NAT punching idea depends on a predictable behavior of the NAT. The UDP port used by the device on the private address must be preserved, which the Mikrotik’s firewall (linux netfilter) does when possible. Possible means that there is no other UDP connection to the same remote address and port from the same public address of the NAT, which is usually the case if the remote port is not a frequently used one. Hence each of the two peers must learn the port the other one will use for the connection and its public address. The helper server (teredo server, tailscale server) must listen on a public IP address, and facilitates detection of the public IPs, pairing the peers, and delivery of the connection information to the peers. So if e. g. the traffic from peer A to the helper server gets src-nated to another public IP than the traffic to peer B’s public IP, the NAT punching will fail, because peer B will get a wrong public address of peer A from the helper server.
I was experimenting with this (without tailscale as I could choose the ports myself and use dynamic DNS to learn the public IPs), and found that mobile operators do not keep the port, rendering the whole idea unusable.
The public IP should be detected on the Mikrotik, but the dialing is done on the modem.
Thanks for the detailed explanation.
I decided to separate the network for Tailscale remoting from the one for the Mikrotik.
It’s the only solution for me now, I guess.
Is this decision based on a successful experiment? I don’t get why the Mikrotik’s NAT should cause the problem, that’s why I’ve asked whether it has the public IP on itself. Even several stacked NATs are not a problem if all of them keep the local port unchanged; a single NAT which doesn’t is sufficient to break the idea.
Sorry, I did not understand at all what you mean by public IP being “detected” at the Mikrotik and “dialing” to be done on the modem. Either the public IP is assigned to the Mikrotik (by means of PPPoE, DHCP, or statically), or there is a NAT between the Mikrotik and the internet - in the modem, at the ISP core gear, or even at both places. If the public IP is not assigned directly to the Mikrotik, I’d suspect rather the other gear to spoil the show. BTW, some crazy ISPs assign public IPs to clients but NAT their traffic to other public NATs. So even the fact that your WAN address is a public one doesn’t necessarily mean that there is no other NAT between your WAN and the internet.
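The conditions laid out in the two explanations above (the UDP port kept toward both the helper server and the peer, a NAT that uses a different public source IP for the helper than for the peer, several stacked NATs that all keep the port, and a mobile NAT that hands out a new port per destination) as an added simulation in Python. This is constructed example code, not anything from this thread, from RouterOS or from Tailscale. All addresses, the helper endpoint 198.51.100.1:3478, the NAT names, the peer port 41641 and the port allocator starting at 40000 are made up for the example, and the model assumes address-and-port-restricted filtering, i.e. an inbound UDP packet is accepted only from the exact remote endpoint the inside host has already sent to. The last scenario goes one step beyond the posts: what punching really needs is that a host's mapping be the same toward every destination, which port preservation gives, but which also survives when the preferred port is already taken by another host behind the same NAT.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]                   # (ip, port)
HELPER: Endpoint = ("198.51.100.1", 3478)    # constructed rendezvous/helper server address


@dataclass
class Nat:
    """One NAT hop (constructed model). public_ip_for(remote_ip) picks the source address
    used toward that destination. preserve_port=True maps an internal endpoint to the same
    external endpoint toward every destination, keeping the internal port while it is free
    on that public IP; preserve_port=False allocates a fresh port per destination."""
    name: str
    public_ip_for: Callable[[str], str]
    preserve_port: bool = True
    next_port: int = 40000
    mappings: Dict[tuple, Endpoint] = field(default_factory=dict)
    reverse: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    used_ports: Dict[str, Set[int]] = field(default_factory=dict)
    allowed: Set[Tuple[Endpoint, Endpoint]] = field(default_factory=set)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outgoing packet; return the external (ip, port) it leaves with."""
        pub_ip = self.public_ip_for(dst[0])
        key = (src, pub_ip) if self.preserve_port else (src, pub_ip, dst)
        ext = self.mappings.get(key)
        if ext is None:
            used = self.used_ports.setdefault(pub_ip, set())
            port = src[1] if self.preserve_port and src[1] not in used else None
            if port is None:                  # port already taken, or per-destination policy
                while self.next_port in used:
                    self.next_port += 1
                port = self.next_port
                self.next_port += 1
            used.add(port)
            ext = (pub_ip, port)
            self.mappings[key] = ext
            self.reverse[ext] = src
        # address-and-port-restricted filtering: only this remote may answer on this mapping
        self.allowed.add((ext, dst))
        return ext

    def inbound(self, remote: Endpoint, ext: Endpoint) -> Optional[Endpoint]:
        """Translate an incoming packet, or drop it (None) when no matching hole exists."""
        if (ext, remote) not in self.allowed:
            return None
        return self.reverse.get(ext)


def send(chain: List[Nat], src: Endpoint, dst: Endpoint) -> Endpoint:
    """Push a packet outward through the NATs (innermost first); return its public source."""
    for nat in chain:
        src = nat.outbound(src, dst)
    return src


def receive(chain: List[Nat], remote: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
    """Pull a packet inward through the NATs (outermost first); return the inside target."""
    for nat in reversed(chain):
        dst = nat.inbound(remote, dst)
        if dst is None:
            return None
    return dst


def hole_punch(chain_a: List[Nat], a_local: Endpoint,
               chain_b: List[Nat], b_local: Endpoint) -> bool:
    """Run the rendezvous exchange and report whether traffic then flows both ways."""
    a_seen = send(chain_a, a_local, HELPER)   # 1. each peer registers; the helper records
    b_seen = send(chain_b, b_local, HELPER)   #    the public endpoint it sees
    a_ext = send(chain_a, a_local, b_seen)    # 2. helper hands out the endpoints; each peer
    b_ext = send(chain_b, b_local, a_seen)    #    sends directly to the other's reported one
    # 3. the packets get through only if the reported endpoints were the real ones
    return (receive(chain_b, a_ext, b_seen) == b_local
            and receive(chain_a, b_ext, a_seen) == a_local)


B_LOCAL: Endpoint = ("192.168.1.10", 41641)   # constructed: peer B behind a home router


def peer_b() -> List[Nat]:
    return [Nat("home-router", lambda _r: "203.0.113.20")]


def single_preserving_nat() -> bool:
    a = [Nat("office-mikrotik", lambda _r: "203.0.113.10")]
    return hole_punch(a, ("192.168.88.10", 41641), peer_b(), B_LOCAL)


def stacked_preserving_nats() -> bool:
    a = [Nat("mikrotik", lambda _r: "100.64.0.5"),          # WAN address is CGNAT-range
         Nat("isp-cgnat", lambda _r: "203.0.113.10")]
    return hole_punch(a, ("192.168.88.10", 41641), peer_b(), B_LOCAL)


def mobile_nat_new_port_per_destination() -> bool:
    a = [Nat("mobile-cgnat", lambda _r: "203.0.113.30", preserve_port=False)]
    return hole_punch(a, ("10.0.0.2", 41641), peer_b(), B_LOCAL)


def isp_picks_source_ip_by_destination() -> bool:
    def pick(remote_ip: str) -> str:    # helper and peer B see different public IPs
        return "203.0.113.11" if remote_ip == HELPER[0] else "203.0.113.12"
    return hole_punch([Nat("isp-multi-ip", pick)], ("192.168.88.10", 41641), peer_b(), B_LOCAL)


def second_host_port_collision() -> bool:
    """Two hosts behind one preserving NAT both use 41641: the second gets another port,
    but that port is the same toward helper and peer, so punching still succeeds."""
    nat = Nat("office-mikrotik", lambda _r: "203.0.113.10")
    hole_punch([nat], ("192.168.88.10", 41641), peer_b(), B_LOCAL)   # first host takes 41641
    return hole_punch([nat], ("192.168.88.11", 41641), peer_b(), B_LOCAL)
```

Each scenario function returns True when both directions get through. Only the mobile NAT and the ISP that picks its source IP by destination make it fail; one preserving NAT, two stacked preserving NATs, and a port collision behind a preserving NAT all still work, which matches the point that a single non-preserving hop anywhere in the chain is what breaks it.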