vovan700i
newbie
Topic Author
Posts: 48
Joined: Wed Jun 06, 2012 8:34 am

Tailscale container: iptables not working

Thu Dec 28, 2023 2:01 pm

Hi,

I’m trying to run an official Tailscale container. The Tailscale software works correctly, but in order to enable proper forwarding it tries to create a firewall rule inside the container and fails.

Command:
iptables -t filter -A ts-forward -i tailscale0 -j MARK --set-mark 0x40000/0xff0000 --wait
Error:
exit status 1: iptables: Invalid argument. Run `dmesg' for more information
Output of iptables -S when the container is running:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ts-forward
-N ts-input
-A INPUT -j ts-input
-A FORWARD -j ts-forward
-A ts-input -s 100.115.92.0/23 ! -i tailscale0 -j RETURN
-A ts-input -s 100.64.0.0/10 ! -i tailscale0 -j DROP
-A ts-input -i tailscale0 -j ACCEPT
Unfortunately, dmesg can't be run inside the container (forbidden?). Although xt_mark is listed as a loaded kernel module by the lsmod command, the system seems to lack packet marking capability.

Critical environment variables: I reported the problem to MikroTik support (SUP-138792) and received the following answer:
Currently, there are no available iptables for third-party code. We will explore possible solutions if we receive similar requests from our clients. We are sorry for the inconvenience caused.
For all those users who are interested in Tailscale and other containers using iptables, please, submit your requests via the support portal.
 
dimmuboy
just joined
Posts: 1
Joined: Thu Mar 28, 2024 10:03 pm

Re: Tailscale container: iptables not working

Thu Mar 28, 2024 10:06 pm

I'm dealing with the same problem with https://github.com/Fluent-networks/tailscale-mikrotik
Were you lucky with yours?
 
vovan700i
newbie
Topic Author
Posts: 48
Joined: Wed Jun 06, 2012 8:34 am

Re: Tailscale container: iptables not working

Tue Apr 02, 2024 2:32 pm

> Were you lucky with yours?
As mentioned above, I approached support and received a confirmation of this issue. You may also submit a new ticket and tell them you are interested in allowing iptables inside containers as well.
 
artooro
just joined
Posts: 3
Joined: Fri Aug 04, 2023 7:46 pm

Re: Tailscale container: iptables not working

Wed May 15, 2024 6:37 pm

Did you get a response from MikroTik on the request to have an option to allow access to iptables / nftables from containers?
 
vovan700i
newbie
Topic Author
Posts: 48
Joined: Wed Jun 06, 2012 8:34 am

Re: Tailscale container: iptables not working

Sat May 18, 2024 9:10 pm

> Did you get a response from MikroTik on the request to have an option to allow access to iptables / nftables from containers?

Actually, iptables / nftables rules are partially allowed in containers. E.g. you can use basic filter and nat rules. However, MikroTik has never disclosed what is allowed and what is forbidden, and they seem unwilling to do so.

The problem with Tailscale is that it requires packet marking to work properly, i.e. -j MARK of iptables / nftables, and the RouterOS kernel seems to limit this functionality in containers for some reason, or it may even lack the standard Linux marking module and use its own custom module for similar purposes.
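An added diagnostic (not from any poster in this thread, nor from Tailscale or MikroTik): a small POSIX sh probe to run inside the container before deploying Tailscale. It tries the exact rule that fails above in a throwaway chain, alongside a plain ACCEPT rule, so the two situations the thread leaves open (no iptables at all vs. only the MARK target being rejected) can be told apart; the chain name and the IPTABLES override variable are this example's own choices.

```shell
#!/bin/sh
# Added example: probe which iptables rules the container's kernel accepts.
# The MARK rule is the one Tailscale fails with in the thread; both probes
# use a throwaway chain that is always flushed and deleted afterwards.
#
# probe_rule IPTABLES_BINARY RULE_ARGS...
#   returns 0 if the rule was accepted, 1 if the kernel rejected it
#   (the "Invalid argument" case), 2 if even a plain chain cannot be created.
probe_rule() {
    ipt="$1"; shift
    chain="probe-$$"                      # per-process name, avoids clashes
    "$ipt" -t filter -N "$chain" 2>/dev/null || return 2
    if "$ipt" -t filter -A "$chain" "$@" 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    # Clean up regardless of outcome: flush, then delete the probe chain.
    "$ipt" -t filter -F "$chain" 2>/dev/null || true
    "$ipt" -t filter -X "$chain" 2>/dev/null || true
    return "$rc"
}

# classify_iptables [IPTABLES_BINARY]
#   prints one word: no-iptables, no-mark-target, or mark-ok
classify_iptables() {
    ipt="${1:-iptables}"
    plain=0
    probe_rule "$ipt" -i tailscale0 -j ACCEPT || plain=$?
    mark=0
    probe_rule "$ipt" -i tailscale0 -j MARK --set-mark 0x40000/0xff0000 --wait || mark=$?
    if [ "$plain" -ne 0 ]; then
        echo "no-iptables"        # filter table unusable, matches the support reply
    elif [ "$mark" -ne 0 ]; then
        echo "no-mark-target"     # basic rules work, MARK rejected (the thread's case)
    else
        echo "mark-ok"            # Tailscale's forwarding rule would succeed
    fi
}

# IPTABLES (assumed variable) lets you point at another binary, e.g. a legacy build.
classify_iptables "${IPTABLES:-iptables}"
```

Run it as root inside the container; the single printed word is what to quote in a support ticket.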
