# Tailscale Subnet ping timed out
windows firewall blocks pings by default
i use kaspersky not windows firewall
though, just noticed thats tailscale ping and not regular ping, tailscale ping should work
well i originally had subnet as that
i tried 192.168.0.0/24
still cant, tailscale ping times out
try /23 instead
also try running tailscale netcheck --verbose
and i think this routing issue is why i cant load my plex server through the plex app but can indirect load through browser
k what does this netcheck mumbo jumbo mean ?
im as green as they come to networking lol
see lots of stun packets and checks
it checks your connection health and your connection to tailscale's derp relay servers, which are vital in establishing a connection between machines (connections are direct, but they need some help from our servers to discover each other)
those results look fine
the other lines would only have been interesting if they failed but doesn't look it
what about the same on the other machine?
and try /23 for the subnet, using /24 can sometimes cause subnet overlap problems
did you try that on both machines?
well my other machine is iphone
...
wuhawk subnet is main device im not using, not sure how to get rid of subnet tag for it
oh
on iphone if you hold your finger on a machine you can ping it, but there's no netcheck equivalent
what client version? also can you check your acl policy under access control on the admin panel
hit ping but nothings happening
latest client version
not sure where its listed for version
we do staged rollouts so latest has several meanings :)
im brand new to tailscale
tap the profile icon and then About Tailscale
that one should be good
can you check access control tab on the admin panel?
if you don't understand it you can screenshot it and I'll try to work it out
the file or the visual editor, either works
would i be able to stream some how ?
ill just remove acl after so my email not on here forever
i notice the routes didnt update in acl its still using old subnet i originally set
but it also was in same problem
set it to the new subnet pinged iphone ip from host still times out
those grants are really restrictive and don't allow any machine to access anything
how i fix
my sole purpose is to open plex app on phone and it shows my libraries, tunnels to my host machine, routes traffic as my host machine
first of all, youll want to stop tagging everything, you shouldnt tag phones or computers, only headless servers
tagging a device removes its user identity which causes problems
if the tailnet is only controlled by you and you trust every device on it, you should start from scratch with grants that allow everything to access everything
aha but you have a group with multiple users, thats why you want to have them restricted. you shouldnt use tags for this though
i think i messed everything up lol
i deleted the acl file because it has emails in it but only after i used it to understand whats going on
the ssh, tagOwners, nodeAttrs and autoApprovers seem fine, but the grants section is wrong
this rule:
```json
{
  "src": ["group:PlexMedia"],
  "dst": ["tag:PlexUsers"],
  "ip": ["tcp:32400", "*"],
},
```
isnt working because when you tagged your devices they removed the user identity tying them to the group, so the `group:PlexMedia` no longer matches anything
i removed all my devices except host machine
reauthed with phone but 2 addresses under host for some reason and now connector needs review
i kind of wanna start from scratch at this point lol
but i forget the commands i used
these users listed under group:PlexMedia, are they added in the Users section of the admin panel or did you share an individual machine with them? this will change what policy you should write
yes
yes to which one :D
also yes, starting from scratch sounds like a good idea because this policy is a bit of a mess and youve screwed with the state of the machines by tagging them
kkk let me remove all machines
also deleting because it contains peoples email addresses but thanks it sounds like theyre added as external users
which machine does plex run on?
kk
im in an issue i deleted all devices
but now wants to send link to email but fails to do so
do i gotta reinstall the app?
k i just needed to close and reopen tailscale to reauth
alright
for the grants, i would just do
```json
"grants": [
  {
    "src": ["[email protected]"],
    "dst": ["*"],
    "ip": ["*"],
  },
  {
    "src": ["group:PlexMedia"],
    "dst": ["100.x.x.x"],
    "ip": ["tcp:32400"],
  },
],
```
where [email protected] is your personal email address, 100.x.x.x is the tailscale ip of the machine that runs plex, and group:plexmedia is the same group from before
then as long as you dont tag anything, that gives your machines access to everything and the other users machines access only to plex
ughhh one sec its not putting my iphone as a machine
then if you want to give the other users access to an IP on the subnet router you can add that to dst and add protocols/ports to ip as needed
this might make more sense if you view it in the visual editor, im just working from the json provided
k sorry i was getting iphone back as a machine
kk json file
i gotta reset it to default how do i do that?
honestly everything except the grants section is fine so i wouldnt
just replace the grants block with a new one
well
uh
this app connector is kinda weird too
but like
it wont cause harm either
hang on
well the app connector i got it to work before services...
first time i got it to work so its on a different tag :/
try resetting it to this
```json
{
  "grants": [
    {
      // your own account: everything to everything
      "src": ["[email protected]"],
      "dst": ["*"],
      "ip": ["*"],
    },
    {
      // the shared group: only the plex port on the plex machine
      "src": ["group:plexmedia"],
      "dst": ["100.x.x.x"],
      "ip": ["tcp:32400"],
    },
  ],
  "ssh": [
    {
      "action": "check",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "users": ["autogroup:nonroot", "root"],
    },
  ],
  "groups": {
    "group:plexmedia": ["[email protected]", "[email protected]"],
  },
}
```
and fill in the emails and the ip of the machine with plex
that app connector has "domains": ["100.64.208.135"],
which is never going to work, that isnt what app connectors do
so dst is the ipv4 of host machine right?
"*" is all ports and protocols, right?
yeah
you want that for your own devices, and would only want to restrict it for other users
yeah
as far as i can see you dont need tags
auto approvers is only needed for app connectors, which also dont seem necessary for this setup
you can add those later as you need them, better to start with a mostly blank slate
to get the service of plex to work it said i needed app connector...
where did you see that said?
you may need to add something for the subnet later too, but this can be worked out
k i deleted the tags section now i got error
whats the error
youre missing a ], at the end of the grants section
add it after the last }, under grants
youre missing ], after ssh block as well
need it here
json is not great to work with so once this is over you can use the visual editor instead
k i deleted the tags, i put ] there but still error: line 23 column 2 invalid character ' after object value
] needs , after it
comma tells it theres more afterwards
] closes the list
so drop a comma on the end of line 22
you can remove the app connector for now
its invalid anyway, and doesnt provide any benefit
k
remove the whole nodeAttrs section so its like my small example
then if something doesnt work, can add things as needed from there
its removed
does it let you save now
kk this what it looks like now
great, but please do try not to keep sending email addresses in public messages
sorry
you should see ping working now, and can test other things and try setting up the subnet router
that should work now
great
direct connection not established
now test things like plex, and try advertising the subnet route
it says at end
that means your traffic is being relayed as some firewall or isp is preventing direct connections
connections will still work, just slow
or does the ip need to be more machine specific
yes
uh
sorry can i ask, why were you setting up the subnet router in the first place?
like did something say you needed it for plex
personally i didnt think i needed it ....
you might not
see when i first set up the service
it told me i needed app connector
and to have app connector i needed subnet routing
could i ask where you saw that was needed?
sec i got ss somewhere
i only ask because it sounds like you got quite confused down a rabbit hole of unneeded complexities and i'd like to know if theres anything we can do to stop people getting that impression in future
or if theres something extra i missed / didnt consider
re plex: can you try connecting to 100.91.232.49:32400 from plex, i believe it should work at this point assuming thats the tailnet ip of the machine running plex server
i cant find the ss :/
but basically
it started setting up the host
i typed the command that it told me to ...
and it just opened serve help list
from there i googled
and on google and from documentation app connector was mentioned
and i probably assumed service was listed ...
and that app needed to be setup for it to work through plex app
and then wound up the rabbit hole of app connector
and then got confused over 2 days
and then i finally figured right way to type the commands
because tailscale up dont work with setting subnets
which google and documentation says
i had to use tailscale set...
and the --advertise routes part
i had to ditch the -- before advertise
anyways been a 3 day struggle of mine
k i gotta put that as the custom url in plex
sec
so for custom url it be http:/100.91.232.49:32400
try http://100.91.232.49:32400 in a web browser too just to check
and try that same url in browser on the pc running plex as well, again just to check
you may have to reconfigure plex to listen on the tailscale ip
that im not sure how to do
...
thats all i have for network settings
maybe i need to list the ips for auth?
preferred network interface should have done it...
only shows my nord vpn and my wifi
you restarted plex after reauthing tailscale right?
yeah i just restarted plex like 5 mins ago
but its never showed tailscale under that list
like for the 3 days ive been playing around with tailscale
i know they making it so you have to pay to remote ....
but nord meshnet worked with out having to have remote pass or plex pass
when i heard about tailscale im like perfect its a tunnel same as meshnet
i have two different ideas
idea 1, try running tailscale serve --bg --tcp=32400 127.0.0.1:32400
then check it again with the tailscale ip
if that fails, idea 2, run
tailscale set --advertise-routes=192.168.50.156/32
then try accessing http://192.168.50.156:32400 from the other devices instead
btw based on that screenshot your network is 192.168.50.xxx, so the subnet route you advertised previously was never going to work since its the wrong subnet
(you were using 0 instead of 50)
well i had it 192.168.50.0
at the very beginning
rabbit hole told me i did it wrong lol
you were misinformed
i tried 192.168.50.1 wouldnt let me
a lot, it seems
but when i dropped the 1 and put 0 it worked
anyway
k doing second command as webpage still isnt working now
that second command advertises just the ip address of your computer, not anything extra, so theres less chance for it to break or cause unwanted consequences
k it worked on phone
good
So I’d put that link to plex custom url ?
yes
to get your other users to access it youll also need to add "192.168.50.1/32" to the dst of your restricted grant
the only warning i will give is, this might break if your home router decides to change the local ip of your machine, if you have access to the router settings you can set a static local ip to fix this
and i don't know why it didnt work with the tailscale ip, it should have, but maybe this is part of plex cracking down on people bypassing their restrictions
k so grants bottom or top section
it might do it often or it might do it never, i dont know what to tell you there
you can always just wait until it breaks and fix it when it comes up
and ip end they never change ip
thats what you needed to add to acl too
oh so it did change
i think youll be fine
thats my default gateway
if it ever breaks, find the new ip (plex showed it on that network adapter dropdown), run tailscale set --advertise-routes=192.168.50.156/32 but with the new ip (instead of 156 itll be smth else), update the acl and the ip in plex apps and youre fine again
but itll probably be fine
you can also try setting a static ip in windows but depends whether your router accepts that
k i saved that msg to a note pad lol 😛
i personally wouldnt worry for now
if you can set static then do it
but like i said earlier im very very green to anything network
but well
as long as its the private ip thats static, it doesnt
this is very confusing territory because static public ip is a different but similarly named thing youll run into
yeah id have no clue how to set it up without downing my internet lol
its not a tailscale thing really, and i have no experience with asus routers, so i cant help with step by step instructions there
like least i could do is ss the static ip section...
you could and i might be able to identity the right button
but i dont know how it all works for asus beyond that
if i can find where that static section is again
maybe its this https://www.asus.com/uk/support/faq/1000906/
this page says go to LAN > DHCP Server, enable this and then set the static values there
oh cool
so
wait, thats the wrong tab
go to DHCP Server, not route
you dont want to touch static routes, you might seriously break your network
welcome to networking btw, where we have multiple things with similar names that are completely different
lol so im learning...
okay so
firstly, do not touch anything under basic config or dns and wins server settings
under Manual assignment, set "Enable Manual Assignment" to "yes"
then check the dropdown under Client Name and see if your pc shows up
yup
select it from the list
k
so its now listed there alongside the others?
yup
i dunno why the others are there to begin with ...
i dont remember setting statics to them lol
i guess someone set them at some point
or maybe asus decided they need to be static for some reason
woulda been me ... probably "LEARNING"
lol
yeah or they were default
i dont remember doing it
it doesnt really matter anyway
setting devices with static local ips doesnt cause any harm
i appreciate this was more complicated than your last setup, but you should be good now. i think the tailscale ip not working may have been related to plex trying to force you down their path of remote access, which you successfully bypass using this static ip and subnet route
k so none of this should expose my network right?
nothing we covered in this thread would have, nope
yeah the only reason why i did this is i was originally using nords meshnet ... but apparently not enough users used it so they discontinuing it come december
so ive been desperatly trying to find an outlet
tried zerotier it sucked ass worked but lot of disconnect and slow
heard of cloudflare but they dont like streaming
ah yeah, we have seen a lot of people coming in from meshnet for the same reason
then tailscale came across my tik tok
and was like bro this is meshnet but more complicated but will work
then tiktok guy was like yeah you just install it and it auto picks up the service will just work
and then i ran down my rabbit hole
and here we are working
so thank you very much 😄
for most services its true that its automatic, but plex makes things intentionally difficult because they dont want you to do this
so now when i add say my tv i just connect to my tailscale and it should work
dont need to tag or do anything to it
just connect and it should work yeah
or my other user being my sister
other users should work too
wish google didnt bring me down the rabbit hole :/ lol
i dunno why i didnt just look up tailscale discord
this was honestly my last resort i tried hard to do it myself
lol
sadly a lot of stuff on google and other search engines these days is powered by AI tech which has trouble understanding nuances of specific products and can lead people down the wrong path
oh co pilot and chat gpt failed me lol
but now i think i understand the grants so dst "*" opens it up to all groups users
and then the second section
specifies what it was for
if you visit https://tailscale.com/kb theres an Ask AI button in the bottom right corner which is one we tuned specifically to give advice on using tailscale and is miles better than chatgpt or copilot
though if you ask me theres little replacement for humans when things get complicated, which is why this discord server exists
yeah we far out before software engineers get replaced
there will always be a bug or something
technology just hates me. my computer buddy that knows his stuff questions why i have the most random weird broken ass problems
he just gives up trying to help me now lol
i was beginning to question that at the start but then i took it as a challenge
he also hates windows now too so his thing is windows 11 rip go to linux
regardless if its building pc setting up os anything
if the most random thing that google has no answers for
it happens to me
and every time im alone struggling till i get it
very seldom i get help cause i dont know anyone really
i get told google is your friend lol
like i made a dual boot kali linux and EVERY single time i messed it up or got lost id restart from scratch
till i got it
google is your friend until its not
and every SINGLE TIME it was different
followed every step command ect
and somewhere within it it would act different
even the os install page would do different things
lol
i gave up with kali when i couldnt use my mic ... cause linux doesnt support dual mic plexing or whatever for my old soundcard
i spent about 2 weeks trying to get the mic to work ! lol
then i figured kali is hardcore rolling and why it was different every time
and i got tired of re setting it up
i do want a dualboot linux of somesort
less bloat faster os looks nice n clean
plus has all the tools to learn from
i plan to go to school for something in IT but i question that decision with how random and bad my luck is
which one works best depends on your specific hardware, but theres no guide that says if you have this then install that, so it mostly becomes a game of trying them until something works
and the only people i know are people in their 50s plus who couldnt find the X to close an internet browser
and i get reallly impatient trying to help
id hate to do it daily
no if you seen some of the questions and help .... from family / family friends
oof
over the phone at that
one was hotmail.com, their inbox > was closed
i spent 2 hours trying to explain where the >
was to open it
until i figured it was easier to get them to download anydesk
and do it for them
was just joking because i help people use tailscale for a living lol
that sounds annoying
see i do enjoy helping people
but there is a limit to patience lol
its different when you can remote or have the device infront of you
or atleast a person who can do basic navigation
even sharing screenshots is miles better than a phone call
yes
but moms bf sadly doesnt even know how to send an email or take a photo and send a photo over text or facebook
hhaha
wild
everything for the most part of what i know i trialed and errored like a mofo and relied on google
lol
i mean, doing that for 10+ years is how i got where i am
its real annoying but it works
well ive been doing it since i was 8
i wanted to learn cyber security because back when i was 8 people used to hack my accounts
and steal my LOOT
how i met my computer guy
cause he was a scammer on d2:P
and then blizzard turned into like cyber warfare for clan battles
taking over websites stealing accounts stealing cdkeys proxy flooding channels
ect ect
so started with google whats a proxy
google was xxs
ect ect
LOL
and whats funny is if you google any of that that was happening on blizzard across sc d2 and wc3
it didnt exist
the only thing that exists now is stealthbot on github
in 2015 they scrubbed the internet
none of that shit ever happened apparently
i learnt about prorat when i was like 10 lol
god internet was excessivly free in the 90s early 200s
2000s**
then after wrapping my head around basic concepts i got to a point where without guidance, sandboxes or community i physically couldnt learn anything
so i just gamed and things just worked
so i never dived much into things
hmm phone now says server is offline... ?
but it works from pc?
yes
does it work from the phones browser