# Packets go in but can't go out I had the following setup: ``` My machine --------> Pi tailscale0: 100.74.203.69 tailscale0: 100.121.173.5 eth0: 172.31.0.105 ``` And when running `netcat` on the Pi, I could not have a TCP connection from my machine: ```shell # From my machine: ssh pi@172.31.0.105 sudo apt install netcat -y ssh pi@172.31.0.105 nc -l 0.0.0.0 8080 # From my machine, on another shell session: curl -v 100.121.173.5:8080 # ❌ curl -v 172.31.0.105:8080 # ✅ ``` So I used tcpdump to see which part of the TCP connection fails, and whether it is an iptables problem or `ip route` problem: ```shell ssh pi@172.31.0.105 sudo tcpdump -i any -U -w - | wireshark -k -i - ``` Sure enough, it seems like packets are able to flow in, but not flow out:  There seems like traffic meant for 100.74.203.69 gets stuck. The Wireshark screenshot does not give any clue to which interface packets are sent to. I used tcpdump directly instead of displaying the traffic with Wireshark: ```console $ ssh pi@172.31.0.105 sudo tcpdump -i any 'port 8080' tcpdump: data link type LINUX_SLL2 tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes 13:00:15.033067 tailscale0 In IP 100.74.203.69.46736 > 100.121.173.5.http-alt: Flags [S], seq 3228564145, win 64480, options [mss 1240,sackOK,TS val 4225309330 ecr 0,nop,wscale 7], length 0 13:00:15.033265 eth0 Out IP 100.121.173.5.http-alt > 100.74.203.69.46736: Flags [S.], seq 291990522, ack 3228564146, win 65160, options [mss 1460,sackOK,TS val 2184388771 ecr 4225309330,nop,wscale 7], length 0 13:00:16.032449 tailscale0 In IP 100.74.203.69.46736 > 100.121.173.5.http-alt: Flags [S], seq 3228564145, win 64480, options [mss 1240,sackOK,TS val 4225310340 ecr 0,nop,wscale 7], length 0 13:00:16.032543 eth0 Out IP 100.121.173.5.http-alt > 100.74.203.69.46736: Flags [S.], seq 291990522, ack 3228564146, win 65160, options [mss 1460,sackOK,TS val 2184389770 ecr 4225309330,nop,wscale 7], length 0 13:00:17.062280 eth0 Out IP 100.121.173.5.http-alt > 100.74.203.69.46736: Flags [S.], seq 291990522, ack 3228564146, win 65160, options [mss 1460,sackOK,TS val 2184390800 ecr 4225309330,nop,wscale 7], length 0 13:00:18.048294 tailscale0 In IP 100.74.203.69.46736 > 100.121.173.5.http-alt: Flags [S], seq 3228564145, win 64480, options [mss 1240,sackOK,TS val 4225312356 ecr 0,nop,wscale 7], length 0 13:00:18.048434 eth0 Out IP 100.121.173.5.http-alt > 100.74.203.69.46736: Flags [S.], seq 291990522, ack 3228564146, win 65160, options [mss 1460,sackOK,TS val 2184391786 ecr 4225309330,nop,wscale 7], length 0 13:00:20.074308 eth0 Out IP 100.121.173.5.http-alt > 100.74.203.69.46736: Flags [S.], seq 291990522, ack 3228564146, win 65160, options [mss 1460,sackOK,TS val 2184393812 ecr 4225309330,nop,wscale 7], length 0 ``` This time, we learn that the Pi tries to send the packets meant for 100.121.173.5 to eth0: ``` eth0 Out IP 100.121.173.5.http-alt > 100.74.203.69.46736: Flags [S.], seq 291990522, ack 3228564146, win 65160, options [mss 1460,sackOK,TS val 2184391786 ecr 4225309330,nop,wscale 7], length 0 ``` Maybe the problem comes from one the routing tables: ```console $ ssh pi@172.31.0.105 ip route show table all default via 172.31.7.254 dev eth0 proto dhcp src 172.31.0.105 metric 202 default via 172.31.7.254 dev wlan0 proto dhcp src 172.31.0.21 metric 303 169.254.0.0/16 dev vethbef6ee7 scope link src 169.254.198.30 metric 209 169.254.0.0/16 dev vethd75b55b scope link src 169.254.77.164 metric 211 172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 172.18.0.0/16 dev br-35de615f5076 proto kernel scope link src 172.18.0.1 linkdown 172.19.0.0/16 dev br-4c926d52d247 proto kernel scope link src 172.19.0.1 172.31.0.0/21 dev eth0 proto dhcp scope link src 172.31.0.105 metric 202 172.31.0.0/21 dev wlan0 proto dhcp scope link src 172.31.0.21 metric 303 local 100.121.173.5 dev tailscale0 table local proto kernel scope host src 100.121.173.5 local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 local 169.254.77.164 dev vethd75b55b table local proto kernel scope host src 169.254.77.164 local 169.254.198.30 dev vethbef6ee7 table local proto kernel scope host src 169.254.198.30 broadcast 169.254.255.255 dev vethbef6ee7 table local proto kernel scope link src 169.254.198.30 broadcast 169.254.255.255 dev vethd75b55b table local proto kernel scope link src 169.254.77.164 local 172.17.0.1 dev docker0 table local proto kernel scope host src 172.17.0.1 broadcast 172.17.255.255 dev docker0 table local proto kernel scope link src 172.17.0.1 linkdown local 172.18.0.1 dev br-35de615f5076 table local proto kernel scope host src 172.18.0.1 broadcast 172.18.255.255 dev br-35de615f5076 table local proto kernel scope link src 172.18.0.1 linkdown local 172.19.0.1 dev br-4c926d52d247 table local proto kernel scope host src 172.19.0.1 broadcast 172.19.255.255 dev br-4c926d52d247 table local proto kernel scope link src 172.19.0.1 local 172.31.0.21 dev wlan0 table local proto kernel scope host src 172.31.0.21 local 172.31.0.105 dev eth0 table local proto kernel scope host src 172.31.0.105 broadcast 172.31.7.255 dev eth0 table local proto kernel scope link src 172.31.0.105 broadcast 172.31.7.255 dev wlan0 table local proto kernel scope link src 172.31.0.21 fd7a:115c:a1e0::/48 dev tailscale0 table 52 metric 1024 pref medium ::1 dev lo proto kernel metric 256 pref medium fc00:f853:ccd:e793::/64 dev br-35de615f5076 proto kernel metric 256 linkdown pref medium fd7a:115c:a1e0:ab12:4843:cd96:6279:ad05 dev tailscale0 proto kernel metric 256 pref medium fe80::/64 dev tailscale0 proto kernel metric 256 pref medium fe80::/64 dev eth0 proto kernel metric 256 pref medium fe80::/64 dev wlan0 proto kernel metric 256 pref medium fe80::/64 dev br-35de615f5076 proto kernel metric 256 linkdown pref medium fe80::/64 dev br-4c926d52d247 proto kernel metric 256 pref medium fe80::/64 dev vethd75b55b proto kernel metric 256 pref medium fe80::/64 dev vethbef6ee7 proto kernel metric 256 pref medium local ::1 dev lo table local proto kernel metric 0 pref medium local fd7a:115c:a1e0:ab12:4843:cd96:6279:ad05 dev tailscale0 table local proto kernel metric 0 pref medium anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium anycast fe80:: dev tailscale0 table local proto kernel metric 0 pref medium anycast fe80:: dev br-4c926d52d247 table local proto kernel metric 0 pref medium anycast fe80:: dev vethbef6ee7 table local proto kernel metric 0 pref medium anycast fe80:: dev vethd75b55b table local proto kernel metric 0 pref medium local fe80::42:bcff:febf:b527 dev br-4c926d52d247 table local proto kernel metric 0 pref medium local fe80::6a2:a30b:ba2f:7820 dev eth0 table local proto kernel metric 0 pref medium local fe80::379b:bf1e:df72:d746 dev tailscale0 table local proto kernel metric 0 pref medium local fe80::58b1:37ff:fef2:a392 dev vethd75b55b table local proto kernel metric 0 pref medium local fe80::68d7:d9cb:97c0:6738 dev wlan0 table local proto kernel metric 0 pref medium local fe80::c6bf:22c2:83a6:7227 dev vethd75b55b table local proto kernel metric 0 pref medium local fe80::cb7e:ec65:516c:2e2a dev vethbef6ee7 table local proto kernel metric 0 pref medium local fe80::e830:c7ff:fe9b:df08 dev vethbef6ee7 table local proto kernel metric 0 pref medium multicast ff00::/8 dev tailscale0 table local proto kernel metric 256 pref medium multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium multicast ff00::/8 dev wlan0 table local proto kernel metric 256 pref medium multicast ff00::/8 dev br-4c926d52d247 table local proto kernel metric 256 pref medium multicast ff00::/8 dev vethd75b55b table local proto kernel metric 256 pref medium multicast ff00::/8 dev vethbef6ee7 table local proto kernel metric 256 pref medium ``` We can see in this table that there is no gateway route for `100.*`, meaning that the tailscale packets end up being sent to eth0 instead of tailscale0. Looking at Tailscale's [troubleshooting guide](https://tailscale.com/kb/1023/troubleshooting/), they seem to be using the table 52, which wasn't showing up to now. I decided to re-start tailscale: ```shell ssh pi@172.31.0.105 sudo tailscale down ssh pi@172.31.0.105 sudo tailscale up ``` And the table 52 showed up: ```console $ ssh pi@172.31.0.105 ip route show table 52 100.70.50.97 dev tailscale0 100.74.203.69 dev tailscale0 100.100.100.100 dev tailscale0 100.107.209.94 dev tailscale0 ``` And this time, `curl 172.31.0.105:8080` started working!