
Pinging devices using subnet routing on Apple TV does not work #10393

Closed
stevetrease opened this issue Nov 27, 2023 · 11 comments · Fixed by #12048
Labels: bug, needs-triage, OS-tvOS (Issues concerning Apple's tvOS)

Comments

stevetrease commented Nov 27, 2023

What is the issue?

I cannot get the new tvOS Test Flight subnet router option to work.

Having configured a subnet router in the tvOS app, I try to ping a device on the subnet from a device connected to the tailnet (which does not have access to the subnet or device). I get no ping response. Using a Synology as a subnet router works.

Subnet is 192.168.1.0/24.
Target device is 192.168.1.1.

nas2 - Synology running DSM 7.2-64570 Update 3 and Tailscale 1.54.0. Has IPv4 address on subnet.
bedroom - Apple TV running tvOS 17.2 and Tailscale 1.55.67. Has IPv4 address on subnet.
droplet-2 - a Digital Ocean Ubuntu VM running Tailscale 1.54.0. Does not have access to subnet.

Steps to reproduce

1. Disable subnet routing of the subnet on the Apple TV. Enable it on the Synology (both using 'edit route settings' on the Tailscale admin portal for the tailnet).
2. Log on to the Digital Ocean VM and ping 192.168.1.1. Get response.
3. Disable subnet routing on the Synology. Enable it on the Apple TV.
4. Ping 192.168.1.1 from the DO VM. Get no response.
BUG-0f48b278de4c4bdb69455a9c9c2e105bade5d3c6f2ca422c07c5e228a5d94ea9-20231127203608Z-3c980f9b9bb9a865

Are there any recent changes that introduced the issue?

No.

OS

Linux, Synology, Other

OS version

DSM 7.2-64570 Update 3, tvOS 17.2. Detailed further above.

Tailscale version

1.54.0 and 1.55.67

Other software

Let me know if you need more information to help troubleshoot. Hopefully I am just doing something silly. :-)

I have no Tailscale ACL config to allow the subnet routing, but since it works on the Synology, I don't think I do.

Synology, AppleTV and Digital Ocean VM are all set with the same page (tag: service).

Bug report

BUG-0f48b278de4c4bdb69455a9c9c2e105bade5d3c6f2ca422c07c5e228a5d94ea9-20231127203608Z-3c980f9b9bb9a865

agottardo (Contributor) commented

Does this affect all traffic, or only pings? Are you able to route traffic to devices other than 192.168.1.1?

agottardo added the OS-tvOS label Nov 27, 2023

stevetrease (Author) commented Nov 27, 2023

Interesting. Ping doesn't work via the AppleTV to two different devices on the LAN but does with routes enabled on only the Synology.

I've just tried curl and can get a webpage via both the Synology and the AppleTV from the 192.168.1.1 device.
I can also SSH into another device on the LAN via both Synology and AppleTV.

So it seems to be ping (ICMP?) not being passed via the AppleTV when it is passed via the Synology.

agottardo (Contributor) commented

Okay, this matches what I am seeing. Relaying pings appears to be broken on tvOS due to a sandboxing issue. I'll report back once I have more details to share.

agottardo changed the title from "Subnet routing on AppleTV Test Flight app does not work" to "Pinging devices using subnet routing on Apple TV does not work" Nov 27, 2023

tysecure commented

I can confirm this. You can connect to the device but you can't ping it. I hope this gets addressed.

pti-cjones commented

@agottardo just wondering if there is any insight as to why both TCP/UDP work but not ICMP with the sandboxing? I'm stoked to have a subnet router on a small and powerful device like the Apple TV, but not having ICMP breaks my monitoring.

With that said, thank you for the work you have put into making this happen on the Apple TV.

agottardo (Contributor) commented Feb 28, 2024

> @agottardo just wondering if there is any insight as to why both TCP/UDP work but not ICMP with the sandboxing? I'm stoked to have a subnet router on a small and powerful device like the Apple TV, but not having ICMP breaks my monitoring.
>
> With that said, thank you for the work you have put into making this happen on the Apple TV.

Sure, check out the comment for the userPing function here:

// userPing tried to ping dstIP and if it succeeds, injects pingResPkt
// into the tundev.
//
// It's used in userspace/netstack mode when we don't have kernel
// support or raw socket access. As such, this does the dumbest thing
// that can work: runs the ping command. It's not super efficient, so
// it bounds the number of pings going on at once. The idea is that
// people only use ping occasionally to see if their internet's working
// so this doesn't need to be great.
//
// TODO(bradfitz): when we're running on Windows as the system user, use
// raw socket APIs instead of ping child processes.
func (ns *Impl) userPing(dstIP netip.Addr, pingResPkt []byte) {

To route pings, that code currently attempts to run the ping command in the CLI, but the sandbox on iOS/tvOS prevents that. We should be able to send ICMP traffic directly there, I just haven't had the time to build it out.
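The difference between the two approaches is easy to see in code. The following is an added example and not code from the Tailscale repository or from the PR that closed this issue: a minimal userspace pinger that builds an ICMPv4 echo request itself (RFC 792 header, RFC 1071 checksum), sends it over a raw ICMP socket, and matches the reply by identifier and sequence number. Nothing here is spawned as a child process, which is exactly what a sandbox that forbids `exec` cares about. The `Ping` function uses `net.Dial("ip4:icmp", ...)`, which requires raw-socket privilege (root or CAP_NET_RAW on Linux); whether any particular socket type is permitted inside an Apple network extension is not something this example claims. The payload string and the identifier derived from the PID are arbitrary choices.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"os"
	"time"
)

// ICMPv4 message types (RFC 792).
const (
	icmpEchoReply   = 0
	icmpEchoRequest = 8
)

// checksum computes the RFC 1071 one's-complement checksum over b.
// Verifying a received message is the same computation: a valid
// message sums to zero when its checksum field is included.
func checksum(b []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(b[i])<<8 | uint32(b[i+1])
	}
	if len(b)%2 == 1 {
		sum += uint32(b[len(b)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	return ^uint16(sum)
}

// buildEcho returns a wire-format ICMPv4 echo message:
// type(1) code(1) checksum(2) id(2) seq(2) payload.
func buildEcho(typ byte, id, seq uint16, payload []byte) []byte {
	msg := make([]byte, 8+len(payload))
	msg[0] = typ
	msg[1] = 0 // code is always 0 for echo
	binary.BigEndian.PutUint16(msg[4:6], id)
	binary.BigEndian.PutUint16(msg[6:8], seq)
	copy(msg[8:], payload)
	binary.BigEndian.PutUint16(msg[2:4], checksum(msg)) // field was zero during the sum
	return msg
}

// BuildEchoRequest is what a userspace router would inject toward the LAN host.
func BuildEchoRequest(id, seq uint16, payload []byte) []byte {
	return buildEcho(icmpEchoRequest, id, seq, payload)
}

// BuildEchoReply is the answer a host sends back; used here to simulate one offline.
func BuildEchoReply(id, seq uint16, payload []byte) []byte {
	return buildEcho(icmpEchoReply, id, seq, payload)
}

// ParseEchoReply validates an ICMPv4 echo reply against the id/seq we sent and
// returns its payload. It accepts the message with or without a leading IPv4
// header, because raw sockets on some platforms deliver the header and others
// strip it. (An ICMP type byte in the 0x40..0x4f range would be misread as a
// header; no such echo type exists, so that is acceptable for this example.)
func ParseEchoReply(b []byte, wantID, wantSeq uint16) ([]byte, error) {
	if len(b) >= 20 && b[0]>>4 == 4 {
		ihl := int(b[0]&0x0f) * 4
		if ihl < 20 || len(b) < ihl {
			return nil, errors.New("bad IPv4 header length")
		}
		b = b[ihl:]
	}
	if len(b) < 8 {
		return nil, errors.New("short ICMP message")
	}
	if b[0] != icmpEchoReply || b[1] != 0 {
		return nil, fmt.Errorf("not an echo reply: type=%d code=%d", b[0], b[1])
	}
	if checksum(b) != 0 {
		return nil, errors.New("bad ICMP checksum")
	}
	if id := binary.BigEndian.Uint16(b[4:6]); id != wantID {
		return nil, fmt.Errorf("id mismatch: got %d want %d", id, wantID)
	}
	if seq := binary.BigEndian.Uint16(b[6:8]); seq != wantSeq {
		return nil, fmt.Errorf("seq mismatch: got %d want %d", seq, wantSeq)
	}
	return b[8:], nil
}

// Ping sends one echo request over a raw ICMP socket and waits for the matching
// reply. No child process is involved; the trade-off is that the raw socket
// itself needs privilege (root / CAP_NET_RAW on Linux).
func Ping(dst string, timeout time.Duration) (time.Duration, error) {
	conn, err := net.Dial("ip4:icmp", dst)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	id := uint16(os.Getpid() & 0xffff) // arbitrary demultiplexing key
	const seq = 1
	req := BuildEchoRequest(id, seq, []byte("userping-example"))
	start := time.Now()
	if _, err := conn.Write(req); err != nil {
		return 0, err
	}
	_ = conn.SetReadDeadline(start.Add(timeout))
	buf := make([]byte, 1500)
	for {
		n, err := conn.Read(buf)
		if err != nil {
			return 0, err // includes the deadline expiring with no matching reply
		}
		if _, err := ParseEchoReply(buf[:n], id, seq); err == nil {
			return time.Since(start), nil
		}
		// Some other process's reply, or a stale seq: keep waiting.
	}
}

func main() {
	dst := "127.0.0.1"
	if len(os.Args) > 1 {
		dst = os.Args[1]
	}
	rtt, err := Ping(dst, 2*time.Second)
	if err != nil {
		fmt.Fprintln(os.Stderr, "ping failed:", err)
		os.Exit(1)
	}
	fmt.Printf("reply from %s in %v\n", dst, rtt)
}
```

Run it as `sudo go run main.go 192.168.1.1` from a host that can reach the target. The point for a subnet router is the loop in `Ping`: because the raw socket sees every ICMP reply arriving at the host, the id/seq check is what keeps a relayed reply from being attributed to the wrong tailnet client, and it is also why `userPing` bounds how many pings it relays at once.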

agottardo self-assigned this Feb 28, 2024

tysecure commented Mar 7, 2024

You CAN use the AppleTV as a subnet router but you can't PING any of the devices. This threw me off at first as well. If you enter the local IP for your device, you can connect to it successfully.

openclosure commented Apr 24, 2024

This threw me for a loop as well. An easy check for me was:

  • iPhone, MacBook, Apple TV all on tailnet. Apple TV configured to advertise subnet routes.
  • Disconnect iPhone from Wifi, attempt to ping (using fing) MacBook via tailnet IP (Success)
  • Attempt to ping MacBook via local network IP (Fail)
  • Run python3 -m http.server 8000 on MacBook, now navigate to http://<local_ip>:8000 on iPhone. Success!

Not really a big deal but spent 30 minutes in confusion on why ping wasn't working.

agottardo added a commit that referenced this issue May 7, 2024
Fixes #10393

On Apple platforms, exit nodes and subnet routers have been unable to relay pings from Tailscale devices to non-Tailscale devices due to sandbox restrictions imposed on our network extensions by Apple. The sandbox prevented the code in netstack.go from spawning the `ping` process which we were using.

Replace that exec call with logic to send an ICMP echo request directly, which appears to work in userspace, and not trigger a sandbox violation in the syslog.
agottardo linked a pull request May 7, 2024 that will close this issue
agottardo added a commit that referenced this issue May 7, 2024
Fixes #10393
Fixes tailscale/corp#15412
Fixes tailscale/corp#19808

On Apple platforms, exit nodes and subnet routers have been unable to relay pings from Tailscale devices to non-Tailscale devices due to sandbox restrictions imposed on our network extensions by Apple. The sandbox prevented the code in netstack.go from spawning the `ping` process which we were using.

Replace that exec call with logic to send an ICMP echo request directly, which appears to work in userspace, and not trigger a sandbox violation in the syslog.

Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
agottardo (Contributor) commented

This should land in the 1.68 update (and sooner on TestFlight).

labrnth commented May 16, 2024

Amazing thank you

Mmx233 pushed a commit to MultiMx/tailscale that referenced this issue May 20, 2024