I have two separate networks (that I would like to keep separate) connected via hardwire to a Raspberry Pi 4 running Raspbian.

Network A (on eth0) is a managed, enterprise network at my university with an IT team that is often extremely slow to respond. Network A is providing the internet connection to the RPi.

Network B (on eth1) is a totally separate network connected to our managed switch. It consists of various sensors and controllers for our research lab. Since there is no router (nor DHCP server) this is all in the 169.254.0.0/16 subnet.

Ideally, I'd like to "bridge" this network with my Tailnet so that I can just log in to Tailscale on one of the lab computers on Wi-Fi (technically on Network A) and access all the devices on Network B's 169.254.0.0/16 subnet.

The end goal of this is to have a network that's isolated from Network A while still allowing easy access to Network B. Do we just need a router to properly route some 802.1q VLANs?

I've tried so many different guides from Tailscale and others online and cannot for the life of me figure this out. I think one of the problems is that Tailscale and the sensors are on different network interfaces. I've tried to make a bridge interface (via nmtui) but I don't totally understand how to do it without just connecting the two networks. I've tried to set up some ip routes on the RPi but don't totally understand how to do it.

1 Answer

> I've tried to make a bridge interface

You don't want a bridge interface; and more importantly, Tailscale is a L3 VPN (i.e. it transports IP packets, not Ethernet interfaces), so it can't be bridged to anything else anyway – it can only be routed, at IP level.

> Since there is no router (nor DHCP server) this is all in the 169.254.0.0/16 subnet.

The 169.254.0.0/16 "link-local" address range is meant to be non-routable. Though Linux can route it (treating it like any other unicast address), other operating systems might have special treatment.

Since you now do have a router connected to Network B – the RPi is going to be your router – I would strongly recommend setting up a DHCP server so that the network could use a more regular address range. (Start with dnsmasq but make very sure it has interfaces = eth1 so that it won't advertise DHCP service to Network A by accident.)

> I've tried to set up some ip routes on the RPi but don't totally understand how to do it.

The RPi doesn't need any additional routes for itself. It already is directly connected to both networks, so it automatically has "local" routes for both the Tailnet and Network B.

Instead, those networks need routes to each other 'via' the RPi.

  • On the Tailscale side, you'll need to make the RPi advertise itself as a subnet router for Network B's address range; Tailscale will deploy that route to all your other VPN devices using its own mechanisms.

  • On the Network B side, your devices likewise need a route through the RPi; either for the tailnet IP range specifically, or a default route for everything. The network's DHCP server is usually what deploys such routes to devices. It might be simplest (and guaranteed to work) to have the DHCP server announce that the RPi is the "default gateway" and then use the RPi's firewall to prevent Network B from accessing Network A.

(DHCP can also deploy more-specific routes via option 121, but devices are not guaranteed to recognize that.)

grawity
  • 501,077
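The setup the answer describes, as an added example that is not part of the original post: a dnsmasq config bound to eth1 only (the dnsmasq option is spelled `interface=`), an nftables forward policy that lets Network B and the tailnet reach each other but drops eth1 -> eth0 so the lab stays isolated from the university network, and the `tailscale up` command that advertises the lab subnet. It assumes Network B has been renumbered to 10.42.0.0/24 with the RPi at 10.42.0.1 (constructed values) and that Tailscale's interface is `tailscale0`.

```shell
#!/bin/sh
# Added example, not from the original post: the RPi routes between Network B
# (eth1) and the tailnet (tailscale0) while nftables blocks eth1 -> eth0.
# Assumed values: Network B renumbered to 10.42.0.0/24 (constructed),
# RPi = 10.42.0.1 on eth1, Tailscale interface = tailscale0.
LAB_NET="10.42.0.0/24"
LAB_GW="10.42.0.1"
LAN_IF="eth1"
WAN_IF="eth0"
TS_IF="tailscale0"

# dnsmasq: DHCP only on eth1 (the option is "interface=", plus bind-interfaces
# so it never listens on eth0); clients get the RPi as their default gateway.
dnsmasq_conf() {
  cat <<EOF
interface=${LAN_IF}
bind-interfaces
dhcp-range=10.42.0.50,10.42.0.200,12h
dhcp-option=option:router,${LAB_GW}
EOF
}

# nftables forward policy: lab <-> tailnet allowed, lab -> university dropped,
# everything else dropped by default so Network B stays isolated from Network A.
nft_ruleset() {
  cat <<EOF
table inet labrouter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "${LAN_IF}" oifname "${WAN_IF}" drop
    iifname "${LAN_IF}" oifname "${TS_IF}" accept
    iifname "${TS_IF}" oifname "${LAN_IF}" accept
  }
}
EOF
}

# Advertise Network B as a subnet route; the route must then be approved in the Tailscale admin console.
tailscale_cmd() {
  printf 'tailscale up --advertise-routes=%s\n' "$LAB_NET"
}

# To apply on the RPi as root: dnsmasq_conf > /etc/dnsmasq.d/labrouter.conf,
# sysctl -w net.ipv4.ip_forward=1, nft_ruleset | nft -f -, then run the printed command.
dnsmasq_conf; nft_ruleset; tailscale_cmd
```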