
I installed Tailscale on three devices: my Android phone, my Synology NAS and my Windows notebook.

I can access my NAS with nas.local or just nas (when I'm connected via Tailscale).

My goal is to be able to use the same hostname or local IP (192.168.20.1) for my Synology NAS whether I'm connected to Tailscale or not.

For that purpose I configured Synology as a DNS server so my NAS would resolve the local IP (192.168.20.1) to nas.home.lan. At first I tried to add a subnet router to my NAS, so I could use this DNS when connected to Tailscale. Unfortunately, this didn't work.

So I took a step back and wanted to get the subnet routing to work first (leaving DNS out).

For that purpose I removed subnet routing from my NAS, and tried to use my Windows Notebook as a subnet router.

Here's what I tried; my Windows notebook's firewall is off:

  1. Ran tailscale up --advertise-routes 192.168.20.0/24 on my notebook; I also tried adding --reset.
  2. Confirmed the subnet in the Tailscale admin console.
  3. I use the default ACLs which allow all traffic.
  4. Disabled WiFi on my phone so I only use mobile data.
  5. Connect Tailscale.
  6. Tried to ping 192.168.20.1 from my phone with ping tools.
  7. Tried to open 192.168.20.1:4444 in my phone's browser.

Steps 6 and 7 were unsuccessful.

Executing steps 6 and 7 with the NAS' Tailscale IP was successful.

I then tried to share my Wi-Fi in Tailscale network adapter:


This also didn't work.

In my notebook's Tailscale preferences all options besides run unattended are checked.

Am I misunderstanding something fundamental about Tailscale's subnet routing?

Or do you have an idea what might be wrong?

Giacomo1968
Arikael

1 Answer


TL;DR for my problem

On your phone (Android), open Tailscale and enable Tailscale subnets (Settings -> Subnet routes -> Use Tailscale subnets).

Details

Here are the steps which were necessary to be able to use the same FQDNs whether I'm connected via Tailscale or not. Let's assume the NAS is called nas with the IP 192.168.20.1.

By default you can reach it via nas.local in your LAN and nas or nas.YOUR_TAILSCALE_DOMAIN when connected via Tailscale.
While this might be all you wanted, it's quite annoying when you don't want to be connected to Tailscale all the time.

So here are all the steps necessary (for my setup, which consists of a Synology with DSM 7 and a Zyxel NBG6617 router which does DHCP, plus other client devices).

  1. Add the DNS package to Synology.
  2. Create a primary zone with your desired domain (I used lan). Note that you should not use .local as your custom local domain; I also wouldn't use any other TLD which might exist globally.
  3. For this zone, create an A record with the desired name (e.g. nas) which points to its own address, 192.168.20.1.
  4. You might want to enable the resolution service, so DNS queries your NAS can't resolve (e.g. everything outside the LAN) are forwarded to a DNS server which can (e.g. 1.1.1.1, 8.8.8.8).
  5. You can limit zone transfers, source IPs etc. for this zone to your subnets (i.e. your LAN and Tailscale's subnet, which is 100.64.0.0/10).
  6. Test the DNS locally by changing the DNS configuration of a single client device so it points to 192.168.20.1, and accessing nas.lan:YOUR_PORT via browser.
  7. If needed/wanted, change the DNS configuration of your DHCP server so it provides 192.168.20.1.
    Be careful here, not all devices will work the same (looking at you, PS5).
    So test all devices and execute this step when nobody needs working DNS ;)
  8. Follow these steps to install Tailscale on your NAS.
  9. In your Tailscale configuration on your NAS, add a subnet router with the desired subnet (e.g. 192.168.20.0/24 for the whole subnet or, like I did, 192.168.20.1/32 because I only need access to my NAS, although with 32, 192.168.20.2 will also be available).
    Here are the detailed steps to enable a subnet router.
  10. On your phone, open Tailscale and enable Tailscale subnets (Settings -> Subnet routes -> Use Tailscale subnets). This was the step which was the problem for this question!
  11. Access your NAS by your local IP and check if it works.
  12. To be able to use nas.lan you need to configure Tailscale's DNS in the admin console.
    Add your DNS server 192.168.20.1 (under DNS -> Nameserver), enable restrict to domain/split DNS, and enter lan.

You should now be able to access your NAS by using nas.local.
Note that pinging your NAS might not work, this is a known issue.

From https://tailscale.com/kb/1131/synology#limitations--known-issues

Tailscale uses hybrid networking mode on Synology, which means that if you share subnets, they will be reachable over UDP and TCP, but not necessarily pingable.

Arikael