Tailscale Subnet Routing

Last Updated: 2025-12-26
Status: Production
Source: Network audit and device inventory

Overview

Subnet routing allows Tailscale devices to access local network subnets through the Tailscale mesh network. This enables secure access to local services without exposing them to the public internet.

Approved Routes

Subnet	Advertised By	Device IP	Status	Purpose
`192.168.8.0/24`	gl-be3600	100.116.110.123	Approved	Bluefly-Agents network
`192.168.138.0/23`	thomass-macbook-pro	100.108.129.7	Approved	Mac M4 local network
`192.0.2.0/24`	thomass-macbook-pro-2	100.108.180.36	Approved	TEST-NET (should be removed)
`198.51.100.0/24`	thomass-macbook-pro-2	100.108.180.36	Approved	TEST-NET (should be removed)

Unapproved Routes

Subnet	Advertised By	Device IP	Status	Action Required
`192.168.138.0/23`	thomass-macbook-pro-2	100.108.180.36	Unapproved	Approve in Tailscale admin or remove advertisement

Current Issues

Issue 1: Unapproved Subnet Route

Device: thomass-macbook-pro-2 (100.108.180.36)
Route: 192.168.138.0/23
Impact: Route is advertised but not approved in Tailscale admin
Action Required:
- Option A: Approve route in Tailscale admin console
- Option B: Remove route advertisement from Mac M3

Issue 2: Test-NET Routes in Production

Device: thomass-macbook-pro-2 (100.108.180.36)
Routes: 192.0.2.0/24, 198.51.100.0/24
Impact: These are TEST-NET addresses (RFC 5737) and should not be used in production
Action Required: Remove if not needed

Router Subnet Routing Configuration

GL-BE3600 Router

Subnet: 192.168.8.0/24 (Bluefly-Agents network)
Status: Approved and active
Purpose: Provides access to agent infrastructure network
Configuration:
- Router advertises subnet to Tailscale network
- Subnet routing enabled on router
- Accessible via Tailscale mesh

How Subnet Routing Works

Device on Tailscale Network
  
Tailscale Mesh (WireGuard)
  
Subnet Router (gl-be3600)
  
Local Network (192.168.8.0/24)
  
Local Services

Key Properties:

No public exposure
Encrypted via WireGuard
Identity-based access control
Works from anywhere on Tailscale network

Best Practices

Minimize Routes: Only advertise necessary subnets
Approve Routes: All routes must be approved in Tailscale admin
Remove Test Routes: Never use TEST-NET addresses in production
Tag Devices: Use tags for access control
Monitor Routes: Regularly audit advertised routes

Tailscale Configuration - Configuration details
Tailscale Devices - Device inventory
Tailscale ACL Policy - Access control
Network Overview - Complete network architecture
Network Inventory - Complete inventory

Tailscale Subnet Routing

Tailscale Subnet Routing

Overview

Approved Routes

Unapproved Routes

Current Issues

Issue 1: Unapproved Subnet Route

Issue 2: Test-NET Routes in Production

Router Subnet Routing Configuration

GL-BE3600 Router

How Subnet Routing Works

Best Practices

Related Documentation