Using Pi-hole to access a tailnet via a subnet router

I have a smart TV that I wish to connect to Tailscale. This television cannot install the Tailscale application. I hope to use a subnet router to give my entire network access to my Tailscale network.

This is what I have done so far:

I have a device with an IP of 192.168.254.68. On this device I have installed Pi-hole and Tailscale. Tailscale has been set up as a subnet router that advertises all IPs in the range 192.168.254.0/24, allowing devices in my tailnet to access this IP range.

Pi-hole has been set up as the DHCP server for my entire network. In misc.dnsmasq_lines I've set a static route directed at my subnet router:

dhcp-option=option:classless-static-route,0.0.0.0/0,192.168.254.254,100.64.0.0/10,192.168.254.68

192.168.254.254 being the IP of my network router, 100.64.0.0/10 being the range of addresses that Tailscale uses, and 192.168.254.68 being the IP of the device that is running Tailscale and, subsequently, the subnet router.

This setup is based off Tailscale's site-to-site documentation. The hope is that queries to any IP in the range 100.64.0.0/10 will be redirected to the subnet router, which will then send them to where they need to be in the Tailscale network, allowing devices without Tailscale installed to connect to my tailnet.

This did not work.

I'm at a loss here. Does anyone have any suggestions?

I'm in the process of doing at least something like what you sound like you want to do. I have mine working. If you are configuring subnet routers I'm imagining you must be wanting to route traffic for the TV to a different geographical location to avoid geoblocking? You do not need to be referencing the 100.64 addresses inside your tailnet with your static route, and don't need a static route for the TV. Just set the default gateway to the IP of your subnet router. Tailscale handles everything inside of the tailnet according to the Tailscale node settings and access controls (but you probably haven't changed those and by default they allow all traffic from all sources to all destinations).

What are you using for your subnet router and what are you trying to do with the TV that means you need to give it access to your tailnet? Have you an exit node you wish to use for it and the rest of your lan, somewhere else?

If not, you need not only a subnet router for your TV and LAN (which you also need to configure to use the exit node), you also need another device at your remote location that is configured to be an exit node to pipe your TV and other traffic for you to where you want to receive it from.

If you are using linux, don't forget to enable the IP forwarding.

For your TV and LAN subnet router, do something like:

sudo tailscale set --reset (to start again)

then:

tailscale set --advertise-routes=192.168.254.0/24 --exit-node=[Your exit node device Tailscale IP] --exit-node-allow-lan-access

Don't forget that last setting as you will lose access to the device from outside of your tailnet otherwise.

Your exit node Tailscale setup should be something like:

tailscale set --accept-routes --advertise-exit-node

You then need to authorise all of these routes and exit nodes through the admin console.

Then set the default gateway on your TV to be that of the regular (non-Tailscale) IP of your subnet router.

However, since you want to do video streaming, unless you have at least one real IP address at one end of the sites where your nodes are, then you will be sending all of your traffic through the shared Tailscale DERP servers. At certain times that may not be great. You would be better to also set up your own peer relay node on a (free Oracle) VPS somewhere, and if you are doing that, also put your Pi-hole on the VPS server too. Alex did a very good video on that including how to incorporate your Pi-hole seamlessly into MagicDNS.

If you keep an eye out, I will be posting about my setup in some detail soon. I use a pair of OpenWrt routers running Tailscale on a pair of Raspberry Pi 400s with a peer relay VPS in between (which also runs Pi-hole). I am behind CGNAT at both of my locations that I wish to connect. It works very well after ironing out the settings.

Sorry for not being more clear, I have a Jellyfin server connected to my tailnet that I seek to give the TV access to. I don't seek to pipe the connection over the tailnet to an exit node, I want to enable it to access a resource available on the tailnet itself.

Yes, being clearer would help. What Tailscale settings are you using for your Jellyfin and subnet router? What manual settings are you using for your TV Jellyfin client? Are other local devices already working with your Jellyfin server? Auto discovery doesn't work for Jellyfin (or anything) across subnets. You need to manually configure it. Have you done that?

Jellyfin is running in a Docker container that uses a separate Tailscale container for its connection. The TV Jellyfin client is attempting to connect to the IP of the Tailscale container using port 8096 but can't see it. The only Tailscale device that can be seen by local devices is the subnet router itself. For example, if I traceroute the Tailscale IP of the subnet router it connects to the subnet router without issue, even on a device that doesn't have Tailscale installed. However, if I try to connect to a Tailscale IP of a device that isn't my subnet router then it will successfully be redirected to the subnet router, but then not receive a response.

Are your Jellyfin and TV in geographically different places on different internet connections or are all of these devices in your home? It would help if you answered the question you were asked rather than something else that you think is relevant but isn't. Plus you have a Tailscale understanding issue, not Pi-hole. You should skip over to the Tailscale support groups and do more reading up on Tailscale and watch the YouTube videos. Good luck.

I am not sure what you are doing (I don't use Tailscale) but it looks like you are risking having two DHCP servers active on your network at the same time and that's just a horrible idea in general!!

The best thing to do is have a nice router that supports VLANs, and your switches and access points too, and put all devices that need to have their outgoing traffic going over a VPN in a separate VLAN to make sure there are no conflicts with other devices on your network.

Also the CG-NAT range 100.64.0.0/10 is something you (like the name suggests) want to use for NAT purposes and NOT give out via DHCP on your local network: both mobile and regular ISPs use it when they start to have an IPv4 shortage for WAN IP addressing.

Good luck!

Different internet connections, different places.

There's only one DHCP server active, and that is Pi-hole.

Fixed it! Didn't have --accept-routes enabled on any of the Tailscale node devices that I wanted to connect to. That's why I couldn't connect to anything. Now most of the devices in my network can access my tailnet. The smart TV still can't access the tailnet but I have suspicions that that is a separate issue involving Roku TVs ignoring DHCP option 121.

I've found pushing routes to clients via DHCP to be unreliable.

To start with, clients that do not request that option would never use it.
In addition, there are at least three different options for configuring client routes (33,121,249), each of which may or may not be requested by DHCP client software, and client implementation may even be lacking route support altogether.

If your goal is to route respective traffic from all clients to your Tailscale gateway (rather than adding routes to only some specific clients), then adding a static route for 100.64.0.0/10 to 192.168.254.68 in your gateway/router would seem more reliable.
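To make the two points above concrete (what the misc.dnsmasq_lines entry from the first post actually puts on the wire, and why a client that does not request option 121 gets no route from it), here is an added example that is not part of this thread: it parses that dnsmasq line, encodes it as the RFC 3442 option 121 payload, decodes it back, and does the longest-prefix lookup a client that honours the option would do. The function names are my own; the addresses are the ones from the thread.

```python
import ipaddress

# The dnsmasq setting posted in the thread; option:classless-static-route is DHCP option 121.
DNSMASQ_LINE = ("dhcp-option=option:classless-static-route,"
                "0.0.0.0/0,192.168.254.254,100.64.0.0/10,192.168.254.68")


def parse_dnsmasq_routes(line):
    """Turn the dnsmasq value into (destination network, next hop) pairs."""
    fields = line.split("=", 1)[1].split(",")
    if fields[0] != "option:classless-static-route":
        raise ValueError("not a classless-static-route option")
    pairs = fields[1:]
    if len(pairs) % 2:
        raise ValueError("destination without a router address")
    return [(ipaddress.ip_network(pairs[i]), ipaddress.ip_address(pairs[i + 1]))
            for i in range(0, len(pairs), 2)]


def encode_option121(routes):
    """RFC 3442 wire format: prefix length, only the significant subnet octets
    (ceil(prefixlen / 8) of them), then the full 4-byte router address."""
    out = bytearray()
    for net, router in routes:
        out.append(net.prefixlen)
        out += net.network_address.packed[:(net.prefixlen + 7) // 8]
        out += router.packed
    return bytes(out)


def decode_option121(payload):
    """Inverse of encode_option121; rejects a truncated payload."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        n = (plen + 7) // 8
        dest = bytes(payload[i + 1:i + 1 + n]).ljust(4, b"\x00")
        router = bytes(payload[i + 1 + n:i + 5 + n])
        if len(router) != 4:
            raise ValueError("truncated option 121 payload")
        routes.append((ipaddress.ip_network((dest, plen)), ipaddress.ip_address(router)))
        i += 5 + n
    return routes


def next_hop(routes, dst):
    """Longest-prefix match, as a client that applies option 121 would do it.
    A client that never requested option 121 simply has none of these routes,
    and RFC 3442 says a client that does use it ignores the plain Router option,
    which is why the dnsmasq line also carries the 0.0.0.0/0 default route."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r[0]]
    return str(max(hits, key=lambda r: r[0].prefixlen)[1]) if hits else None
```

Running `next_hop(decode_option121(encode_option121(parse_dnsmasq_routes(DNSMASQ_LINE))), "100.101.102.103")` returns the subnet router 192.168.254.68, while any non-tailnet destination falls through to 192.168.254.254.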

That was the original plan, but my router doesn't allow the setting of static routes sadly.