The ACG internal subnet 172.16.3.x is reached over Tailscale, not a local LAN — pfsense-2
(the pfSense node) is the subnet router advertising 172.16.0.0/22. Key hosts on it:
Gitea/Jupiter 172.16.3.20:3000, GuruRMM + coord 172.16.3.30:3001/:8001.
Symptom → cause: if sync.sh fetch fails and the WHOLE 172.16.3.x subnet is unreachable
(both .20 and .30) while general internet is fine, the cause is almost always a Tailscale
node KEY EXPIRY on an infra node (the subnet router or a server) — an expired key drops that node
off the tailnet, killing the route. It is NOT a "transient blip" and NOT a real LAN outage (logged
as a correction 2026-06-25 after I mis-called it). Mike disabled key expiration on the infra
node(s) 2026-06-25 so it shouldn't recur; if it does, re-auth the node + confirm expiry is off in the
Tailscale admin console.
Diagnose (Windows tailscale.exe at C:\Program Files\Tailscale\):
- tailscale status — look for peers marked offline/key-expired, esp. pfsense-2 and gururmm-server.
- tailscale debug prefs | grep RouteAll — must be true (this machine accepts subnet routes).
- tailscale status --json — confirm a peer advertises 172.16.0.0/22 (PrimaryRoutes) and is Online.
- tailscale ping <tailnet-100.x> — tests tailnet path independent of the subnet route.
Fallback: gururmm-server is directly reachable at its tailnet IP 100.86.12.15:3001 — usable
in place of 172.16.3.30:3001 if the subnet route is down but the node itself is up. See feedback_tmp_path_windows.
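
The status --json check and the fallback above can be scripted. This is an added example, not part of the original note: it assumes the Peer, HostName, PrimaryRoutes, Online, Expired and TailscaleIPs fields of `tailscale status --json`, and the sample input (node keys, the 100.64.0.2 address) is constructed.

```python
import ipaddress
import json

# Constructed sample shaped like `tailscale status --json` output (not real data).
SAMPLE = json.loads("""
{"Peer": {
  "nodekey:constructed-1": {"HostName": "pfsense-2", "TailscaleIPs": ["100.64.0.2"],
    "PrimaryRoutes": ["172.16.0.0/22"], "Online": false, "Expired": true},
  "nodekey:constructed-2": {"HostName": "gururmm-server",
    "TailscaleIPs": ["100.86.12.15"], "Online": true}
}}
""")

def routers_for(peers, target):
    """Peers whose PrimaryRoutes contain the target address."""
    addr = ipaddress.ip_address(target)
    return [p for p in peers
            if any(addr in ipaddress.ip_network(r, strict=False)
                   for r in p.get("PrimaryRoutes") or [])]

def diagnose(status, target="172.16.3.30"):
    """Return (verdict, hostnames) for the subnet route that should carry target."""
    peers = list((status.get("Peer") or {}).values())
    routers = routers_for(peers, target)
    if not routers:
        # No peer holds the route right now; expired peers are the first suspects.
        return "no-router", [p["HostName"] for p in peers if p.get("Expired")]
    healthy = [p["HostName"] for p in routers
               if p.get("Online") and not p.get("Expired")]
    if healthy:
        return "ok", healthy
    expired = [p["HostName"] for p in routers if p.get("Expired")]
    if expired:
        return "key-expired", expired
    return "offline", [p["HostName"] for p in routers]

def fallback_ip(status, hostname):
    """Tailnet IP of an online, unexpired peer, usable without the subnet route."""
    for p in (status.get("Peer") or {}).values():
        if p.get("HostName") == hostname and p.get("Online") and not p.get("Expired"):
            return (p.get("TailscaleIPs") or [None])[0]
    return None

if __name__ == "__main__":
    print(diagnose(SAMPLE), fallback_ip(SAMPLE, "gururmm-server"))
```

For a live check, replace SAMPLE with `json.load()` of the saved `tailscale status --json` output.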