
tailscale.subnet_router.routes.advertised

Advertised subnet routes
Dimensions: None
Available on: Datadog (1)

Summary

Number of subnet routes this device is advertising as available to route for the tailnet. These are routes the device claims it can forward traffic for, pending approval. High counts indicate a device configured as a subnet router. Mismatch with approved routes shows pending authorization work. Essential for tracking subnet routing configuration and ensuring advertised routes receive proper approval.

Interface Metrics (1)
Datadog
Number of advertised subnet routes
Dimensions: None

Technical Annotations (38)

Configuration Parameters (4)
--snat-subnet-routes [recommended: false]
Prevents NAT on subnet routes to preserve original source IPs for firewall rules
net.ipv4.ip_forward [recommended: 1]
Must be enabled on subnet router for forwarding
tailscale.web.port [recommended: 5252]
Required ACL port for remote metrics collection over tailnet
allow_incoming_connections [recommended: disabled (workaround only)]
Disabling prevents CPU spike but limits Tailscale functionality

Error Signatures (1)
subnetIPForwardingNotEnabled [error code]

CLI Commands (14)
tailscale up --accept-routes --exit-node=my-vps-exit-node [remediation]
tailscale status [diagnostic]
ip route [diagnostic]
tailscale ping [diagnostic]
tailscale up --advertise-routes=10.0.0.0/16,10.0.0.0/24 [remediation]
tailscale status --routes [diagnostic]
tailscale metrics print [diagnostic]
tailscale up --advertise-routes=192.168.1.0/24 --snat-subnet-routes=false [remediation]
ip route show [diagnostic]
tailscale status --json | jq '.Self.PrimaryRoutes, .Self.AdvertisedRoutes' [diagnostic]
sysctl -w net.ipv4.ip_forward=1 [remediation]
tailscale metrics write [monitoring]
curl 100.100.100.100/metrics [diagnostic]
tailscale web [monitoring]

Technical References (19)
0.0.0.0/0 [concept]
subnet routes [component]
exit node [component]
subnet router [component]
longest prefix matching [concept]
black hole [concept]
via field [component]
subnet routers [component]
IP forwarding [concept]
DERP relay [component]
SNAT [concept]
subnet route [concept]
tailscale0 [component]
100.100.100.100 [component]
textfile collector [component]
DNS server override [component]
Tailnet Lock [component]
tailscaled.exe [component]
Hyper-V [component]

Related Insights (14)
Exit node default route overrides subnet routes causing connection failures [critical]
Overlapping subnet route failover black holes traffic [critical]
Local area network access failure through subnet router [warning]
Via field subnet router misconfiguration blocks traffic routing [critical]
Subnet router IP forwarding not enabled blocks subnet access [critical]
Tailscale client metrics available for Prometheus scraping [info]
SNAT on subnet routes breaks firewall return traffic [warning]
Subnet route overlaps with existing routes causing unexpected routing behavior [warning]
Subnet router lacks IP forwarding or firewall rules preventing traffic flow [critical]
Subnet router health monitoring requires metrics collection setup [info]
Subnet routes advertised but not approved blocks expected traffic routing [warning]
Malicious admin on shared domain can intercept traffic via subnet router or DNS [critical]
Tailscale daemon CPU usage spikes to 25-60% with high network utilization on Windows Server [warning]
Subnet router routes pending approval blocking connectivity [warning]

When a subnet router advertises routes that remain unapproved, devices attempting to reach those subnets will fail to establish connectivity. This represents a configuration gap between advertised network capabilities and operational reality, often caused by approval workflow delays or miscommunication.