Parked sketch — Mac Mini as Tailscale subnet router for home-LAN tailnet coverage (2026-06-06)

DARE.CO.UK · PARKED SKETCH · 2026-06-06

Mirrored from ~/.claude/.../memory/parked_sketch_tailnet_home_subnet_router_mac_mini_2026-06-06.md. This is a design sketch parked for future build — read for context, not as a current deliverable.

Dan, 2026-06-06 morning, on Verizon Fios + tailnet gaps — close the home-network gap by running Tailscale as a subnet router on the upcoming Mac Mini home-lab box. Verizon Fios routers can’t run Tailscale natively (proprietary firmware). Subnet router via always-on Mac Mini gives full home-LAN reachability from any tailnet node without replacing the Fios router. Ready-to-fire commands below; unblocks when the Mac Mini physically arrives.


The vision

Every device on the home LAN reachable from any tailnet node (iPad in Florida, MacBook anywhere, gf-cx-singapore for ops scripts) by its real LAN IP, no per-device Tailscale install. Closes the home-network gap discovered while planning the Florida road-trip remote-ops window (project_florida_trip_remote_ops_window_2026-06-03.md).

Why not Tailscale-on-the-router

Verizon Fios routers (G3100, G1100, CR1000A, E3200, etc.) run proprietary Verizon firmware: no SSH, no package manager, no way to install third-party binaries. Replacing the Fios router with a Tailscale-capable one (GL.iNet OpenWrt, UniFi Dream Machine, pfSense) is doable but requires bridging the Fios ONT and adds hardware spend. A subnet router on a single always-on device gives the same outcome with zero hardware change.

Why Mac Mini specifically

Pre-flight

Confirm the home subnet shape before firing. From the 2026-06-05 Mac→SharePoint traceroute we already have:

1  192.168.50.1                    ← Dan's primary LAN gateway
2  192.168.1.1                     ← Verizon Fios upstream
3  lo0-100.phlapa-vfttp-312.verizon-gni.net  ← Verizon Philadelphia POP

So:

Subnet            Role                  Devices that live here
192.168.50.0/24   Primary LAN           MacBook, Mac Mini (when arrived), printer, IoT, Immich, NAS
192.168.1.0/24    Fios’s WAN-side LAN   Fios router admin, anything plugged into Fios directly

Advertise BOTH subnets if Dan wants access to Fios-side devices too; otherwise just 192.168.50.0/24 covers the home LAN.

The commands

0. Use the standalone Tailscale, not the App Store version

The App Store version blocks tailscale ssh and is harder to run as a headless daemon. For a server-style subnet router, install the standalone variant from pkgs.tailscale.com or Homebrew:

STASH7

(If the Mini already has the App Store version, uninstall it first: drag from /Applications + remove its data. Don’t dual-run.)

1. Enable IP forwarding (persistent)

macOS doesn’t forward IP packets by default. Subnet routing requires it. Make it persistent across reboots:

STASH8

2. Bring up Tailscale with subnet advertising

STASH9

Flags:
  - --advertise-routes: the subnets this node will route for
  - --accept-routes: this node can also USE other subnet routers (e.g., a future GCP subnet)
  - --hostname=mac-mini-home-lab: canonical name across the tailnet
  - --ssh: enables tailscale ssh mac-mini-home-lab from other tailnet nodes (uses tailnet identity instead of password/keys)

3. Admin-console approval (one-time)

  1. Open https://login.tailscale.com/admin/machines
  2. Find mac-mini-home-lab row → Edit route settings
  3. Toggle ON: 192.168.50.0/24 and 192.168.1.0/24
  4. Same row → menu (…) → Disable key expiry (so the route doesn’t go offline every 6 months when the node key expires)

4. Verify from another tailnet node

# From MacBook in Florida:
ping 192.168.50.10        # a known home-LAN device
tailscale ping 192.168.50.10  # confirms the subnet-router path

# Find any home device by name (if mDNS works):
ping mac-mini-home-lab.local

If pings fail, common causes:
  - IP forwarding not actually enabled (sysctl net.inet.ip.forwarding should report 1)
  - Route not approved in the admin console
  - Home device firewall blocking ICMP from non-LAN sources (allow tailnet IPs, typically 100.64.0.0/10)

5. Optional — set up split DNS for *.home or similar

If you want mac-mini-home-lab.home, immich.home, nas.home to resolve via the tailnet, configure split DNS in the admin console (DNS → Add nameserver → restrict to your domain). Defer until after subnet routing proves itself.
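The whole procedure above, steps 0 to 4, as an added example that is not part of Dan's sketch: a small Python helper that validates the two pre-flight subnets before they go into --advertise-routes (RFC 1918 only, no host bits, no overlap with each other or with the tailnet's 100.64.0.0/10 range), composes the tailscale up line from the flags listed in step 2, and then reads the Mini's own sysctl net.inet.ip.forwarding and tailscale status --json output to flag the first two failure causes from step 4 plus a key expiry that was never disabled. The sysctl line, the status JSON and the 100.101.102.103 tailnet address are constructed here, not captured; the check assumes that Self.AllowedIPs / Self.PrimaryRoutes list an advertised route only once the admin console has approved it and that KeyExpiry is absent once expiry is disabled. The third cause, a home device's own firewall, cannot be judged from the router and is deliberately left out.

```python
"""Added example (not from Dan's sketch): pre-flight route validation for
the Mac Mini subnet router plus a diagnosis of the step-4 failure causes.
Sample inputs below are constructed, not captured from a real tailnet."""
import ipaddress
import json
import shlex

HOSTNAME = "mac-mini-home-lab"
# Tailscale assigns node addresses from this CGNAT range; a LAN route that
# overlaps it would shadow tailnet peers, so it is rejected outright.
TAILNET_CGNAT = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_routes(routes):
    """Normalize the IPv4 CIDRs destined for --advertise-routes. Rejects a
    host address written as a network, anything outside RFC 1918, overlap
    with the tailnet range, and overlap between the routes themselves."""
    nets = []
    for r in routes:
        net = ipaddress.ip_network(r, strict=True)  # "192.168.50.1/24" -> ValueError
        if not any(net.subnet_of(p) for p in RFC1918) or net.overlaps(TAILNET_CGNAT):
            raise ValueError(f"{net} is not a private LAN route")
        for other in nets:
            if net.overlaps(other):
                raise ValueError(f"{net} overlaps {other}")
        nets.append(net)
    return [str(n) for n in nets]


def build_up_command(routes, hostname=HOSTNAME):
    """Compose the `tailscale up` line from the flags the sketch lists."""
    return shlex.join([
        "tailscale", "up",
        "--advertise-routes=" + ",".join(validate_routes(routes)),
        "--accept-routes",          # let this node use other subnet routers too
        f"--hostname={hostname}",
        "--ssh",                    # Tailscale SSH: tailnet identity, no keys to manage
    ])


def diagnose(sysctl_output, status_json, expected_routes):
    """Check the router side of the step-4 troubleshooting list.

    sysctl_output: stdout of `sysctl net.inet.ip.forwarding` on the Mini.
    status_json:   stdout of `tailscale status --json` on the Mini.
    Assumption: Self.AllowedIPs / Self.PrimaryRoutes carry an advertised
    route only after the admin console approved it, and KeyExpiry is absent
    once key expiry is disabled. Returns [] when nothing is wrong.
    """
    problems = []
    key, _, value = sysctl_output.strip().partition(":")
    if key.strip() != "net.inet.ip.forwarding" or value.strip() != "1":
        problems.append("ip-forwarding-off")
    me = json.loads(status_json)["Self"]
    approved = {str(ipaddress.ip_network(p))
                for p in (me.get("AllowedIPs") or []) + (me.get("PrimaryRoutes") or [])}
    for route in validate_routes(expected_routes):
        if route not in approved:
            problems.append(f"route-not-approved:{route}")
    if me.get("KeyExpiry"):
        problems.append("key-expiry-enabled")
    return problems


# Constructed sample: forwarding on, only 192.168.50.0/24 approved so far,
# key expiry already disabled. The tailnet address is made up.
SAMPLE_SYSCTL = "net.inet.ip.forwarding: 1\n"
SAMPLE_STATUS = json.dumps({"Self": {
    "HostName": HOSTNAME,
    "TailscaleIPs": ["100.101.102.103"],
    "AllowedIPs": ["100.101.102.103/32", "192.168.50.0/24"],
    "PrimaryRoutes": ["192.168.50.0/24"],
    "Online": True,
}})
# Same node, but with the default 180-day key expiry still active.
SAMPLE_STATUS_EXPIRING = json.dumps({"Self": {
    "HostName": HOSTNAME,
    "AllowedIPs": ["100.101.102.103/32", "192.168.50.0/24"],
    "KeyExpiry": "2026-12-03T12:00:00Z",
}})

if __name__ == "__main__":
    routes = ["192.168.50.0/24", "192.168.1.0/24"]
    print(build_up_command(routes))
    print(diagnose(SAMPLE_SYSCTL, SAMPLE_STATUS, routes))
```

On the Mini itself, feed diagnose() the real output of the two commands named in its docstring; a non-empty list names the step-4 cause to go fix before blaming the remote end. Keep the advertised list to the minimum the trip actually needs: every approved route is reachable from whichever tailnet nodes the tailnet's ACL allows, not just from the MacBook.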

Operational notes

When to fire

Unblocks when: the Mac Mini physically arrives and is plugged into the home LAN with a stable IP (DHCP reservation or static).

Order of operations:
  1. Mac Mini arrives, set up macOS, give it a reserved IP via Fios admin (or 192.168.50.x via downstream router admin)
  2. Install Immich + configure RAID
  3. THEN run the Tailscale subnet-router steps above
  4. Test from iPad in Florida or any remote tailnet node

Setting up Tailscale BEFORE Immich is fine too — they’re orthogonal. Subnet router gives you SSH-from-anywhere into the Mini, which makes the Immich provisioning easier.

What this closes

Cross-references

Status

Parked sketch. Commands above are ready to copy-paste; nothing to ship today. Fires when the Mini physically arrives. Sits at ~30 minutes of work end-to-end (most of it propagating through admin-console approvals and one IP-forwarding plist).

Source: parked_sketch_tailnet_home_subnet_router_mac_mini_2026-06-06.md · Rendered 2026-06-06 14:45