diff --git a/docs/about/faq.md b/docs/about/faq.md index b06055fa..f9b43373 100644 --- a/docs/about/faq.md +++ b/docs/about/faq.md @@ -121,3 +121,17 @@ help to the community. ## Can I use headscale and tailscale on the same machine? Running headscale on a machine that is also in the tailnet can cause problems with subnet routers, traffic relay nodes, and MagicDNS. It might work, but it is not supported. + + +## Why do two nodes see each other in their status, even if an ACL allows traffic only in one direction? + +A frequent use case is to allow traffic only from one node to another, but not the other way around. For example, the +workstation of an administrator should be able to connect to all nodes but the nodes themselves shouldn't be able to +connect back to the administrator's node. Why do all nodes see the administrator's workstation in the output of +`tailscale status`? + +This is essentially how Tailscale works. If traffic is allowed to flow in one direction, then both nodes see each other +in their output of `tailscale status`. Traffic is still filtered according to the ACL, with the exception of `tailscale +ping` which is always allowed in either direction. + +See also .
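Review bot: The last added line, `See also .`, has no link target, so the new FAQ entry ends in a dangling reference; add the intended link or drop the line. In the answer paragraph, "This is essentially how Tailscale works" does not tell an operator what to rely on. Consider stating outright that a one-way ACL filters traffic but does not hide either node from the other's `tailscale status`, and that `tailscale ping` succeeds in both directions regardless. That makes two things clear: the ACL should not be used to conceal the administrator's workstation, and a successful `tailscale ping` is not evidence that the ACL is misconfigured. The hunk also adds two empty lines before the new `##` heading; one is enough.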