# Tailscale Funnel + LAN Connectivity Issue Summary

**Date:** July 2, 2026  
**Author:** Daniel + Hermes (Mac Mini)

---

## TL;DR

Tailscale Funnel URL (`https://daniel-ocs-mac-mini.tail03bebd.ts.net/...`) was unreachable from the MacBook. Root cause: a ghost Network Extension registration stuck in `[terminated waiting to uninstall on reboot]` state was blocking the MacBook's Tailscale tunnel even though `tailscale status` reported "active; direct." A MacBook reboot cleared the ghost. Funnel is now ready to test from Chrome.

---

## Environment

| Machine | Tailscale IP | LAN IP | Tailscale.app version | OS |
|---|---|---|---|---|
| Mac Mini (`daniel-ocs-mac-mini`) | `100.84.41.72` | `192.168.86.244` | 1.98.5 | macOS 26.3.1 |
| MacBook (`daniels-macbook-pro`) | `100.98.127.76` | `192.168.86.250` | 1.98.8 | macOS |

Both on same Tailnet (`lillyblossomai@`), same WiFi (`192.168.86.0/24`).

---

## Symptom (Original Problem)

A markdown guide file was created on the Mac Mini at `~/Desktop/ict_rbNhlJSXDaA_guide.md` (8896 bytes). Goal: make it accessible to the MacBook for note-taking during an ICT trading lecture. Tried three transport paths — all failed in sequence:

1. **Direct `scp` over Tailscale IP** (`100.98.127.76`) → `Operation timed out`
2. **`scp` over LAN IP** (`192.168.86.250`) → `Host key verification failed` then `Permission denied` (SSH key auth not set up between the two machines)
3. **Tailscale Funnel URL in MacBook browser** → "Can't load" / no response

While debugging, confirmed:
- Mac Mini's HTTP server (`python3 -m http.server 8765`) was serving the file correctly
- LAN IP `192.168.86.244:8765` returned `HTTP 200, 8896 bytes` from the Mini itself
- Public Funnel URL `https://daniel-ocs-mac-mini.tail03bebd.ts.net/ict_rbNhlJSXDaA_guide.md` returned `HTTP 200, 8896 bytes` from the Mini
- Mac Mini's `tailscale status` showed MacBook as `active; direct 192.168.86.250:41641`

So: **server side was healthy, client side couldn't reach it.**

---

## Diagnostic Sequence That Found The Bug

### Step 1: Confirmed Funnel was healthy on the Mini side
```bash
curl -sS -o /dev/null -w "HTTP %{http_code}, %{size_download} bytes\n" --max-time 5 \
  https://daniel-ocs-mac-mini.tail03bebd.ts.net/ict_rbNhlJSXDaA_guide.md
# → HTTP 200, 8896 bytes
```

### Step 2: Checked Tailscale state on the Mac Mini
```bash
tailscale status | grep macbook
# → 100.98.127.76  daniels-macbook-pro  lillyblossomai@  macOS  active; direct 192.168.86.250:41641
# Mini side looked fine
```

### Step 3: Tested MacBook reachability from Mac Mini
```bash
nc -z -v -G 3 100.98.127.76 22   # → Operation timed out (Tailscale IP)
nc -z -v -G 3 192.168.86.250 22  # → succeeded (LAN IP)
```
Pattern: **LAN works, Tailscale IP doesn't.** Consistent with Tailscale tunnel wedged on the MacBook side, not a LAN routing issue.

### Step 4: Restarted Tailscale on the MacBook (didn't fix it)
```bash
sudo tailscale down && sudo tailscale up
tailscale status
# → MacBook's IP appeared, Mac Mini showed "active; direct" — but Funnel still didn't load
```
**This was the red flag:** `tailscale status` says healthy but the tunnel doesn't actually work.

### Step 5: Inspected MacBook Network Extension state (THE SMOKING GUN)
```bash
systemextensionsctl list | grep -i tailscale
```
Output:
```
                W5364U7YZB      io.tailscale.ipn.macsys.network-extension (1.98.5/101.98.5)     Tailscale Network Extension     [terminated waiting to uninstall on reboot]
*       *       W5364U7YZB      io.tailscale.ipn.macsys.network-extension (1.98.8/101.98.8)     Tailscale Network Extension     [activated enabled]
```

**Two entries:**
- Ghost: old v1.98.5 in `[terminated waiting to uninstall on reboot]` — stuck registration from a previous Tailscale install, never cleared
- Live: current v1.98.8 in `[activated enabled]` — looks healthy

The ghost was preventing the kernel from fully activating the tunnel even though the new extension was registered.

### Step 6: Rebooted the MacBook
After reboot:
```bash
systemextensionsctl list | grep -i tailscale
# → ONE entry only:
# *       *       W5364U7YZB      io.tailscale.ipn.macsys.network-extension (1.98.8/101.98.8)     Tailscale Network Extension     [activated enabled]
```

**Ghost cleared, single clean entry, tunnel state now consistent.**

---

## What Did NOT Work

| Attempt | Why it failed |
|---|---|
| `scp` over Tailscale IP | Tunnel wedged (root cause) |
| `scp` over LAN IP | SSH host key + auth not configured between machines |
| Tailscale Funnel in MacBook browser | Same tunnel wedge — `tailscale status` lied |
| `sudo tailscale down && sudo tailscale up` | Cleared the user-space state but didn't touch the kernel-level ghost extension |
| `sudo systemextensionsctl uninstall W5364U7YZB` | Blocked by SIP (`At this time, this tool cannot be used if System Integrity Protection is enabled`) — not needed after reboot anyway |

---

## What Worked

**Reboot the MacBook.** That's it. One restart.

- Kernel cleared the `[terminated waiting to uninstall on reboot]` ghost entry on shutdown
- On boot, only the current v1.98.8 extension was registered
- `systemextensionsctl list` now shows one clean entry
- `tailscale status` and actual tunnel behavior now agree

---

## Verification Plan (Post-Fix)

1. **Chrome browser test** — Open `https://daniel-ocs-mac-mini.tail03bebd.ts.net/ict_rbNhlJSXDaA_guide.md` in Chrome on MacBook. Should render markdown in browser.
2. **`curl -v` test** — `curl -v https://daniel-ocs-mac-mini.tail03bebd.ts.net/ict_rbNhlJSXDaA_guide.md` shows the TLS handshake and HTTP response.
3. **LAN fallback** — If Funnel still fails: `curl -o ~/Desktop/ict_rbNhlJSXDaA_guide.md http://192.168.86.244:8765/ict_rbNhlJSXDaA_guide.md` (Mac Mini's HTTP server, still running, PID 32546).

---

## Lessons / Patterns to Remember

1. **`tailscale status` is unreliable for tunnel health.** It talks to the local daemon, not the kernel tunnel. A wedge between user-space daemon and kernel-level Network Extension produces "active; direct" in status while the actual tunnel fails. Always cross-check with `systemextensionsctl list | grep tailscale` on macOS.

2. **`[terminated waiting to uninstall on reboot]` is terminal.** Cannot be cleared manually, even with `sudo systemextensionsctl uninstall` (SIP blocks it). Only a reboot clears it.

3. **Ghost + live entries together = bug.** If `systemextensionsctl list` shows multiple Tailscale entries, one is almost certainly stuck. Clean state = exactly one entry.

4. **The bug pattern recurs:** This is the same class of issue from June 27, 2026 (MacBook↔Mac Mini device-to-device timeout) and July 1, 2026. Pattern: Tailscale says "fine," TCP says "no." Always check the Network Extension state.

5. **Always test BOTH directions before assuming connectivity.** We tested Mini→MacBook (failed), confirmed LAN→MacBook SSH worked. That single data point ("LAN works, Tailscale IP doesn't") was the entire diagnostic — it pointed at the MacBook's tunnel, not the LAN.

6. **macOS firewall was a red herring.** Tailscale Network Extensions are auto-allowed through the Application Firewall when activated. The "is it the firewall?" detour added confusion. Jump to `systemextensionsctl` first.
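
An added example (not part of the original notes and not Tailscale's own tooling): a small shell function that applies lessons 1 and 3 by parsing `systemextensionsctl list` output and checking that exactly one Tailscale extension is registered and activated. The function name, verdict words and exit codes are assumptions of this example; the sample listings are the two outputs recorded above.

```bash
# Classify Tailscale Network Extension registrations (added example).
# Input: `systemextensionsctl list` output on stdin.
# Output: one verdict word on stdout; stuck entries are echoed to stderr.
#   clean   (exit 0)  exactly one entry and it is [activated enabled]
#   ghost   (exit 1)  extra or non-activated entries present; reboot to clear
#   missing (exit 2)  no Tailscale extension registered

# Bundle ID as it appears in the listing recorded in Step 5.
TS_BUNDLE_ID='io.tailscale.ipn.macsys.network-extension'

classify_tailscale_sysext() {
  awk -v id="$TS_BUNDLE_ID" '
    index($0, id) {
      total++
      if (index($0, "[activated enabled]")) active++
      else print "stuck: " $0 > "/dev/stderr"
    }
    END {
      if (total == 0)                { print "missing"; exit 2 }
      if (total == 1 && active == 1) { print "clean";   exit 0 }
      print "ghost"; exit 1
    }'
}

# Listings copied from the MacBook output above (Step 5 and Step 6).
sample_before_reboot() {
  cat <<'EOF'
                W5364U7YZB      io.tailscale.ipn.macsys.network-extension (1.98.5/101.98.5)     Tailscale Network Extension     [terminated waiting to uninstall on reboot]
*       *       W5364U7YZB      io.tailscale.ipn.macsys.network-extension (1.98.8/101.98.8)     Tailscale Network Extension     [activated enabled]
EOF
}

sample_after_reboot() {
  cat <<'EOF'
*       *       W5364U7YZB      io.tailscale.ipn.macsys.network-extension (1.98.8/101.98.8)     Tailscale Network Extension     [activated enabled]
EOF
}

# Demo on the embedded samples. On a real Mac, run instead:
#   systemextensionsctl list | classify_tailscale_sysext
echo "before reboot: $(sample_before_reboot | classify_tailscale_sysext 2>/dev/null)"
echo "after reboot:  $(sample_after_reboot | classify_tailscale_sysext)"
```

A non-zero exit code makes the function usable as a pre-check in scripts that depend on the tunnel, so a `ghost` verdict is caught before trusting `tailscale status`.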

---

## Key File Paths

- Mac Mini guide file: `/Users/daniel/Desktop/ict_rbNhlJSXDaA_guide.md`
- Mac Mini HTTP server: PID 32546, listening on `:8765`, `python3 -m http.server`
- Mac Mini Tailscale: `/Applications/Tailscale.app/Contents/MacOS/tailscale` (v1.98.5)
- Mac Mini team ID: `W5364U7YZB`
- Tailscale ACL admin: `https://login.tailscale.com/admin/acls/<tailnet>`

## Commands That Worked (Reference)

**Test Funnel from anywhere:**
```bash
curl -sS -o /dev/null -w "HTTP %{http_code} | %{size_download} bytes | %{time_total}s\n" --max-time 5 \
  https://daniel-ocs-mac-mini.tail03bebd.ts.net/ict_rbNhlJSXDaA_guide.md
```

**Check Network Extension health on macOS:**
```bash
systemextensionsctl list | grep -i tailscale
```

**Tailscale state cross-check:**
```bash
tailscale status
tailscale funnel status
```

**LAN reachability probe:**
```bash
nc -z -v -G 3 <ip> <port>
```

---

## Status: FIXED (pending verification)

Root cause identified and fixed via reboot. Verification pending — need to confirm MacBook browser can now reach `https://daniel-ocs-mac-mini.tail03bebd.ts.net/ict_rbNhlJSXDaA_guide.md`.