Enabling MetalLB L2 on Talos Control Plane Nodes

Overview

Fixing MetalLB L2 announcements on Talos Linux clusters where all nodes are control planes¹. Talos labels control plane nodes with exclude-from-external-load-balancers, which MetalLB 0.14+ honors by default. In clusters without dedicated workers, this excludes all nodes from L2 announcements, making LoadBalancer IPs unreachable from the local network.

Before You Begin

Prerequisites

• MetalLB, Longhorn, and Ingress-NGINX completed

When to Use This

This fix applies when both conditions are true:

1. Direct LAN access - You access LoadBalancer IPs from the local network, not through Tailscale. Tailscale routes traffic through its overlay network, bypassing L2 entirely.
2. All-control-plane cluster - All nodes are control planes with no dedicated workers. If you have workers, MetalLB announces on those nodes (which lack the exclusion label) and L2 works normally².

Symptoms:

• LoadBalancer IPs assigned but unreachable from LAN
• ARP shows (incomplete) for LoadBalancer IPs
• NodePort works but LoadBalancer doesn't
• No L2 status resources:

kubectl get servicel2statuses -A

Returns No resources found.

Update HelmRelease

Speaker Configuration

k8s/core/metallb/helmrelease.yaml:

spec:
  # ... existing chart/install/upgrade config ...
  values:                      # NEW
    speaker:                   # NEW
      ignoreExcludeLB: true    # NEW

Deploy Changes

Commit

git add k8s/core/metallb/helmrelease.yaml
git commit -m "fix(metallb): ignore node exclusion label for L2 announcements"
git push

Reconcile Flux

flux reconcile kustomization sync --with-source

Restart Speakers

kubectl rollout restart daemonset/metallb-speaker -n metallb-system
kubectl rollout status daemonset/metallb-speaker -n metallb-system

Verify Fix

L2 Status

kubectl get servicel2statuses -A

Should now show status entries for LoadBalancer services.

Connectivity

ping <loadbalancer-ip>

Resources