A Tailscale Package for pfSense!

  • Published 27 Jul 2024
  • Timestamps:
    0:00 pfSense News
    1:14 Introduction
    3:15 Demonstration Network Overview
    6:20 Tailscale Package Configuration
    8:30 Generating Authorization Keys
    6:20 Tailscale Package Configuration (Part II)
    14:25 Exit Node Configuration
    16:15 Subnet Router Configuration
    18:35 Tailscale Status Page
    19:30 Firewall Rules
    20:32 Routing Limitations
    27:30 Outbound NAT Rules
    28:50 What's Next?
    Discussions:
    Facebook : / pfsense.official
    Reddit : / pfsense and / netgate
    Forum : forum.netgate.com/
    Links:
    Netgate Blog for 22.05 : www.netgate.com/blog/pfsense-...
    Upgrade Guide : docs.netgate.com/pfsense/en/l...
    ZFS Boot Environments : • ZFS Boot Environments ...
    Github Issue : github.com/tailscale/tailscal...
    WireGuard Site-to-Site : • Basic Site-to-Site VPN...
    Headscale Control Server : github.com/juanfont/headscale
  • Science & Technology

COMMENTS • 100

  • @adimw 1 year ago +3

    I was skimming and almost missed the Outbound NAT rule at 27:30. Working now in a lab, THANK YOU!

  • @sgtpepperaut 2 years ago +2

    Connecting 3 sites with OpenVPN took a couple of days of trial and error, a couple of minutes with this package! Thank you

  • @JustinAndrusk 2 years ago +9

    This was an excellent walk-through. Just started looking into Tailscale and how I could dive deeper into it to better understand its inner workings, and this was a definite help with that.

  • @Jpeg6 2 years ago +4

    As usual great work. Looking forward to the release.

  • @gdewey1 10 months ago

    Excellent work Chris!! Loved your material and the detail in the explanation

  • @JPEaglesandKatz 2 years ago

    You sir are amazing!!! Thanks a lot for these awesome features!! Been testing Tailscale a bit and it looks very promising!

  • @tornadotj2059 2 years ago +2

    Thank you for doing this. Super easy to set up, and works perfectly.

  • @GrishTech 1 year ago

    Thank you for your contributions. Everything is working and scales very well.

  • @BinaryHackerMan 1 year ago

    Thank you SO much for this package and guide, it was enough for me to get the subnet routing to work.

  • @panthrosrevenge 1 year ago

    Thanks for this video! The outbound NAT rule was what I was missing to get my site-to-site configuration working well.

  • @radupopa6642 1 year ago

    Great work and good explanations!

  • @ilovingit77 1 year ago

    Thank you very much for this video. I already use Tailscale on my Unraid server and other machines and devices. Now I have it installed on my pfSense router! It works great. Great tutorial!

  • @MikeReprogle 2 years ago

    Awesome, I will be refreshing that package every day. Your config video for WireGuard with Mullvad got me working with Windscribe, but I have been looking to get a site-to-site VPN set up, and this is going to be what I try!

  • @qcnsllcqcnsupport7616 2 years ago

    Great video... I can't wait to try it 🙏

  • @nickharvey5149 1 year ago

    Fantastic - you are a natural!

  • @J-D248 1 year ago

    Awesome video!! Thank you!

  • @jocelyn-n-tech 1 month ago

    Why did you stop making videos??? This one was excellent!

  • @tooslownotfast 1 year ago

    Thank you for your work

  • @hjaltioj 2 years ago

    Nice. :D Thank you for the good work :D

  • @arthurwiebe5508 2 years ago

    This is really nice. I've built my own WireGuard mesh network for centrally managing a few hundred pfSense installs; I can see Tailscale being great for smaller teams where rolling your own solution doesn't make sense.

  • @satdevlpr 1 year ago

    Great video, please keep it up..

  • @sagarsriva 1 year ago

    Great video!

  • @TheMongolPrime 2 years ago +3

    Awesome job! I loved the video, and really appreciate the walkthrough. You're a great guide. One thing I would recommend updating (maybe I missed this) is that you have to accept the routes being advertised on the Tailscale machines page. Otherwise the advertising won't work just through saving it in pfSense.

  • @krenkotv3240 2 years ago +1

    Cannot wait to drop the Linux VMs I use for subnet routers and implement this on my edge pfSense! Thanks for the hard work! I may check out Headscale as well.. Tailscale keeps yelling at me for not paying even though I'm using multiple subnet routers lol

  • @Dxun2 1 year ago

    Thanks for this great walkthrough, Christian!
    You might want to blur your email address in the Routing Limitations video segment, though.

  • @gromit_2959 1 year ago

    Thanks for your most awesome content; would love for you to make an episode on how to set up DNS/ACME/HAProxy and SSL for "homelabs" and SMBs.

  • @scottc2211 2 years ago +1

    Greatly appreciate all your work and effort on such an excellent product - absolutely love pfSense. Following your information I was able to set up Tailscale with the greatest of ease. One question comes to mind - will there eventually be a Tailscale widget for the home screen like the other options available? Again thank you, and I greatly appreciate your time.

  • @d4veg 2 years ago

    Thanks!

  • @donraymond8933 2 years ago +6

    Thanks for your great work Christian. I really appreciate the technical accuracy and clarity of your description, especially for a (moderately) knowledgeable networking person such as myself. One quick question - if one has beefy hardware (e.g. an SG-5100 for home use), will that overcome the inefficiency of the Tailscale userspace WireGuard implementation?

  • @BillyDickson 2 years ago

    Using your WireGuard implementation in my pfSense homelab setup, works great! I can now manage my home network via my phone.
    Thanks for all your hard work, much appreciated.

  • @MrChris79 2 years ago +1

    NICE. I've been waiting for a reason to jump on the Tailscale bandwagon!

    • @l0gic23 2 years ago +2

      All you had to do was listen to an ad on one of the Jupiter Broadcasting podcasts... Their real examples were all the motivation I needed.

  • @gdewey1 8 months ago +2

    Seems like on the new pfSense version (23.09) you cannot assign NAT translation to the Tailscale IP /32. Anyone experience this, or am I missing something? I was able to follow the instructions without a problem on the last version.

    • @Jooohn64 8 months ago

      Same for me :(

    • @8095945088 7 months ago

      Did you find any solution for this issue?

    • @gdewey1 7 months ago +1

      @@8095945088 I reported this to Netgate and they admitted it was a bug that was going to be covered in the next release. The solution is to manually add the 100.x.x Tailscale IP /32 to the fields.
      They released a new update and now it shows Tailscale networks, but it's wrong; I still need to use a direct (hardcoded) value in the field. Hope this helps.

    • @Shabba-k2x 6 days ago

      Stumbled across a thread on the Netgate forums: for the latest version you only need to create a WAN rule for UDP destination port 41641, for any source and any destination (could play about with exact addresses if you want to make it more secure). This allowed all my roaming clients to have a direct connection to my home network, especially my Jellyfin server for on-the-go streaming.

  • @PedroMorenoBOS 1 year ago

    Excellent teacher, I will follow this service. When do you plan to enable the firewall to let us apply rules on the interface? Thanks.

  • @joeychou8627 1 year ago

    Great video, do you have a plan to make a similar introduction and deep dive for the ZeroTier package on pfSense?

  • @ElvisImpersonator 11 months ago

    Excellent tutorial! Had site-to-site (one site behind double NAT) Tailscale up and running in 30 minutes. Any chance multicast (aka Bonjour) can be advertised across the tailnet to allow automatic discovery? Maybe with rules or the IGMP proxy in pfSense?

  • @tasi 2 years ago

    Great job Christian, thanks for this update

  • @marktomlinson6922 9 months ago

    Great explanation. I have one question for yourself or anyone else reading this: in this site1-to-site2 setup (pfSense1 to pfSense2), for a device behind the pfSense1 router, how do you get it to use the DNS from pfSense2 to resolve and connect to a device behind the pfSense2 router?

  • @im.thatoneguy 2 years ago +2

    A secondary goal of this effort to debug Tailscale's UPnP/NAT-PCP compatibility with pfSense would also be welcome. It seems to work great at home on my Ubiquiti ER-X, but our work machines behind pfSense don't seem to be able to request open ports. Other apps like Parsec have no trouble requesting open ports.

    • @ChristianMcDonald 2 years ago

      tailscale.com/kb/1146/pfsense/ ?

    • @im.thatoneguy 2 years ago

      @@ChristianMcDonald Yeah, we have both enabled, but Windows machines inside our network don't seem to succeed in requesting a hole.

  • @rjmunt 2 years ago +1

    I added the NAT Outbound rules for Tailscale on my networks. However my phone still cannot establish a direct connection (only relayed). Is the only option to enable NAT-PMP? Are there any drawbacks to that?

  • @TradersTradingEdge 1 year ago

    Thanks Christian, great explanation.
    Is there a way I can route TS traffic through HA-Proxy? WAN > TS > HA-Proxy > MyService
    Is that possible?

  • @neosmith80 2 years ago

    Great video... just need to turn up the audio! :)

  • @Simonthadude 2 years ago

    Thanks!

  • @StefanWeichinger 7 months ago +1

    Is the Outbound NAT rule still necessary, or is it maybe set under the hood by the package already? Testing this in Dec 2023 and I can't even choose "Tailscale address" as the NAT interface in a new Outbound NAT rule. Trying to route to a subnet connected via IPsec ...

    • @8095945088 7 months ago +3

      Use "Network or Alias" and put in the Tailscale IP address 100.xx.xx.xx; it should work fine.

  • @phattunit 11 months ago

    Tailscale is ❤

  • @GrishTech 11 months ago

    14:18 - I have a question about this listening port. For some reason, external devices that are behind their own NAT that can't be punched through fail to establish a direct connection with the pfSense firewall, even if I have an allow rule on WAN. However, any devices behind the pfSense firewall can establish a direct connection for inbound attempts. Why is the pfSense firewall itself not able to receive inbound direct connection attempts? I tried static port via manual NAT rules, UPnP, etc.

  • @radupopa6642 1 year ago

    A regular tailscale node can be configured to use another exit node, if that other node was approved to act as an exit node for the tailscale network.
    Is there a way to configure the pfSense tailscale node to use an existing exit node? I could not figure this out...

  • @networkadminbr 2 years ago

    Hi Christian, do you have some material about WireGuard + OSPF? I know that WireGuard can't use multicast; how can I solve this? Thank you

  • @mrschickfick 1 year ago

    Are there any updates regarding the kernel implementation? NAT sucks ;-) Routing the internal network on layer 3 would be awesome.

  • @joelc1328 1 year ago

    @Christian, I have a use case where I'm trying to block one port from a PC but allow everything else to traverse the Tailscale VPN. I think I have to do this through ACLs, but I have read the documentation and still can't figure it out. Any help would be appreciated!

  • @davidg4512 1 year ago

    So, it appears that when you do source NAT for Tailscale, ACLs don't work properly. Destination NAT at the final pfSense Tailscale node appears to work. Does the ACL get checked by every Tailscale node, or only those that advertise the route?

  • @vlaktorbb 5 months ago +1

    Thanks for this awesome in-depth video. But how can you ping devices on the Tailscale network from behind the pfSense? I tried to set up an outbound NAT rule, but the NAT alias is missing. I've tried to set it up via a network alias, but this isn't working, sadly. Seems this part is broken in the latest 23.09.1 update.

    • @user-eu6gx3lu2b 5 months ago +1

      Use "Network or Alias" and put in the Tailscale IP address 100.xx.xx.xx; it should work fine.

  • @ryanroberts210 2 years ago +2

    I've got two networks on two different pfSense boxes talking to each other, accessible, etc... Great, thanks! What I'd like to do though is have one pfSense be the Exit Node for the other, i.e. all the traffic in and out of one pfSense goes through the other. I see how to use an Exit Node with a phone or laptop, but not how to tell the pfSense subnet router to use the other one... Any ideas? Thx

    • @amirabbasmaleki83 1 year ago

      As Ryan said, is there any way to advertise one pfSense as an exit node and route other sites' clients and LAN devices to use this tunnel as their gateway???

  • @PowerUsr1 1 year ago

    Any plans coming down the line to control Tailscale access using pf firewall rules? As "fun" as it is to write JSON, it's clearly easier to maintain using the firewall.

  • @visghost 1 year ago

    It would also be cool if pfSense had a GPON setup function. I so dream of removing the provider's Wi-Fi router so that I can do without a router and connect the optics directly to pfSense.

  • @rudypieplenbosch6752 2 years ago

    Would be great if something similar can be done for ZeroTier, so I don't need to spin up a VM for it.

  • @sebastianpulver3604 2 years ago

    Is it possible to use OSPF over Tailscale to advertise the routes instead of Tailscale itself?

  • @kingrafe 1 year ago

    I cannot get my subnets to show. I think I am missing a firewall rule or setting that allows you to see the subnet.

  • @avecruxspesunica2552 1 year ago +1

    Trying out Tailscale... I have a SiteA(pfSense)-to-SiteB(pfSense) with both using Tailscale. I have SiteA set as 'Exit Node'. How do I force SiteB to use SiteA as 'Exit Node'?

    • @user-fw6eg3hc8f 1 year ago

      I think from the pfSense Tailscale settings, select Advertise Exit Node.

  • @John-zs5nw 12 days ago

    How do I get the Tailscale address option for the NAT address?

  • @danroberts2055 3 months ago

    I'm at my wits' end. I have two pfSense devices: 1. pfSense Plus behind Starlink and 2. pfSense CE behind T-Mobile. I have Tailscale running on both with NAT rules on both, and I can get from the T-Mobile device to the Starlink device, but I can't get from the Starlink device to the T-Mobile device. Both show routes correctly in pfSense and both ping using tailscale ping, but when I try to reach the T-Mobile router from the Starlink router I get nothing. HELP! I have scanned the web and watched every YT video I can... don't know what's happening. ... Only thing I can think of is that Starlink is a 100. network...$ This doesn't happen if I'm on a phone using Tailscale and try to get to either. I can get to both via my phone, just not from the Starlink device to the T-Mobile device.

  • @diogernesoliveira5309 1 year ago

    How do you create site-to-site on pfSense through Tailscale?

  • @4Covenant 9 months ago

    You can do the same scheme but with a third site.
    Greetings

  • @PeterNordin 4 months ago +1

    Maybe I'm stupid or I'm missing something essential.
    When I try to set up the Hybrid Outbound NAT I stumble on a problem.
    I set Interface to Tailscale as you showed, I set Source to Network or Alias and insert the subnet of my LAN interface.
    Then down at Translation, when I try to set Address to Tailscale address, I can't find it in the dropdown list. I first thought you made an alias, but I see a space.
    Why can't I see the Tailscale Address under Translation Address?

    • @nathansalt5765 4 months ago

      I have the same problem. Under routes the Tailscale subnets show up there, but the gateway is listed as link# and not tailscale. So there is no Tailscale gateway to point to.

    • @user-eu6gx3lu2b 4 months ago

      Use "Network or Alias" and put in the Tailscale IP address 100.xx.xx.xx; it should work fine.

    • @PeterNordin 4 months ago

      @@user-eu6gx3lu2b Thanks, and what subnet mask to use, /24 or /32?

  • @GrishTech 1 year ago

    Would be great in the future if Tailscale WireGuard for BSD could allow source NAT to be disabled, just as we can in Linux with --snat-subnet-routes=false

    • @GrishTech 1 year ago

      I understand the userspace limitations. The performance is nonetheless acceptable.

  • @MrCWoodhouse 1 year ago

    I found a strange bug. I struggled for hours. Why won't it work? In the Advertised Routes section, I had a blank line below the route I wanted. Once I deleted the blank line it worked just fine! Maybe when you parse the dialog box it creates wrong JSON if there is a blank line.

  • @jp_baril 2 years ago +1

    Hi, pfSense (and networking) newbie here.
    Having Tailscale installed on pfSense, from the pfSense machine itself I can ping a remote device by its Tailscale IP.
    Now, how can my LAN devices behind my pfSense router also ping that remote Tailscale IP?
    Thank you.

    • @BinaryHackerMan 1 year ago

      You have to enable subnets from the Tailscale control center.

    • @nathansalt5765 4 months ago

      I've got the same problem. Using ping in pfSense I can ping my remote Tailscale address and the devices on its subnet. It's not getting passed locally through pfSense, unfortunately.

    • @jp_baril 4 months ago

      Actually, the answer was in the video. It's the outbound NAT (@28:30).

    • @nathansalt5765 4 months ago

      @@jp_baril Yeah, I did that but it still didn't work.

  • @petergplus6667 2 years ago +3

    I wasn't able to establish functioning WireGuard connections with pfSense. I use the IPsec of my routers for now. Am I correct that Tailscale is an easier implementation of WireGuard, so I can retry?

    • @igorkholobayev7779 2 years ago +1

      My WireGuard is running great. Let me know if you need help.

  • @kevinlindashaw957 1 year ago

    Solved!! ... Wrong start-up command for the Linux machine ... should use "sudo tailscale up --accept-routes", not "sudo tailscale up" ...
    How to ping the computers behind the pfSense box?
    I have Tailscale running on my pfSense box with subnets enabled in the control server, and there are computers behind the pfSense box. I have Tailscale running on my Linux machine in another location (it has its own Tailscale IP). The computers behind the pfSense box can ping the Tailscale IP of the Linux machine. The Linux machine can ping the Tailscale IP of the pfSense box (I can even sign into the pfSense box from the Linux machine), but how do I get the Linux machine to access any of the computers behind the pfSense box??

  • @AJ-FL 1 year ago

    PLEASE PLEASE PLEASE 🙏 Can we finally have multi-WAN FAILBACK? I HAVE over 12 accounts running EdgeRouter appliances whose failback works flawlessly when having metered LTE WAN connections 🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏
    These clients have requested more powerful/capable hardware, and pfSense would be the perfect solution if it had a failback function for multi-WAN 🙏🙏🙏🙏

  • @GpconnectInfohotspot 2 years ago

    Why don't we have an API to create vouchers for the captive portal on the fly?

  • @PowerUsr1 2 years ago +2

    How does this compare to ZeroTier?

    • @PowerUsr1 2 years ago

      @StevenTheElder Why would they hate it? It's similar tech.

    • @jimthompson971 2 years ago +1

      @StevenTheElder I wouldn't say we "hate it". That's not true. But someone has to do the work, and someone has to maintain it.

  • @raul230285 2 years ago

    Probed Nebula VPN

  • @dotnetfx40i93 2 months ago

    Why will pfSense not control Tailscale traffic... WTF, I should trust Tailscale? In fact I will not trust it, and for that reason rules in the Tailscale admin panel will not help me to trust it. 22:00

  • @PowerUsr1 1 year ago

    It's been a couple of months trying TS and it's really so unimpressive from a scalability perspective. The documentation is OK-ish when it comes time to implement ACLs, but the whole point of this level of control on a firewall is to have the firewall control access through rules and have some auditing of what is hitting those rules. All pfSense is doing here is acting as a router. No firewall rules. No restrictions.
    This just isn't ready for an enterprise IMO. Keep it in the home lab, or maybe a small business where traffic control isn't needed. Hard pass.