@manupfdude Thanks for the info. If I understand correctly, pfSense Tailscale package will ensure tailscaled is running all the time even after reboot, yet Tailscale is actually using your command to authenticate itself, right? The KEY entered in the pfSense Tailscale UI has already expired(or you can enter fake KEY there).

@slu Better to update your pfSense since this version is EOL: https://docs.netgate.com/pfsense/en/latest/releases/versions.html#id19 I work remotely 6-7 days a week and can't afford any issues without testing first and having the ability to roll back. I have a cold spare appliance I can physically swap out. I typically wait for a long holiday weekend. Also not pleased about the lack of an offline installer image. Makes the offline restore a lot more complicated Install 2.7.2 using offline image with current config.xml on flash drive Upgrade to 2.8.1 in place.

@totalimpact in my case I dsid not reboot the router, after I copied the new key tailscale went online.

With Tailscale, I just recommend sticking with the FreeBSD15 version. Yes, it may currently work using the FreeBSD 14 package despite being on 15, but any number of other updates could result in that not being the case anymore. Not to mention the fact that any updates newer than 1.84.2_1 don't really impact functionality for what people would be using Tailscale for with PfSense so updating past that is not an absolute necessity. I run 1.86.4 on my desktop+phone and 1.84.2_1 on my pfsense router. Phone commonly uses the PfSense router as an exit node and there's no difference for PfSense. TL;DR: Better to be safe than sorry and stick with the FreeBSD 15 version even if it's not the latest version of Tailscale.

Any luck getting this fixed? I am running into the exact same issue with my setup. Latest Headscale (0.26.1), PFSense 2.7.2, and Tailscale package 1.84.2 installed on PfSense.

@maxpol @TravisH Did you get this resolved? I have th esame issues or very similiar. The first tailnet client works, then when i add additional ones they sometimes work, but majoritvly they fail. PFSense+ latest f/w. All endpoint showing online in tailscale status within pfsense and also on the tailscale portal. Thanks

Thank you, @elvisimprsntr, I did that and it worked beautifully.

From TS support "I’m Kelly from the Tailscale support team. Thanks for reaching out! This is a common point of confusion- Even with the “Key Expiry: Disabled” option selected in the Tailscale web UI, that only applies to machines authenticated via the web login. You need to generate a Reusable, Ephemeral = false, Pre-Auth Key via the Tailscale admin panel, and use that on the pfsense."

@Gertjan Thanks for the reply! Thats what I was afraid of. We have 100s of pfsense/tailscale nodes that we don't have UI access to. We use Ansible to automatically configure them in a remote fashion, everything was fine until this routes issue. But I will check out the link. Thanks again!