  • Tailscale Package Now Available on pfSense Software!

    Pinned
    7
    9 Votes
    7 Posts
    3k Views

    For some reason I cannot access my LAN despite advertising it as a 192.168.X.X/24 route in the pfSense Tailscale setting. I am using headscale, running an Ubuntu Tailscale client with the "--accept-routes=true" option. I can connect to the pfsense 10.64.X.X interface, but not to the LAN beyond it...

  • How to update to the latest Tailscale version?

    149
    1 Votes
    149 Posts
    27k Views

    24.11

    pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.82.5.pkg

    All good, connected happily to headscale 0.26.0

  • Tailscale with pfsense exit node, no DNS

    29
    0 Votes
    29 Posts
    2k Views

    @jacobhall

    I was on the stock version (pfsense community 2.7.2) of tailscale connecting to headscale.

    I upgraded tailscale client on pfsense to 1.82.5 while leaving headscale unchanged. I was able to reproduce the problem -- my android tailscale client cannot resolve dns when using the tailscale client on pfsense as an exit node. If I disable "Use tailscale DNS" on my android client, internet connectivity works.

    I am going to leave it broken for now, if anyone wants me to try different things. Thanks.

  • PFSense site-to-site with Tailscale and cloud cam issue

    1
    0 Votes
    1 Posts
    67 Views
    No one has replied
  • Update package?

    3
    0 Votes
    3 Posts
    182 Views

    Thank you, @elvisimprsntr, I did that and it worked beautifully.

  • Detect "login / connection" events from Tailscale package logs

    1
    0 Votes
    1 Posts
    78 Views
    No one has replied
  • Key expiration question

    4
    0 Votes
    4 Posts
    193 Views
    chudak

    From TS support

    "I’m Kelly from the Tailscale support team. Thanks for reaching out! This is a common point of confusion- Even with the “Key Expiry: Disabled” option selected in the Tailscale web UI, that only applies to machines authenticated via the web login.

    You need to generate a Reusable, Ephemeral = false, Pre-Auth Key via the Tailscale admin panel, and use that on the pfsense."

  • Tailscale & IP Alias (public IP)

    1
    0 Votes
    1 Posts
    119 Views
    No one has replied
  • Tailscale UI config Overwrites CLI config on Reboot

    3
    0 Votes
    3 Posts
    164 Views

    @Gertjan

    Thanks for the reply! That's what I was afraid of. We have 100s of pfsense/tailscale nodes that we don't have UI access to. We use Ansible to automatically configure them in a remote fashion; everything was fine until this routes issue. But I will check out the link.

    Thanks again!

  • Tailscale not online

    11
    0 Votes
    11 Posts
    551 Views

    @IanMcLeish said in Tailscale not online:

    I got it!

    great 👍

  • "Tailscale is not online" problem

    35
    0 Votes
    35 Posts
    6k Views

    I want to improve the script above to make it "force" direct connections.

    Another issue with this script is that it's pinging only once, and if that ping fails, it stops and then starts the service.

    I think it would be much better if the script pings 10 times, and if 10 out of 10 fail, it will restart the service.
    This would increase the reliability of the script and also, at the same time, make connections leave the relay and connect directly.

    But I'm failing to do so, any ideas to improve the code with the insights above in mind?

    Edit:

    I think I got it..

    1- It will ping "headquarters" 10 times using tailscale.
    This will help connections through tailscale prefer "direct" instead of relay.
    2- If at least one of the tailscale pings works, it won't do anything.
    This will avoid the service being brought down every time.
    3- If all pings fail, it will restart the tailscale service.

        #!/bin/sh
        # Peer to ping over Tailscale
        DEST="headquarters"
        SUCCESS=0
        COUNT=0

        # Ping the peer 10 times, one attempt per iteration
        while [ "$COUNT" -le 9 ]
        do
            for HOST in $DEST
            do
                COUNT=$((COUNT + 1))
                tailscale ping --c 1 --timeout 1s "$HOST" >/dev/null 2>&1
                # ping -c 1 -t 100 $HOST
                if [ $? -eq 0 ]
                then
                    SUCCESS=$((SUCCESS + 1))
                fi
            done
        done

        # At least one reply out of 10 attempts: leave the service alone
        if [ "$SUCCESS" -ge 1 ] && [ "$COUNT" -eq 10 ]
        then
            exit 0
        else
            # Every ping failed: restart the Tailscale service
            /usr/local/sbin/pfSsh.php playback svc stop tailscale
            sleep 5
            /usr/local/sbin/pfSsh.php playback svc start tailscale
            sleep 5
            exit 1
        fi

    One important observation is, if there are more peers in the tailscale network, you can and should add them to this script.
    See, if you are only pinging one host, if that host goes down, the script will take the entire tailscale service down affecting other hosts.

    Code for multiple hosts

        #!/bin/sh
        # Peers to ping over Tailscale
        DEST="server-1"
        DEST1="server-2"
        DEST2="server-3"
        SUCCESS=0
        COUNT=0

        # 10 rounds; each round pings every peer once
        while [ "$COUNT" -le 9 ]
        do
            COUNT=$((COUNT + 1))
            for HOST in "$DEST" "$DEST1" "$DEST2"
            do
                tailscale ping --c 1 --timeout 1s "$HOST" >/dev/null 2>&1
                # ping -c 1 -t 100 $HOST
                if [ $? -eq 0 ]
                then
                    SUCCESS=$((SUCCESS + 1))
                fi
            done
        done

        # Any reply from any peer across the 10 rounds: leave the service alone
        if [ "$SUCCESS" -ge 1 ] && [ "$COUNT" -eq 10 ]
        then
            exit 0
        else
            # No peer answered: restart the Tailscale service
            /usr/local/sbin/pfSsh.php playback svc stop tailscale
            sleep 5
            /usr/local/sbin/pfSsh.php playback svc start tailscale
            sleep 5
            exit 1
        fi

    The code above will sum the SUCCESS variable, and if any of the hosts answers, the tailscale service will be considered to be UP and no action will be taken.

  • Tailscale Routes not working on pfsense

    2
    0 Votes
    2 Posts
    345 Views

    Unfortunately I don't have much to add in a solution, but I seem to be in the same boat as you are. This only seems to happen on pfSense+ from what I can tell though. Have 3 boxes on CE and those work great with the NAT rule, but I can't seem to have anything behind the plus box route through the tailnet. Hopefully someone has some info on this.

  • debug TS errors

    1
    0 Votes
    1 Posts
    125 Views
    No one has replied
  • TAILSCALE ON PFSENSE CONNECTION ISSUE

    4
    0 Votes
    4 Posts
    536 Views

    @DavcoreTech

    Looks like you may be running an older version of pfSense and/or Tailscale.

    You might want to upgrade to the latest version (1.78.1) on all clients, which may resolve some of the connection issues.

    Although Netgate has not updated the Tailscale package in some time, you can manually update:

    How to update to the latest Tailscale version?

    You may also want to upgrade Windows 8.1, which MS officially stopped supporting on January 10, 2023.

  • TAILSCALE ERROR

    1
    0 Votes
    1 Posts
    218 Views
    No one has replied
  • pfSense Tailscale VPN misbehaving when not Enabled

    1
    0 Votes
    1 Posts
    209 Views
    No one has replied
  • Tailscale subnet routes, exit nodes & pfSense firewall rules

    1
    0 Votes
    1 Posts
    610 Views
    No one has replied
  • TailScale status on the dashboard?

    2
    0 Votes
    2 Posts
    396 Views
    noplan

    @chudak

    Service Status
    Shows running or not

    Otherwise no widget available; it might blow up the dashboard because of the number of possible nodes / clients on a Tailscale net (filtering or showing only specific clients might do the trick)

    Might be a cool project for someone

    Br np

  • Ability to set MSS Clamping

    1
    0 Votes
    1 Posts
    158 Views
    No one has replied
  • PFsense will not let me choose tailscale as a network or alias

    7
    2 Votes
    7 Posts
    3k Views

    I am having trouble getting this to work.

    Will this work behind a double NAT? I have pfSense behind another Mikrotik 4G router. I have confirmed too that I can ping the remote host subnet via pfSense directly, just not behind the pfSense LAN, so I'm guessing the double NAT is not an issue.

    Also, for the NAT rule,

    Would the source be the Source Network of the pfSense LAN, and the destination be the final Destination Network of the other network behind tailscale?

    Then the NAT Address would be the tailscale IP of the other side network.

    I.e.:

    pfSense network = 192.168.10.0/24
    Remote Network = 192.168.20.0/24
    pfSense Tailscale = 100.90.20.10
    Remote Tailscale = 100.90.42.2

    Would my NAT entry look like this?

    [Image: bf2e3c74-f2e2-4b0a-afeb-86630f0964bc-image.png]

    Thanks

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.