TS has been especially bad behaved today, not resolving names etc. So bad in fact that I switched to OpenVPN Not sure why

@cmcdonald Hi, I wondered if you might add a little more explanation of why it's better to disable Tailscale DNS, especially in the case where subnets are advertised and the pfSense node is an exit node. Thanks.

@chudak Well, I am also running KEA and resetting Tailscale as above has worked for three restarts for me. I'm not sure that whatever lead to this issue has anything to do with KEA.

bump Nobody uses ACLs ?

@bthoven I found that using Virtual IP for my home.mydomain.com was the issue. Instead, using LAN interface IP (for my pfSense setup--> 192.168.1.1) has solved the problem.

@chudak Yes, it's likely possible. But such "extra installs" won't be backed up with a configuration backup. So one must document and keep track of all the small manual changes and twists one makes to the system and redo everything from scratch when setting up a new box or when a hw failure forces one to restore from backup. So a supported HS-server module, which stores all relevant parameters in the configuration one backs up regularly, would significantly increase peace of mind... ...also, since the people writing pfSense are a lot more familiar with security related issues, whenever I modify the standard setup with tweaks, I run an increased risk of introducing security holes. Thus someone familiar with the full system architecture and security model is much less likely to make mistakes in that regard.

@mooncaptain more urls to add to your pass list I found these are necessary after running snort for a while these url's started to get blocked. There may be more.

@munson not sure what your routing too.. If the networks are directly attached to pfsense, routes would be there. If you have some downstream router, you could route however many routes you have that are downstream.. But if you have some other router on your network this should be connected to pfsense via transit network, or sometimes called a connector network. Here is how you would setup up routes to downstream networks. [image: 1705781348889-pfsense-layer-3-switch.png] Not exactly sure what your trying to do, but if your routing to other networks over a network you have devices on, like your lan - your going to run into issues if devices on this lan network and any of your downstream networks talk to each other.. Unless your downstream network is being natted, or your portfowarding to get to them on the downstream router. or you have put host routing on the devices in your "transit" network with hosts on it.

@michmoor said in Why do I need TS installed on pfsense router?: If i try to access my pfsense tailscale IP Exactly - which is what he was trying to do, use his tailscale IP.

@chudak I can't say I have noticed any such issue, but then again really the only time I ever reboot my pfsense is on an upgrade. Or an extended power outage where it lasts longer than my ups can keep pfsense up. But those are far and few between. I will make sure to take a look next time I reboot my pfsense.. but most likey that will not be until 24.03 comes out.

@jonsed Yes this works great! There even is a TS app for AppleTV so you can actually virtually be "at home" even when you travel abroad with your AppleTV and are dependent on potentially dodgy hotel or ABnB routers. I use it all the time using my pfsense as an exit-node.

The only way I've been able to route pfsense to an exit node is to first create an interface bound to the tailscale service, add the tailscale IP address tied to your device as static, and add the exit node you want in the upstream gateway field. Then, head over to the System->Routing->Gateways settings and edit the new gateway. Disable gateway monitoring and gateway monitoring action. Lastly, go into your firewall rules for your LAN that you want going into the tailscale vpn and set the gateway for each rule to the new gateway. Your devices should be routing to the exit node now. This is not ideal, as your device IP could change at some point, but it's the only thing I got to work. I even tried pushing 0.0.0.0/1 and 128.0.0.0/1 as a subnet from the exit node to override the default route, and that worked at first, but as soon as the tailscale service itself needs to talk, it sends traffic within its own VPN and things fall apart.

@mfld said in Tailscale dashboard widget?: /status_tailscale.php Maybe do some filtering? Or set limits, like e.g. show 5 nodes?