Issues Getting Tailscale to Work in One Direction
-
I've got a site that's using Starlink, so I've set this site up with pfSense and am connecting it to another office with pfSense using Tailscale.
Site A LAN <-> pfSense <-> Starlink <--Tailscale--> ISP <-> pfSense <-> Site B LAN
What I Can Do:
- Site A LAN can ping the Tailscale Address from LAN and WAN pfSense Interface
- Site A WAN can ping Site B LAN
- Site B LAN can ping Site A LAN
What I Can't Do:
- Site A LAN cannot ping Site B LAN
What I've Checked:
- Firewall rules are the same on both sides; nothing is being blocked in the firewall logs either.
- NAT rules are reflective on both sides (i.e., destination IPs are swapped)
NAT Example:
Tailscale | Source: Any | Source Port: Any | Destination: Site B LAN | Destination Port: Any | NAT Address: Tailscale Address | NAT Port: Any
- Both firewalls are on the same pfSense version and Tailscale version.
- Routes are visible in the route tables for LAN B, and route advertising is enabled on Tailscale.
Quite perplexed on this one. I had one person suggest upgrading the Tailscale package to the latest version via SSH, but that's not fully supported by Netgate, so I would prefer to try something else first.
Since Site A WAN can ping Site B LAN, the only thing I can think of is a NAT issue, since Starlink uses CGNAT, but I'm not sure what I should try.
-
It's not an issue with Starlink. If that were going to fail, it would be in the Site B to Site A direction, and that's working.
It could be a firewall rule at Site B. You might not see anything logged if you have a custom block rule.
It could be a policy routing rule at Site A forcing traffic out of the WAN directly.
It could be a NAT issue. I wouldn't expect to see NAT between the LANs though. The tailscale traffic itself will obviously be NAT'd on the WANs.
Try this. Start a continuous ping from a host in LAN A towards something in LAN B.
Check the state table (Diag > States) at Site A. Where is that traffic opening states?
If it's correctly on the LAN and Tailscale interfaces, then check the states at Site B.
Steve
-
Site B to Site A opens states correctly.
Site A to Site B shows pass rules for traffic to Site B but does not show any states.
-
When you try to ping from A to B there are no states created?!
-
Looks like it.
So, I took a machine on LAN B and did a continuous ping against a machine on LAN A; pings are successful.
I then went into LAN B's pfSense states and filtered by the LAN A address I'm pinging, and I can see two states: one for the LAN interface and one for the Tailscale interface.
Edit: Managed to get one state to show. Doing this in reverse from LAN A to LAN B, I get one state for the LAN interface but nothing for Tailscale.
-
OK, so I took the LAN 2 interface (unused) on Site A's pfSense, gave it a static IP, and advertised its route on Tailscale.
Ironically, I can ping Site B's LAN from the LAN 2 interface, but not from LAN 1.
-
Figured out the problem... I knew it was going to be something stupid when I finally figured it out.
Originally, Site A was going to use a traditional ISP, so we set up an IPsec tunnel to the main office. That plan fell through, and we switched to Starlink, which requires Tailscale.
I forgot about the IPsec entry, which means there was a Phase 2 entry for Site B.
Deleted the IPsec entry and all is good.
-
Ah, yes, IPsec will grab that traffic, and it's not obvious.
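The failure mode the thread lands on is worth seeing as a model, because it explains every symptom: on a FreeBSD-based firewall such as pfSense, an outbound packet is matched against the IPsec security policy database (SPD) and a matching policy-based Phase 2 claims the packet before the routing table's interface choice takes effect, so no pf state ever appears on the Tailscale interface. The Phase 2 below covers LAN 1 but not LAN 2, which is why the unused interface could reach Site B while LAN 1 could not. This is an added illustration written for this page, not pfSense or Tailscale code; the subnets, interface names and Phase 2 name are constructed, and the model covers only the outbound decision at Site A.

```python
"""Simplified model of IPsec SPD precedence over the routing table.

Added illustration, not pfSense or Tailscale code. All addresses, interface
names and the Phase 2 entry name are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Phase2:
    """One policy-based IPsec Phase 2 entry: local subnet <-> remote subnet."""
    name: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


def spd_lookup(spd: Sequence[Phase2], src: str, dst: str) -> Optional[Phase2]:
    """Return the first policy whose local subnet holds src and remote subnet holds dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p2 in spd:
        if s in p2.local and d in p2.remote:
            return p2
    return None


def route_lookup(routes: Sequence[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel routing table does it."""
    d = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in routes:
        if d in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def egress(spd: Sequence[Phase2], routes: Sequence[Route], src: str, dst: str) -> Tuple[str, str]:
    """('ipsec', <phase2 name>) if the SPD claims the packet, else ('route', <interface>).

    The SPD is consulted first: a matching policy wins regardless of what the
    routing table says, which is why the packet never opens a state on tailscale0.
    """
    p2 = spd_lookup(spd, src, dst)
    if p2 is not None:
        return ("ipsec", p2.name)
    r = route_lookup(routes, dst)
    return ("route", r.interface if r else "unreachable")


# Constructed Site A configuration mirroring the thread.
SITE_A_LAN1 = ipaddress.ip_network("10.1.1.0/24")
SITE_A_LAN2 = ipaddress.ip_network("10.1.2.0/24")   # the unused interface, later advertised
SITE_B_LAN = ipaddress.ip_network("10.2.0.0/24")

# Leftover Phase 2 from the abandoned ISP plan: covers LAN 1 only.
STALE_SPD = [Phase2("to-site-b (leftover)", SITE_A_LAN1, SITE_B_LAN)]

ROUTES = [
    Route(SITE_B_LAN, "tailscale0"),                  # subnet route learned via Tailscale
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan"),  # default route out Starlink
]


def site_a_decisions(spd: Sequence[Phase2]) -> Dict[str, Tuple[str, str]]:
    """Where Site A sends a ping from each LAN towards a Site B host."""
    return {
        "lan1->siteB": egress(spd, ROUTES, "10.1.1.10", "10.2.0.10"),
        "lan2->siteB": egress(spd, ROUTES, "10.1.2.10", "10.2.0.10"),
    }


if __name__ == "__main__":
    for label, spd in (("with stale Phase 2", STALE_SPD), ("after deleting it", [])):
        print(label, site_a_decisions(spd))
```

With the stale entry present, LAN 1 traffic is reported as claimed by IPsec while LAN 2 traffic goes out tailscale0; with the entry removed, both go out tailscale0. On a real pfSense box the equivalent check is Status > IPsec > SPDs (or `setkey -DP` from a shell) for the policies, and Diagnostics > States (or `pfctl -ss`) to confirm that a state finally appears on the Tailscale interface once the Phase 2 is gone.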