Netgate Discussion Forum
    Can pfSense route to a Tailscale subnet without NAT?

    3 Posts 2 Posters 2.3k Views
    • jonsed

      This post is deleted!
      • jonsed

        Not had any response to this so thought I'd try and describe the scenario more succinctly.

        Home network: 2 VLANs, 10.0.1.0/24 and 10.0.2.0/24; pfSense configured as per Christian McDonald's video.

        10.0.3.0/24 subnet in Azure containing a VM; I start Tailscale with:

        --accept-routes --advertise-routes=10.0.3.0/24 --snat-subnet-routes=false
        

        After accepting both routes in the Tailscale portal, all three (V)LANs can ping each other.

        However, the Azure VM sees all the traffic as coming from the pfSense Tailscale IP, because of the NAT rules.

        Is it possible to route to the 10.0.3.0/24 subnet without NAT'ing? I'd like the Azure subnet to "appear" as another local VNET.

        I don't need NAT rules from 10.0.1.0 to 10.0.2.0, for instance - can I do without NAT going from 10.0.1.0 to 10.0.3.0?

        Tailscale docs suggest "--snat-subnet-routes=false" is needed, but it's not supported in pfSense.

        I've tried setting "Do not NAT" on the Outbound NAT rules - if I do that, the Azure VM can see the IPs of the requests from the local LANs, but the responses don't make it back to the clients so DNS doesn't work. I'm not sure how to diagnose where they're getting lost.

        Is there a way I've not thought of?

        Cheers.

        • cyrus104 @jonsed
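One way to narrow down where the replies are lost once "Do not NAT" is set, as an added example that is not from the thread: capture on the LAN interface and on the Tailscale interface with `tcpdump -n`, then correlate request and reply flows per client. The capture lines below are constructed for the thread's addresses (a DNS client in 10.0.1.0/24, a server at 10.0.3.4), and the interface name tailscale0 is an assumption.

```python
import re
import ipaddress

# Constructed tcpdump-style lines (tcpdump -n -i <iface>), not captures from the post.
# Scenario from the thread: LAN clients in 10.0.1.0/24 send DNS queries to an
# Azure VM 10.0.3.4 over the Tailscale subnet route with outbound NAT disabled.
LAN_CAPTURE = """\
12:00:00.099 IP 10.0.1.10.51000 > 10.0.3.4.53: UDP, length 40
12:00:01.099 IP 10.0.1.11.52000 > 10.0.3.4.53: UDP, length 40
12:00:02.099 IP 10.0.1.12.53000 > 10.0.3.4.53: UDP, length 40
"""
TAILSCALE_CAPTURE = """\
12:00:00.100 IP 10.0.1.10.51000 > 10.0.3.4.53: UDP, length 40
12:00:00.130 IP 10.0.3.4.53 > 10.0.1.10.51000: UDP, length 120
12:00:01.100 IP 10.0.1.11.52000 > 10.0.3.4.53: UDP, length 40
"""

REMOTE_NET = ipaddress.ip_network("10.0.3.0/24")  # the routed Azure subnet
LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

def flows(capture):
    """Split a capture into request and reply flows, both keyed client-side:
    (client_ip, client_port, server_ip, server_port)."""
    requests, replies = set(), set()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if ipaddress.ip_address(dst) in REMOTE_NET:
            requests.add((src, sport, dst, dport))
        elif ipaddress.ip_address(src) in REMOTE_NET:
            replies.add((dst, dport, src, sport))
    return requests, replies

def locate_loss(lan_capture, tailscale_capture):
    """For each request seen on the LAN side, report how far its reply got."""
    lan_req, lan_rep = flows(lan_capture)
    ts_req, ts_rep = flows(tailscale_capture)
    verdicts = {}
    for flow in sorted(lan_req):
        if flow in lan_rep:
            verdicts[flow] = "ok: reply delivered to LAN"
        elif flow in ts_rep:
            verdicts[flow] = "reply arrived on tailscale0 but was not forwarded to LAN (check pf state/rules)"
        elif flow in ts_req:
            verdicts[flow] = "request left via tailscale0, no reply came back (check Azure-side return route)"
        else:
            verdicts[flow] = "request never left via tailscale0 (check pfSense routing)"
    return verdicts

if __name__ == "__main__":
    for flow, verdict in locate_loss(LAN_CAPTURE, TAILSCALE_CAPTURE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {verdict}")
```

Run the two captures at the same time on the real box and feed their output in place of the constructed strings; the verdict tells you which hop to inspect next.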

          @jonsed, very sorry I cannot help with this, but I'm running into the exact same issue. I would also like to get to the Tailscale 100. addresses from machines behind my pfSense router; pfSense can get to them from a shell just fine, but none of the edge clients can.

          Good luck.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.