pfSense will not let me choose Tailscale as a network or alias
-
I just set up my 3rd pfSense firewall for customer3. When I try to create the NAT outbound rule, it will NOT let me select a NAT address other than WAN or LAN.
The other customers' NAT address is TailScaleip, but if I enter this into the translation, it errors and will not let me save it.
-
I'm in the same boat. It was working perfectly, and then I noticed it stopped, and now if I try to save the config again it says it can't do it.
-
@cmcdonald
Maybe pin one of the more recent YouTube comments / edit the YouTube description to note the changes to the Outbound NAT dialog?
A Tailscale Package for pfSense [YouTube]
There's a YouTube comment reply from mid December that mentions this workaround, but it is buried.
@8095945088 1 month ago: Use network or alias and put the Tailscale IP address 100.xx.xx.xx; it should work fine.
There's a redmine on this:
Regression #14987, closed as not a bug.
Post #8 from Danilo Zrenjanin has a workaround: As a workaround, you can define an IP Alias VIP using localhost as the parent interface and the Tailscale address of that node for the IP. In the outbound NAT rule, the VIP address defined in the previous step will be available in the drop-down menu.
-
@ay thank you
Will this break if Tailscale assigns a different IP to this device?
-
Hi,
I played around a bit with pfSense 2.7.2, and for now I found a fix for myself....
You can add a rule manually under Diagnostics -> Edit File, where you can edit the config file /cf/conf/config.xml.
Under the NAT section you have to enter it manually.
It looks like this (the <rule> goes inside the existing <nat><outbound> block; replace the placeholders with your own values):
<nat>
  <outbound>
    <mode>hybrid</mode>
    <rule>
      <source>
        <network>any</network>
      </source>
      <sourceport></sourceport>
      <descr><![CDATA[NAME OF THE CONNECTION]]></descr>
      <!-- translation address: the alias holding this node's Tailscale IP -->
      <target>Tailscaleip</target>
      <interface>Tailscale</interface>
      <poolopts></poolopts>
      <source_hash_key></source_hash_key>
      <destination>
        <network>YOUR LOCAL NETWORK IE 192.168.2.0/24</network>
      </destination>
      <created>
        <time>1694703053</time>
        <username><![CDATA[admin@10.10.1.254 (Local Database)]]></username>
      </created>
      <updated>
        <time>1694703198</time>
        <username><![CDATA[admin@10.10.1.254 (Local Database)]]></username>
      </updated>
      <target_subnet></target_subnet>
    </rule>
After saving the file, go to Firewall -> NAT -> Outbound.... You see that the rule is active; however, it doesn't work.... Mark it and click Toggle to change its state to disabled; after applying, do the same again to enable the rule.... Afterwards it runs without an issue :)
I know it's a bit complicated, but until this gets solved (fingers crossed) it's the way I do it, and it works perfectly for me even on newly installed pfSenses :)
I hope I could help you and some others a bit...
-
This issue has been reported on the bug tracker:
https://redmine.pfsense.org/issues/14987
An easy fix is to create a host alias for your local IPv4 Tailscale IP (run tailscale ip in a shell to see it).
Then you can create a new outbound rule using this alias (you can also see in my screenshot older rules created with pfSense 2.6.0 and automatically recreated after the 2.7.2 update, but these rules are no longer compatible with the new GUI and cannot be edited in the web interface):
-
I am having trouble getting this to work.
Will this work behind a double NAT? I have pfSense behind another Mikrotik 4G router. I have also confirmed that I can ping the remote host subnet from pfSense directly, just not from behind the pfSense LAN, so I'm guessing the double NAT is not an issue.
Also, for the NAT rule:
Would the source be the source network of the pfSense LAN, and the destination be the final destination network of the other network behind Tailscale?
Then the NAT address would be the Tailscale IP of the other side's network.
IE>>
pfSense network = 192.168.10.0/24
Remote Network = 192.168.20.0/24
pfSense Tailscale = 100.90.20.10
Remote Tailscale = 100.90.42.2
Would my NAT entry look like this?
Thanks
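As an added example (not code from any post in this thread, nor from pfSense or the Tailscale package), here is a script that checks the alias/VIP workaround from the replies above against the node's current Tailscale address. It also covers the earlier question about what happens when Tailscale assigns a different IP: a stale alias is reported as drift. It uses the sample addresses from the last post. Assumptions: the layout of the <aliases> and <nat><outbound> sections is inferred from the config.xml fragment posted above, the interface name "Tailscale" comes from that same fragment and is a parameter, the embedded config is constructed, and python3 and the tailscale CLI are present on the firewall.

```python
#!/usr/bin/env python3
"""Sanity-check the Tailscale outbound NAT workaround in a pfSense config.xml.

Added example, not code from pfSense, Netgate or the Tailscale package. The
XML layout (<aliases><alias>, <nat><outbound><rule>) is an assumption based on
the fragment posted in the thread; compare it with your own
/cf/conf/config.xml before relying on the script.
"""
import ipaddress
import subprocess
import xml.etree.ElementTree as ET

# Tailscale assigns node addresses from the CGNAT block 100.64.0.0/10.
TAILSCALE_V4 = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample config: one host alias holding the node's own Tailscale
# address, one rule that uses it, and one rule that targets the remote node's
# Tailscale address instead (the guess made in the last question above).
SAMPLE_CONFIG = """<pfsense>
  <aliases>
    <alias>
      <name>Tailscaleip</name>
      <type>host</type>
      <address>100.90.20.10</address>
      <descr>this node's Tailscale IPv4 (tailscale ip -4)</descr>
    </alias>
  </aliases>
  <nat>
    <outbound>
      <mode>hybrid</mode>
      <rule>
        <interface>Tailscale</interface>
        <source><network>192.168.10.0/24</network></source>
        <destination><network>192.168.20.0/24</network></destination>
        <target>Tailscaleip</target>
        <descr>LAN to remote site via Tailscale</descr>
      </rule>
      <rule>
        <interface>Tailscale</interface>
        <source><network>192.168.10.0/24</network></source>
        <destination><network>192.168.20.0/24</network></destination>
        <target>100.90.42.2</target>
        <descr>wrong: targets the far side's Tailscale IP</descr>
      </rule>
    </outbound>
  </nat>
</pfsense>
"""


def node_tailscale_ip():
    """Ask the local tailscaled for this node's IPv4, as the thread suggests."""
    out = subprocess.run(["tailscale", "ip", "-4"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip().splitlines()[0]


def load_aliases(root):
    """Alias name -> list of address strings (space separated in config.xml)."""
    return {a.findtext("name"): (a.findtext("address") or "").split()
            for a in root.findall("./aliases/alias") if a.findtext("name")}


def resolve_target(target, aliases):
    """Return the translation addresses a rule's <target> stands for."""
    try:
        return [str(ipaddress.ip_address(target))]   # literal address / VIP
    except ValueError:
        return aliases.get(target, [])               # alias name, or unknown


def check_config(xml_text, node_ip, interface="Tailscale"):
    """Return {rule description: [problems]} for outbound rules on `interface`.

    An empty list means the rule translates to the node's current Tailscale
    address. Anything else would make the rule fail silently now, or break
    after Tailscale hands the node a different address.
    """
    node = ipaddress.ip_address(node_ip)
    root = ET.fromstring(xml_text)
    aliases = load_aliases(root)
    report = {}
    for rule in root.findall("./nat/outbound/rule"):
        if (rule.findtext("interface") or "") != interface:
            continue
        descr = rule.findtext("descr") or "(no description)"
        problems = []
        addrs = resolve_target(rule.findtext("target") or "", aliases)
        if not addrs:
            problems.append("target does not resolve to an address or alias")
        for a in addrs:
            try:
                addr = ipaddress.ip_address(a)
            except ValueError:
                problems.append(f"{a} is not a plain IP address")
                continue
            if addr not in TAILSCALE_V4:
                problems.append(f"{a} is not in 100.64.0.0/10")
            elif addr != node:
                problems.append(f"{a} is not this node's Tailscale IP {node}")
        report[descr] = problems
    return report


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/cf/conf/config.xml"
    with open(path) as fh:
        for descr, probs in check_config(fh.read(), node_tailscale_ip()).items():
            print("OK  " if not probs else "FAIL", descr, *probs)
```

Run it on the firewall as python3 check_ts_nat.py /cf/conf/config.xml, and again whenever the Tailscale address changes; a FAIL line naming the node's current IP means the alias (or VIP) needs to be updated to the new address before the rule will translate traffic again.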