Netgate Discussion Forum

    Tailscale subnet routes, exit nodes & pfSense firewall rules

josh256

Figured out what's going on with respect to [pfSense hosted] Tailscale subnet routes & exit nodes along with pfSense firewall rule behaviour:

      EG: Firewall/Rules/Tailscale:

1. Subnet routes are not subject to pfSense Tailscale interface rules whatsoever. While subnet routes can use /32 CIDR host scope, Tailscale ACLs would respectively be necessary for filtering to source, protocol, port, etc.

      2. Exit node traffic is subject to pfSense Tailscale interface rules

3. Exit node traffic destined to approved subnet routes will bypass pfSense Tailscale interface rules (as per #1).

4. Interesting one: Exit node traffic destined to unapproved subnet routes will bypass pfSense Tailscale interface rules (this one threw me off for the past 24 hours).
  EG: in an exit node scenario all approved and unapproved subnet routes essentially become overlapping; rules are bypassed/overridden.

5. The auto-generated network group/object "Tailscale networks" is unusable at this time, resulting in errors. As all Tailscale traffic originates from the pfSense interface(s) using SNAT, I don't see anything other than Tailscale ACLs for source-based policies, but I'm curious as to what the future plans are for this group/object.

pfSense 2.7.2 (RELEASE)
Tailscale 0.1.4 (package)

      Hope this helps,
      Josh
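Since point 1 above means that traffic arriving via an advertised subnet route never hits the pfSense Tailscale interface rules, the tailnet ACL policy is the only filtering layer on that path. The policy below is an added illustration (not from josh256's post or the Netgate package) of the kind of source/protocol/port restriction the post refers to. The LAN range 192.0.2.0/24, the host 192.0.2.10, the group name and the e-mail address are constructed placeholders; Tailscale's policy file is HuJSON, so the `//` comments are accepted as written.

```jsonc
{
  "groups": {
    // Constructed group; replace with the identities that should reach the LAN host.
    "group:lan-admins": ["alice@example.com"]
  },

  "acls": [
    // Subnet-route path: only lan-admins may reach SSH and HTTPS on one LAN host
    // behind the pfSense subnet router. The /32 destination mirrors the post's
    // point that host-scoped filtering has to live here, not in pfSense rules.
    {
      "action": "accept",
      "src":    ["group:lan-admins"],
      "proto":  "tcp",
      "dst":    ["192.0.2.10/32:22,443"]
    },

    // Exit-node path: any tailnet member may use pfSense as an exit node. Per
    // point 2 this traffic *is* still subject to the pfSense Tailscale interface
    // rules, so broad egress filtering can stay on the firewall side.
    {
      "action": "accept",
      "src":    ["autogroup:member"],
      "dst":    ["autogroup:internet:*"]
    }
  ]
}
```

Two things to check when applying a policy like this: remove the default `"src": ["*"], "dst": ["*:*"]` rule that new tailnets ship with, otherwise it allows everything to the subnet route regardless of the narrower entries; and confirm the /24 is actually approved for the pfSense node in the admin console, since the post notes that in an exit-node scenario even unapproved routes can end up overlapping and bypassing the interface rules, so the ACL, not the route approval, is what you should rely on for filtering.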
