<![CDATA[Tailscale subnet routes, exit nodes & pfSense firewall rules]]>Figured out what's going on with respects to [pfSense hosted] Tailscale subnet routes & exit nodes along with pfSense firewall rule behaviour:

EG: Firewall/Rules/Tailscale:

  1. Subnet Routes are not subject to pfSense Tailscale interface rules whatsoever - While subnet routes can use /32 cidr host scope TailScale ACLs would respectively be necessary for filtering to source, protocol, port, etc

  2. Exit node traffic is subject to pfSense Tailscale interface rules

  3. Exit node traffic destined to approved subnet routes will bypass pfSense Tailscale interface rules (as per #1)..

  4. Interesting one: Exit node traffic destined to unapproved subnet routes will bypass pfSense Tailscale interface rules (this one threw me off for the past 24 hours)
    EG: in an exit node scenario all approved and unapproved subnet routes essentially become overlapping, rules bypass/overrides

  5. The auto-generated network group/object "Tailscale networks" is unusable at this time resulting in errors. As all Tailscale traffic originates from the pfSense interface(s) using SNAT I don't see anything other than Tailscale ACLs for source-based policies but I'm curious as to what the future plans are for this group/object.

PfSense 2.7.2 (RELEASE)
TailScale 0.1.4 (Package)

Hope this helps,
Josh

]]>https://forum.netgate.com/topic/190879/tailscale-subnet-routes-exit-nodes-pfsense-firewall-rulesRSS for NodeFri, 06 Mar 2026 06:21:19 GMTSun, 10 Nov 2024 13:12:08 GMT60