Tailscale subnet routes, exit nodes & pfSense firewall rules
Figured out what's going on with respect to [pfSense hosted] Tailscale subnet routes & exit nodes along with pfSense firewall rule behaviour (e.g. Firewall / Rules / Tailscale):

1. Subnet routes are not subject to pfSense Tailscale interface rules whatsoever. While subnet routes can use /32 CIDR host scope, Tailscale ACLs would respectively be necessary for filtering by source, protocol, port, etc.

2. Exit node traffic is subject to pfSense Tailscale interface rules.

3. Exit node traffic destined to approved subnet routes will bypass pfSense Tailscale interface rules (as per #1).

4. Interesting one: exit node traffic destined to unapproved subnet routes will bypass pfSense Tailscale interface rules (this one threw me off for the past 24 hours). E.g. in an exit node scenario all approved and unapproved subnet routes essentially become overlapping, and the rules bypass/override.

5. The auto-generated network group/object "Tailscale networks" is unusable at this time, resulting in errors. As all Tailscale traffic originates from the pfSense interface(s) using SNAT, I don't see anything other than Tailscale ACLs for source-based policies, but I'm curious as to what the future plans are for this group/object.
pfSense 2.7.2 (RELEASE)
Tailscale 0.1.4 (Package)

Hope this helps,
Josh
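Since the post concludes that Tailscale ACLs are the only place to filter subnet-route traffic by source, protocol and port, here is an added example of such a policy (HuJSON, so comments are allowed). It is not Josh's configuration nor part of the pfSense package; the user, group, tag, LAN prefix and host address are all constructed placeholders.

```json
{
  // Constructed example: hypothetical tailnet, group, tag and addresses.
  "groups": {
    "group:admins": ["josh@example.com"]
  },
  "tagOwners": {
    "tag:pfsense": ["group:admins"]
  },
  // Approve the LAN route advertised by the tagged pfSense node.
  "autoApprovers": {
    "routes": {
      "10.0.1.0/24": ["tag:pfsense"]
    }
  },
  "acls": [
    // Weak setting (the default policy): every node reaches every host
    // behind the subnet route, and no pfSense interface rule is in the path.
    // {"action": "accept", "src": ["*"], "dst": ["*:*"]},

    // Tightened: only admins, only one /32 host behind the route,
    // only SSH over TCP. Anything not matched here is denied by default.
    {
      "action": "accept",
      "src": ["group:admins"],
      "proto": "tcp",
      "dst": ["10.0.1.50:22"]
    },
    // Exit-node use for admins; per the post, pfSense interface rules still
    // apply to this traffic unless it is destined to a subnet route.
    {
      "action": "accept",
      "src": ["group:admins"],
      "dst": ["autogroup:internet:*"]
    }
  ]
}
```

Checking the tightened rule from a non-admin node (e.g. an SSH attempt to 10.0.1.50 that times out) confirms the filtering happens in the tailnet policy rather than in pfSense.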