Tailscale Mesh with a Twist
-
Hello, I have a need for a tailscale mesh network between 6 pfsense boxes. This I have working, but there is a niche requirement for this that I am having trouble with.
The pfsense boxes will act as a perimeter device at each site. These boxes will host tailscale and provide the mesh network.
There will be a client router behind each pfsense that will host the LAN for the site. The LAN subnets will need to be able to route traffic to each other via the tailscale network, but they will not know about the tailscale component. The client router will be provided an ethernet interface from the pfsense box for this purpose. It is essentially a private network, but it is controlled by the pfsense boxes transparently. The pfsense boxes will not be part of the client LAN.
So far I have configured it as follows in our lab:
Site A - pfSense:
Tailscale IP - 100.80.10.10
LAN IP - 10.65.1.1
Site A - client router:
WAN IP - 10.65.1.100 [via DHCP]
LAN IP - 10.40.1.1
Site B - pfSense:
Tailscale IP - 100.110.10.10
LAN IP - 10.65.2.1
Site B - client router:
WAN IP - 10.65.2.100 [via DHCP]
LAN IP - 10.40.2.1
I have created an outbound NAT rule in both sites to allow any source IP from the tailscale interface to be NAT'd to the site's tailscale IP.
I have created a static route on each client router where a destination of the remote LAN subnet will use the local site pfsense gateway IP.
I have advertised both the 10.65.x.x and the 10.40.x.x subnets through tailscale.
What works is that from either site, the client devices are able to traverse the tailscale tunnel when using the 10.65.x.x addresses. However, I seem unable to get traffic to flow when using the 10.40.x.x IPs.
Can anyone point me at where I have gone wrong on this? I am thinking I need to translate the 10.40.x.x subnet on the way out of the site, but I am not having any luck with it so far.
-
To clarify what does work:
What works is that from either site, a client device with an IP of 10.40.x.x is able to traverse the tailscale tunnel to the other site by using the 10.65.x.x addresses. However, no device in this 10.40.x.x subnet can get to a 10.40.x.x IP at the other end.
I realise that I am NATing the outbound connections rather than directly routing them due to the limitations of pfsense, so I am thinking I need to translate the 10.40.x.x subnet on the way out of the site, but nothing I have tried seems to work so far.