After re-authing, the `tailscale0` interface is not a member of the `Tailscale` group, thus firewall blocks all incoming traffic
-
Running 25.11RC (25.11.r.20251126.1732) + Tailscale 1.90.6
Yesterday after Tailscale on my pfSense got logged out for some reason, I had to re-auth using a new auth key. The service came back up and showed "Tailscale is online" in the GUI, but I noticed that my router was not accepting any incoming connections (not even ICMP).
After some twiddling around, I decided to bounce the service using
`pfSsh.php playback svc restart tailscale` and lo and behold that "fixed" the problem.

Comparing `ifconfig tailscale0` output from before and after, I noted that the `Tailscale` group designation was not applied to the tailscale interface when it was in the non-working state.

"before"

```
tailscale0: flags=1008043<UP,BROADCAST,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 1280
	options=4080000<LINKSTATE,MEXTPG>
	inet 100.100.101.101 netmask 0xffffffff broadcast 100.100.101.101
	inet6 fd7a:115c:a1e0::8034:6859 prefixlen 48
===>	groups: tun # missing "Tailscale"
	nd6 options=101<PERFORMNUD,NO_DAD>
	Opened by PID 95984
```

"After"

```
tailscale0: flags=1008043<UP,BROADCAST,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 1280
	options=4080000<LINKSTATE,MEXTPG>
	inet 100.100.101.101 netmask 0xffffffff broadcast 100.100.101.101
	inet6 fd7a:115c:a1e0::8034:6859 prefixlen 48
===>	groups: tun Tailscale
	nd6 options=101<PERFORMNUD,NO_DAD>
	Opened by PID 91908
```

Not sure the why or how of this, but some sort of healthcheck and auto-bounce of the service would be a nice thing to add to the package, especially if someone relies on this to be working when away from the console port.
-
I cobbled this little script together and set it to run every 10 min in my crontab.
```sh
#!/bin/sh
# If tailscale0 is not listed as a member of the "Tailscale" interface group,
# log it and bounce the tailscale service so the group gets re-applied.
if ! ifconfig -g Tailscale | grep -q tailscale0 ; then
    logger -t tailscaled "Tailscale interface group missing, restarting service"
    pfSsh.php playback svc restart tailscale
fi
```

Until there's a better solution...
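As an added example (not the poster's script and not part of the pfSense package), the same group check with a restart cooldown, so that a fault the restart does not cure is logged but does not bounce tailscaled on every cron run. The `pfSsh.php playback svc restart tailscale` command and the `ifconfig -g Tailscale` check come from the post above; the state-file path, the 1800-second cooldown and the `tailscale-healthcheck` logger tag are assumed values.

```shell
#!/bin/sh
# Added example: tailscale0 interface-group health check with restart cooldown.
# Run from cron as:  /root/tailscale-healthcheck.sh run
GROUP="${GROUP:-Tailscale}"
IFACE="${IFACE:-tailscale0}"
STATE="${STATE:-/var/run/tailscale-healthcheck.last}"   # assumed path
COOLDOWN="${COOLDOWN:-1800}"                             # assumed: 30 min

# iface_in_group GROUP IFACE -> 0 when ifconfig lists IFACE as a group member
iface_in_group() {
    ifconfig -g "$1" 2>/dev/null | grep -qx "$2"
}

# restart_allowed NOW -> 0 when no restart is recorded within COOLDOWN seconds
restart_allowed() {
    [ -f "$STATE" ] || return 0
    last=$(cat "$STATE" 2>/dev/null || echo 0)
    [ $(( $1 - $last )) -ge "$COOLDOWN" ]
}

# decide NOW -> prints one of: ok | restart | wait
decide() {
    if iface_in_group "$GROUP" "$IFACE"; then
        echo ok
    elif restart_allowed "$1"; then
        echo restart
    else
        echo wait
    fi
}

main() {
    now=$(date +%s)
    case "$(decide "$now")" in
        ok) ;;
        restart)
            logger -t tailscale-healthcheck "$IFACE missing from group $GROUP, restarting tailscale"
            echo "$now" > "$STATE"
            pfSsh.php playback svc restart tailscale ;;
        wait)
            logger -t tailscale-healthcheck "$IFACE still missing from group $GROUP, restart suppressed (cooldown)" ;;
    esac
}

# Only act when invoked with "run", so the functions can be sourced or tested.
if [ "${1:-}" = run ]; then
    main
fi
```

The "wait" branch is the part worth having: a second consecutive failure means the restart did not fix it, and the syslog line tells you so instead of hiding it behind a restart loop.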