connecting 3 sites with OPENVPN took a couple of days of trial and error, a couple of minutes with this package! thank you
@adimw 2 years ago
I was skimming and almost missed the Outbound NAT rule at 27:30. Working now in a lab, THANK YOU!
@JustinAndrusk 2 years ago
This was an excellent walk-through. Just started looking into Tailscale and how I could dive deeper into it to better understand its inner workings and this was a definite help with that.
@Ginita12 2 months ago
we missed you and your videos.
@Jpeg6 2 years ago
As usual great work. Looking forward to the release.
@panthrosrevenge 1 year ago
Thanks for this video! The outbound NAT rule was what I was missing to get my site-to-site configuration working well
@tornadotj2059 2 years ago
Thank you for doing this. Super easy to set up, and works perfectly.
@GrishTech 1 year ago
Thank you for your contributions. Everything is working and scales very well.
@nickharvey5149 1 year ago
Fantastic - you are a natural!
@gdewey1 1 year ago
Excellent work Chris!! loved your material and detail on the explanation
@BinaryHackerMan 2 years ago
Thank you SO much for this package and guide, it was enough for me to get the subnet routing to work.
@ilovingit77 2 years ago
Thank you very much for this video. I already use tailscale on my unraid server and other machines and devices. Now I have it installed on my pfsense router! It works great. Great tutorial!
@BillyDickson 2 years ago
Using your Wireguard implementation in my pfsense homelab setup, works great! I can now manage my home network via my phone. Thanks for all your hard work, much appreciated.
@MikeReprogle 2 years ago
Awesome, I will be refreshing that package every day. Your config video for Wireguard with Mullvad got me working with Windscribe, but have been looking to get a site to site VPN set up, and this is going to be what I try!
@tooslownotfast 2 years ago
Thank you for your work
@donraymond8933 2 years ago
Thanks for your great work Christian. I really appreciate the technical accuracy and clarity of your description, especially for a (moderately) knowledgeable networking person such as myself. One quick question - if one has beefy hardware (eg an SG5100 for home use), will that overcome the inefficiency of the tailscale userspace wireguard implementation?
@krenkotv3240 2 years ago
Cannot wait to drop my Linux VMs I use for subnet routers and implement this on my edge Pfsense! Thanks for the hard work! I may check out Headscale as well.. Tailscale keeps yelling at me for not paying even though I'm using multiple subnet routers lol
@JPEaglesandKatz 2 years ago
You sir are amazing!!! thanks a lot for these awesome features!! Been testing tailscale a bit and it looks very promising!
@TheMongolPrime 2 years ago
Awesome job! I loved the video, and really appreciate the walkthrough. You're a great guide. One thing I would recommend updating (maybe I missed this) is that you have to accept the routes being advertised on the tailscale machines page. Otherwise the advertising won't work just through saving it in pfsense.
@arthurwiebe5508 2 years ago
This is really nice. I've built my own WireGuard mesh network for centrally managing a few hundred pfSense installs, I can see Tailscale being great for smaller teams where rolling your own solution doesn't make sense.
@radupopa6642 2 years ago
Great work and good explanations!
@J-D248 2 years ago
Awesome video!! Thank you!
@Dxun2 2 years ago
Thanks for this great walkthrough, Christian! You might want to blur your email address in Routing Limitations video segment, though.
@sagarsriva 1 year ago
great video!
@qcnsllcqcnsupport7616 2 years ago
Great video,... I can't wait to try it 🙏
@JohnFilion 3 months ago
Thanks for putting this video together. Is it still necessary to create the outbound NAT rules? I tried setting this up, and I can't specify "Tailscale address" for the NAT Address. Has the procedure changed, or did I do something wrong?
@im.thatoneguy 2 years ago
A secondary goal of this effort to debug Tailscale's UPnP\Nat-PCP compatibility with pfSense would also be welcome. It seems to work great at home on my Ubiquiti ER-X but our work machines behind PFsense don't seem to be able to request open ports. Other apps like Parsec have no trouble requesting open ports.
@ChristianMcDonald 2 years ago
tailscale.com/kb/1146/pfsense/ ?
@im.thatoneguy 2 years ago
@ChristianMcDonald yeah, we have both enabled but Windows machines inside our network don't seem to succeed in requesting a hole.
@satdevlpr 2 years ago
Great video please keep it up..
@gromit_2959 2 years ago
Thanks for your most awesome content, would love for you to make an episode on how to setup DNS/Acme/HAproxy and SSL for "Homelabs" and SMBs
@jocelyn-n-tech 5 months ago
why did you stop making videos??? this one was excellent!
@PedroMorenoBOS 1 year ago
Excellent teacher, I will follow this service, when do you plan to enable the firewall to let us apply rules on the interface? thanks.
@MrChris79 2 years ago
NICE. I've been waiting for a reason to jump on the Tailscale bandwagon!
@l0gic23 2 years ago
All you had to do was listen to an ad on one of the Jupiter broadcasting podcasts... Their real examples were all the motivation I needed
@StefanWeichinger 11 months ago
Is the Outbound NAT rule still necessary or maybe set under the hood by the package already? testing this in dec-2023 and I can't even choose "Tailscale address" as NAT interface in a new Outbound NAT rule. Trying to route to a subnet connected via IPSEC ...
@8095945088 11 months ago
Use network or alias and put the tailscale ip address 100.xx.xx.xx it should work fine.
@scottc2211 2 years ago
Greatly appreciate all your work and effort on such an excellent product - absolutely love pfSense. Following your information I was able to setup Tailscale with the greatest of ease. One question comes to mind - Will there eventually be a Tailscale widget for the home screen like the other options available? Again thank you and greatly appreciate your time.
@vlaktorbb 9 months ago
Thanks for this awesome in-depth video. But how can you ping devices on the tailscale network from behind the pfSense? I tried to setup an outbound NAT rule but the nat alias is missing. I've tried to setup it via a network alias, but this isn't working sadly. Seems this part is broken in the latest 23.09.1 update.
@RafedwinAbreu 9 months ago
Use network or alias and put the tailscale ip address 100.xx.xx.xx it should work fine.
@ryanroberts210 2 years ago
I've got two networks on two different pfSense boxes talking to each other, accessible, etc... Great, thanks! What I'd like to do though is have one pfSense be the Exit Node for the other, i.e. all the traffic in and out of one pfSense is going through the other. I see how to use Exit Node with a phone or laptop, but not how to tell the pfSense subnet router to use the other one... Any ideas? Thx
@amirabbasmaleki83 2 years ago
As Ryan said, is there any way to be able to advertise one Pfsense as exit node and route other sites clients and lan devices to use this tunnel as gateway???
@dave.gallant 2 years ago
Thanks!
@ElvisImpersonator 1 year ago
Excellent tutorial! Had site to site (one site behind double NAT) Tailscale up and running in 30 minutes. Any chance multicast (aka. Bonjour) can be advertised across Tailnet to allow automatic discovery? Maybe with rules or IGMP proxy in pfSense?
@John-zs5nw 4 months ago
How do I get the tailscale address option for the NAT address?
@rjmunt 2 years ago
I added the NAT Outbound rules for tailscale on my networks. However my phone still cannot establish a direct connection (only relayed). Is the only option to enable NAT-PMP? Are there any drawbacks to that?
@marktomlinson6922 1 year ago
great explanation, I have one question for yourself or anyone else reading this, so in this site1 to site2 setup pfsense1 to pfsense2 for a device behind pfsense 1 router how do you get it to be able to use the DNS from pfsense 2 to resolve and connect to a device behind pfsense2 router?
@PowerUsr1 1 year ago
Any plans coming down to control tailscale access using PF firewall rules. As "fun" as it is to write .JSON it's clearly easier to maintain using the firewall
@joeychou8627 2 years ago
Great video, do you have a plan to make a similar introduction and deep dive for the ZeroTier package on pfSense?
@TradersTradingEdge 2 years ago
Thanks Christian, great explanation. Is there a way I can route TS traffic through HA-Proxy? WAN > TS > HA-Proxy > MyService Is that possible?
@davidg4512 1 year ago
So, it appears that when you do source nat for tailscale, ACLs don't work properly. Destination NAT at the final pfsense tailscale node appears to work. Does ACL get checked by every tailscale node or only those that advertise the route?
@tasi 2 years ago
Great job Christian, thanks for this update
@GrishTech 1 year ago
14:18 - I have a question about this listening port. For some reason external devices that are behind their own NAT that can't be punched through fail to establish a direct connection with the pfsense firewall, even if I have an allow rule in WAN. However, any devices behind the pfsense firewall can establish a direct connection for inbound attempts. What gives that the pfsense firewall itself is not able to receive inbound direct connection attempts? I tried static port via manual NAT rules, upnp, etc.
@hjaltioj 2 years ago
Nice. :D Thank you for the good work :D
@radupopa6642 1 year ago
A regular tailscale node can be configured to use another exit node, if that other node was approved to act as an exit node for the tailscale network. Is there a way to configure the pfSense tailscale node to use an existing exit node? I could not figure this out...
@phattunit 1 year ago
Tailscale is ❤
@avecruxspesunica2552 2 years ago
Trying out Tailscale... I have a SiteA(pfSense)-to-SiteB(pfSense) with both using Tailscale. I have SiteA set as 'Exit Node'. How do I force SiteB to use SiteA as 'Exit Node'?
@user-fw6eg3hc8f 1 year ago
I think from the pfSense Tailscale settings select Advertise Exit Node
@kingrafe 1 year ago
I cannot get my subnets to show. I think I am missing a firewall rule or settings that allows you to see the subnet
@PeterNordin 8 months ago
Maybe I'm stupid or I miss something essential. When I try to set up the Hybrid Outbound NAT I stumble on some problem. I set Interface to Tailscale as you showed, I set Source to Network or Alias and insert the subnet of my LAN interface. Then down at Translation when I try to set Address to Tailscale address I can't find it in the dropdown list. I first thought you made an alias, but I see a space. Why can't I see the Tailscale Address under Translation Address?
@nathansalt5765 8 months ago
I have the same problem. Under routes the Tailscale subnets show up there but the gateway is listed as link# and not tailscale. So there is no tailscale gateway to point to
@RafedwinAbreu 8 months ago
Use network or alias and put the tailscale ip address 100.xx.xx.xx it should work fine.
@PeterNordin 8 months ago
@RafedwinAbreu thanks, and what subnetmask to use /24 /32
@rudypieplenbosch6752 2 years ago
Would be great if something similar can be done for Zerotier, so I don't need to spin up a VM for it.
@joelc1328 2 years ago
@Christian, I have a use case where I'm trying to block one port from a PC but allow everything else to traverse the tailscale VPN. I think I have to do this through ACL but I have read the documentation and still can't figure it out. Any help would be appreciated!
@networkadminbr 2 years ago
Hi Christian, do you have some material about wireguard+ospf, cause I know that wireguard can't use multicast, how can I solve this? thank u
@gdewey1 1 year ago
seems like on pfsense new version (23.09) you cannot assign NAT translation to Tailscale IP / 32. anyone experience this or am I missing something. I was able to follow instructions without a problem on the last version
@Jooohn64 1 year ago
same for me :(
@8095945088 11 months ago
did you find any solution for this issue?
@gdewey1 11 months ago
@8095945088 I reported this to netgate and they admit it was a bug that was going to be covered in the next release. The solution is to manually add the 100.x.x tailscale IP /32 to the fields. They released a new update and now it shows tailscale networks but it's wrong, I still need to use a direct (hardcoded) value in the field. Hope this helps.
@Shabba-k2x 4 months ago
Stumbled across a thread on netgate forums, for the latest version you only need to create a wan rule for udp destination port 41641, for any source and any destination (could play about with exact addresses if you want to make more secure). This allowed all my clients roaming to have a direct connection to my home network, especially my jellyfin server for on the go streaming.
@neosmith80 2 years ago
great video... just need to up the audio! :)
@ChristianMcDonald 2 years ago
Noted thanks
@sebastianpulver3604 2 years ago
is it possible to use ospf over tailscale to advertise the routes instead of tailscale itself?
@danroberts2055 7 months ago
I'm at my wits' end. I have two pfsense devices 1. PFSense Plus behind StarLink and 2. PFSense CE behind T-Mobile. I have tailscale running on both with nat rules on both and I can get from the Tmobile device to the StarLink device but I can't get from the StarLink device to the TMobile device. both show routes correctly in pfsense and both ping using tailscale ping but when I tried to reach the Tmobile router from the StarLink Router I get nothing. HELP! I have scanned the web and watched every YT video I can... don't know what's happening. ... only thing I can think is starlink is a 100. network....$ This doesn't happen if I'm on a phone using tailscale and try to get to either. I can get to both via my phone just not from the starlink device to the tmobile device.
@MrCWoodhouse 1 year ago
I found a strange bug. I struggled for hours. Why won't it work? In the Advertised Routes section, I had a blank line below the route I wanted. Once I deleted the blank line it worked just fine! Maybe when you parse the dialog box it creates wrong json if there is a blank line.
@ChristianMcDonald 1 year ago
Interesting, I will check that
@petergplus6667 2 years ago
I wasn't able to establish functioning WireGuard connections with pfsense. I use ipsec of my routers for now. Am I correct that tailscale is an easier implementation of WireGuard so I can retry?
@igorkholobayev7779 2 years ago
My WireGuard is running great. Let me know if you need help.
@Simonthadude 2 years ago
Thanks!
@crazyvanilla03 1 month ago
Why am I not getting Tailscale as translation address?
@GrishTech 1 year ago
Would be great in the future if Tailscale wireguard for bsd can allow source nat to be disabled, just as we can in Linux with --snat-subnet-routes=false
@GrishTech 1 year ago
I understand the userspace limitations. The performance nonetheless is acceptable.
@jp_baril 2 years ago
Hi, PfSense (and networking) newbie here. Having Tailscale installed on PfSense, from PfSense machine itself I can ping a remote device by its Tailscale IP. Now, how can my LAN devices behind my PfSense router also ping that remote Tailscale IP ? Thank you.
@BinaryHackerMan 2 years ago
you have to enable subnets from the tailscale control center
@nathansalt5765 8 months ago
I've got the same problem. Using ping in pfsense I can ping my remote tailscale address and the devices on its subnet. It's not getting passed locally through pfsense unfortunately
@jp_baril 8 months ago
Actually the answer was in the video. It's the outbound NAT (@28:30)
@nathansalt5765 8 months ago
@jp_baril yeah I did that but it still didn't work
@visghost 2 years ago
it was also cool if pfsense had a gpon setup function, I so dream of removing the provider's wi-fi router so that I can do without a router and connect the optics directly to pfsense
@4Covenant 1 year ago
You can do the same scheme but with a third site. greetings
@diogernesoliveira5309 1 year ago
How do you create a site-to-site in pfSense via Tailscale?
@kevinlindashaw957 2 years ago
Solved!! ... Wrong start up command for the linux machine ... should use "sudo tailscale up --accept-routes" not "sudo tailscale up" ... How to ping the computers behind the pfsense box? I have tailscale running on my pfsense box with subnets enabled in the control server and there are computers behind the pfsense box. I have tailscale running on my linux machine in another location (has its own tailscale IP). The computers behind the pfsense box can ping the tailscale IP of the linux machine. The linux machine can ping the tailscale IP of the pfsense box (I can even sign into the pfsense box from the linux machine) but how do I get the linux machine to access any of the computers behind the pfsense box??
@anand-nb4bb 1 month ago
Hi Bro can you please make a detailed step by step video on configuring Pfsense OpenVPN with split tunneling & configure Ubuntu as a VPN client. Please, it's a request. Kindly reply Thanks & regards,
@AJ-FL 1 year ago
PLEASE PLEASE PLEASE 🙏 Can we finally have MultiWAN FAILBACK AS I HAVE over 12 accounts running EDGEROUTER appliances which failback works flawlessly when having metered LTE WAN Connections 🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏 These clients have requested more powerful m/capable hardware and PFSENSE would be the perfect solution if it had failback function for multi-WAN 🙏🙏🙏🙏
@PowerUsr1 2 years ago
How does this compare to ZeroTier?
@PowerUsr1 2 years ago
@StevenTheElder why would they hate it? It’s similar tech
@jimthompson971 2 years ago
@StevenTheElder I wouldn't say we "hate it". That's not true. But someone has to do the work, and someone has to maintain it.
@GpconnectInfohotspot 2 years ago
why don't we have an api to create voucher for the captive portal on the fly ?
@raul230285 2 years ago
Probed Nebula VPN
@dotnetfx40i93 6 months ago
why pfsense will not control traffic tailscale...WTF, i should trust to tailscale .....by fact i will not trust, and by that reason rules on tailscale admin panel will not help me to trust 22:00
@PowerUsr1 1 year ago
It's been a couple of months trying TS and it's really so unimpressive from a scalability perspective. The documentation is Ok-ish when it comes time to implement ACLs but the whole point of this level of control on a firewall is to have the Firewall control access through rules and have some auditing of what is hitting those rules. All pfsense is doing here is just a router. No firewall rules. No restrictions. This just isn't ready for an enterprise IMO. Keep it in the home lab or maybe a small business where traffic control isn't needed. Hard pass.