Access remote Tailscale device from LAN devices behind PfSense

Hi, PfSense (and networking) newbie here.

I installed Tailscale on PfSense using Tom's YouTube video. Thank you!
From PfSense machine itself I can ping a remote device by its Tailscale IP.

Now, how can I make it so that my LAN devices behind my PfSense router can also access that remote device by its Tailscale IP?

(I know I could advertise remote route, but there would be subnet conflict and I don’t need to access that whole remote subnet, only the remote machine itself.)

I tried to follow and adapt other Tom's videos (How To Setup A Peer to Peer / Site to Site VPN Using OpenVPN On pfSense - YouTube and How To Setup A Peer to Peer / Site to Site VPN Using OpenVPN On pfSense - YouTube) but with no success.

Thank you.

The only solution is to add remote routes under Routing on the Tailscale Settings page of pfSense. You can then restrict access to individual subnet nodes within the Tailscale web interface by using ACLs.

E.g. if you expose the subnet 192.168.10.0/24 in pfSense, then make the following ACL in Tailscale to only allow access to the node 192.168.10.5 on port 443:

    "acls": [
        {
            "action": "accept",
            "src": ["someone@somewhere.com"],
            "dst": ["192.168.10.5:53,443"],
        },
    ],

You may want other ACLs as well. Keep in mind that the Tailscale ACLs are allow only (like any other firewall rule setup).

If the exposed subnet conflicts with a local subnet on the Tailscale client then you will probably have to change one or the other. I have heard that there might be another solution using some layer 3 trickery, but it's beyond me how this works.
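Added example, not code from the thread or from Tailscale: a small Python model of the allow-only matching the answer describes, so you can check which destinations an ACL like the one above permits before relying on it. The HuJSON loader, the user/host/port matching and the IPv4-only handling are my simplifications, not Tailscale's own policy engine.

```python
import json
import re
import ipaddress

# Constructed policy in the HuJSON shape Tailscale accepts (trailing commas allowed),
# mirroring the ACL from the answer above.
POLICY_HUJSON = """
{
  "acls": [
    {
      "action": "accept",
      "src": ["someone@somewhere.com"],
      "dst": ["192.168.10.5:53,443"],
    },
  ],
}
"""

def load_hujson(text):
    """Strip // comments and trailing commas so the standard json module accepts the policy."""
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)

def _ports_match(spec, port):
    # Port spec is "*", a single port, a range "lo-hi", or a comma list of those.
    if spec == "*":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False

def _host_match(spec, ip):
    # "*" or an IPv4 address/CIDR (assumption: IPv4 only, no IPv6 in this model).
    if spec == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def is_allowed(policy, src_user, dst_ip, dst_port):
    """True only if some accept rule matches; Tailscale ACLs are allow-only, so no match means denied."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if src_user not in rule["src"] and "*" not in rule["src"]:
            continue
        for dst in rule["dst"]:
            host, _, ports = dst.rpartition(":")
            if _host_match(host, dst_ip) and _ports_match(ports, dst_port):
                return True
    return False
```

With the policy above, 192.168.10.5 on 53 or 443 is reachable for that user, while port 22, any other host in the exposed /24, and any other user are denied because nothing matches.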

Oh, that's a bit disappointing, even if that may make sense networking-wise and may have been obvious to someone in the know.
Still easier than configuring Wireguard and NAT mappings manually though.
And yes I intend to add a few ACL rules.
Thanks for the info.