How to route Tailscale traffic when behind a Tailscale router

I have a pfSense firewall that connects to my Tailnet. I also have one laptop with Tailscale behind the firewall. When I am outside of the local network, Tailscale can reach computers that are connected behind the firewall. However, when the laptop is behind the firewall and connected to the Tailnet, I cannot reach any systems on the local network. If I disconnect Tailscale while on the local network, everything goes back to normal.

I would like Tailscale to be seamless and just leave it connected all the time so that I do not have to connect or disconnect depending on my location. I know you can turn on local LAN access in Tailscale settings, but I have multiple subnets that are themselves connected site-to-site via Tailscale.

I’m thinking this is a NAT or static routing issue, but I have not found a solution yet. Any ideas?
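Added example, not from the thread: a small check for the routing conflict described above, where a subnet advertised by a pfSense subnet router is the same subnet the laptop is physically attached to. The LAN and advertised subnets below are constructed values; on a real client they would come from the interface configuration and the routes shown by `tailscale status`.

```python
"""Find Tailscale subnet routes that overlap the client's own LAN.

Constructed example. The subnet values are hypothetical and stand in for
what a real client would read from its interface config and from the
routes its subnet routers advertise.
"""
import ipaddress
from typing import Iterable

# Constructed sample: the laptop sits on site A's LAN, and site A's pfSense
# advertises that same LAN to the tailnet alongside site B's subnets.
LOCAL_SUBNET = "192.168.10.0/24"
ADVERTISED_ROUTES = ["192.168.10.0/24", "192.168.20.0/24", "10.0.0.0/24"]


def shadowed_routes(local_subnet: str, advertised: Iterable[str]) -> list[str]:
    """Return advertised routes that overlap the directly attached LAN.

    While the client is connected, every advertised subnet gets a route via
    the tailnet. One that overlaps the LAN the client is already on can pull
    LAN-bound traffic over Tailscale to the subnet router instead of out the
    local interface, which matches losing LAN access only while connected.
    """
    lan = ipaddress.ip_network(local_subnet, strict=False)
    hits = []
    for route in advertised:
        net = ipaddress.ip_network(route, strict=False)
        if net.version == lan.version and net.overlaps(lan):
            hits.append(str(net))
    return hits


def classify_destination(dest: str, local_subnet: str,
                         advertised: Iterable[str]) -> str:
    """Classify a destination: 'lan', 'tailnet', 'conflict' (both) or 'default'."""
    ip = ipaddress.ip_address(dest)
    on_lan = ip in ipaddress.ip_network(local_subnet, strict=False)
    via_tailnet = any(ip in ipaddress.ip_network(r, strict=False)
                      for r in advertised if
                      ipaddress.ip_network(r, strict=False).version == ip.version)
    if on_lan and via_tailnet:
        return "conflict"   # reachable directly, but a tailnet route also claims it
    if on_lan:
        return "lan"
    return "tailnet" if via_tailnet else "default"


if __name__ == "__main__":
    print("overlapping routes:", shadowed_routes(LOCAL_SUBNET, ADVERTISED_ROUTES))
    for host in ("192.168.10.50", "192.168.20.5", "8.8.8.8"):
        print(host, "->", classify_destination(host, LOCAL_SUBNET, ADVERTISED_ROUTES))
```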

I can connect to my local devices, regardless of whether my laptop is connected directly to the Tailnet or not.

Setup: 2 sites with pfSense nodes, 1 behind double NAT, multiple clients (iOS, iPadOS, tvOS, macOS), multiple users, VPN on demand for iOS clients (pfSense exit node)

I followed Christian McDonald’s video when setting it up in 2023. He has some Hybrid Outbound NAT rules near the end of the video, but I have read posts of people having trouble adding the rules as outlined in his video with later versions of pfSense. So not sure if those are relevant or not.

You might want to check some of the Tailscale client settings and/or consider enabling VPN on demand, which will allow you to automatically start Tailscale if on unknown WiFi. I am running latest Tailscale 1.61.71 beta client.