pfSense adding Tailscale connection to an interface, any pitfalls?

Hi all

Just wondering, within pfSense, are there any pitfalls in adding a Tailscale VPN connection to an interface?

I noticed that once the Tailscale VPN connection is added to an interface, we are able to utilise the pfSense firewall to provide access control over what Tailscale devices can or cannot access, in contrast to using the ACL in the Tailscale web interface.

It seems all tutorials point towards using Tailscale’s web interface to provide the necessary ACL. After seeing Tom’s video and its notes on how Tailscale affects the SRC address on the packets, I can understand why the default Tailscale interface within the pfSense firewall won’t work.

Though what I don’t understand is that, if we create a new interface mapped to the Tailscale VPN connection, it allows you to control the ACL in pfSense’s firewall. Why is this approach not more talked about? Or are there major pitfalls with this approach?

So yeah, just want to see if I’m missing something.

Cheers

In CM’s video, he advises against adding TS to an interface.

Thank you for pointing it out! I must admit I have already watched it, but only caught its comment advising against it on the 2nd round of watching.

Interesting that he mentions that by creating an interface for Tailscale, this will lead to pfSense owning the interface and possibly trying to configure addresses for the connections, which is not ideal, as you would want Tailscale to be doing this.

Curious to know, given that video was dated back in 2022, whether back then, if a new interface was created for Tailscale, it prevented Tailscale from working properly, or at all. I’m sure by now Tailscale would be a few versions beyond what it was in 2022, and likewise with pfSense. Hence, would this still be a highly discouraged approach? Given that this would allow firewall rules to be functional in pfSense, for easier management.

@tak4ever2000

I manually upgraded CE 2.7.2 to 1.70.0. Now all my clients are on same version.

pkg add -f https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/tailscale-1.70.0.pkg

tailscale version
1.70.0
  go version: go1.22.5

I use TS ACL rules to restrict access to my HDHomeRun TV tuner to invited users’ email addresses, who simply want to watch the Miami Dolphins when overseas. If they want to watch the game on their ATV or iPad instead of their iPhone, I simply just need to send them another invite and don’t have to change any ACLs.

Don’t think you can do that with email addresses with pfSense rules. One might be able to do it with assigned TS IP addresses, but I have read reports those can change. The workaround is to assign custom static TS IPs via the TS Admin interface. So you will never be able to completely eliminate the need to do some sort of configuration via the Admin interface.

// Example/default ACLs for unrestricted connections.
{
	// Declare static groups of users. Use autogroups for all users or users with a specific role.
	// "groups": {
	//  	"group:example": ["alice@example.com", "bob@example.com"],
	// },
	"groups": {
		"group:admins": ["redacted@privaterelay.appleid.com"],
		"group:hdhr":   ["redacted@gmail.com", "redacted@gmail.com"],
	},
	// Define the tags which can be applied to devices and by which users.
	// "tagOwners": {
	//  	"tag:example": ["autogroup:admin"],
	// },

	// Define access control lists for users, groups, autogroups, tags,
	// Tailscale IP addresses, and subnet ranges.
	"acls": [
		// Allow all connections.
		// Comment this section out if you want to define specific restrictions.
		// {"action": "accept", "src": ["*"], "dst": ["*:*"]},
		// Admins may reach every host and port.
		{"action": "accept", "src": ["group:admins"], "dst": ["*:*"]},
		// Invited viewers may only reach the HDHomeRun tuner, on any port.
		{
			"action": "accept",
			"src":    ["group:hdhr"],
			"dst":    ["192.168.69.72:*"],
		},
	],
}
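The post above shows the ACL being enforced by Tailscale rather than by pfSense rules. As an added example (not code from the thread, and not Tailscale's own tooling), the Python below parses a policy written in the same comment-and-trailing-comma style, expands the `group:` names, and answers "can this user reach this host:port?", so a rule set like the one above can be checked offline before it is saved in the admin console. The policy text, the addresses and the `@example.com` users are constructed placeholders; the evaluator is deliberately simplified and handles only user emails, literal IPv4 hosts and `*` (no tags, autogroups, CIDRs or IPv6), where Tailscale's real evaluator does much more.

```python
"""Offline check of a Tailscale-style ACL policy (added example, simplified)."""
import json
import re

# Constructed policy mirroring the shape of the post's rules, with placeholder users/IPs.
POLICY_TEXT = r"""
// Comments and trailing commas are allowed, as in the Tailscale policy editor.
{
    "groups": {
        "group:admins": ["admin@example.com"],
        "group:hdhr":   ["fan1@example.com", "fan2@example.com"],
    },
    "acls": [
        // Admins: everything.
        {"action": "accept", "src": ["group:admins"], "dst": ["*:*"]},
        // Invited viewers: only the tuner, any port.
        {"action": "accept", "src": ["group:hdhr"], "dst": ["192.168.69.72:*"]},
    ],
}
"""


def strip_hujson(text: str) -> str:
    """Turn the comment-tolerant policy text into strict JSON.

    Only whole-line // comments, /* */ blocks and trailing commas are handled;
    a // inside a string (e.g. a URL) would be mangled, so this is not a full HuJSON parser.
    """
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return text


def load_policy(text: str) -> dict:
    return json.loads(strip_hujson(text))


def expand_src(entry: str, groups: dict) -> set:
    """Resolve one src entry to a set of user emails ('*' stays '*')."""
    if entry == "*":
        return {"*"}
    if entry.startswith("group:"):
        return set(groups.get(entry, []))
    return {entry}


def dst_matches(dst_entry: str, host: str, port: int) -> bool:
    """Match 'host:port' where port may be '*', a number, a range 'a-b' or a list 'a,b'."""
    dhost, _, dport = dst_entry.rpartition(":")  # IPv4/literal hosts only (no IPv6)
    if dhost not in ("*", host):
        return False
    if dport == "*":
        return True
    for part in dport.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def allowed(policy: dict, user: str, host: str, port: int) -> bool:
    """Default-deny: the connection is permitted only if some accept rule covers it."""
    groups = policy.get("groups", {})
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        srcs = set().union(*(expand_src(s, groups) for s in rule.get("src", [])))
        if "*" not in srcs and user not in srcs:
            continue
        if any(dst_matches(d, host, port) for d in rule.get("dst", [])):
            return True
    return False


if __name__ == "__main__":
    policy = load_policy(POLICY_TEXT)
    checks = [
        ("fan1@example.com", "192.168.69.72", 80),   # viewer -> tuner: allowed
        ("fan1@example.com", "192.168.69.1", 443),   # viewer -> firewall GUI: denied
        ("admin@example.com", "192.168.69.1", 22),   # admin -> anything: allowed
        ("stranger@example.com", "192.168.69.72", 80),  # not in any group: denied
    ]
    for user, host, port in checks:
        verdict = "accept" if allowed(policy, user, host, port) else "deny"
        print(f"{user:>22} -> {host}:{port:<5} {verdict}")
```

Note that Tailscale's policy file itself supports a `"tests"` array (`src`, `accept`, `deny` entries) that the admin console evaluates whenever the policy is saved; that is the authoritative place for these checks, and this script is only a convenience for reasoning about a rule set before uploading it.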

Yes, you raise a very good point!

In that situation, using the firewall in pfSense would not be ideal, and yes, one would likely be chasing one’s own tail if it were attempted in pfSense.

Funny, this scenario never occurred to me, though it should have been an obvious one. I was only thinking from a single user’s point of view, restricting my own access to the internal network when out and about. However, once you have multiple users in Tailscale, you wouldn’t want to do the ACL in pfSense. That makes sense now!

Cheers for that! ACL in Tailscale is the way!

Thank you @elvisimprsntr !!!