Tailscale have made it so that the outbound rules as demo’d by Tom in his video no longer work.
I found the following, which basically says I have to create a virtual IP now from the remote Tailscale IP… Regression #14987: "Interface Address" is no longer an option for outbound NAT targets (pfSense bugtracker)
So these are my new outbound rules…
The first outbound rule was set up before the pfSense “change”; I can successfully access any PC on the remote 192.168.23.0/24 network from within the local network.
The second outbound rule was set up as per the advice in the closed issue 14987… but I still cannot access either the 192.168.30.0/24 network or the Tailscale IP itself 100.80.x.x from any of the LAN PCs?
Any ideas what I’m doing wrong plz?
Harry
I only have the one outbound rule on CE and it works.
I can access any device by its LAN IP address from anywhere.
I followed the tutorial from CM
Hi, was that outbound rule created recently?
Apparently a change was made a few months ago after the last CE update (techy details in that Netgate regression link), resulting in an error message when you try to save the outbound rule on following that procedure from 2022.
ps just saw ur rule… mine is different, it allows me to access any PC on a remote Tailscale network (subnet routing enabled on the remote Tailscale device) from within my pfSense LAN network… I use this to support my customers seamlessly from within my network and monitor the remote network using tools hosted locally
No. I had it configured before the CE update that introduced the bug. I used CM’s tutorial video.
Not sure if hand editing the XML file would accomplish the same result.
<outbound>
  <mode>hybrid</mode>
  <rule>
    <source>
      <network>192.168.69.0/24</network>
    </source>
    <sourceport></sourceport>
    <descr></descr>
    <target>Tailscaleip</target>
    <interface>Tailscale</interface>
    <poolopts></poolopts>
    <source_hash_key></source_hash_key>
    <destination>
      <any></any>
    </destination>
    <created>
      <time>1687359440</time>
      <username><![CDATA[admin@192.168.69.31 (Local Database)]]></username>
    </created>
    <updated>
      <time>1687359465</time>
      <username><![CDATA[admin@192.168.69.31 (Local Database)]]></username>
    </updated>
    <target_subnet></target_subnet>
  </rule>
</outbound>
argh perfect! never thought of manually editing the XML to copy/paste/edit one of the existing rules
I currently have around a dozen outbound rules to different customer networks, hopefully the XML editing should work as pfSense support view it as a “cosmetic front end” change, not a bug… it's why they closed the “issue” in that Netgate link
thanks
Make sure to use an editor like BBEdit (or web-based XML checker) to catch XML formatting errors.
k (i usually use notepad++)
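A check that can be run over a hand-edited outbound NAT section before restoring it, given here as an added example that is not code from the thread or from pfSense. It goes beyond well-formedness to catch the usual copy/paste slips (dropped elements, unedited duplicates, mistyped source networks); the `REQUIRED` list is an assumption taken from the rule posted above, and the sample input is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Elements present in the rule posted in this thread; treated here as the
# minimum a copied rule should keep (an assumption, not pfSense's schema).
REQUIRED = ("source", "target", "interface", "destination")
SKIP = {"created", "updated", "time", "username"}  # audit stamps, ignored

def fingerprint(rule):
    """Rule content without audit stamps, to spot unedited copies."""
    return tuple((el.tag, (el.text or "").strip())
                 for el in rule.iter() if el.tag not in SKIP)

def check_outbound(xml_text):
    """Return a list of problems found in an <outbound> fragment."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    outbound = root if root.tag == "outbound" else root.find(".//outbound")
    if outbound is None:
        return ["no <outbound> section found"]
    problems, seen = [], set()
    for n, rule in enumerate(outbound.findall("rule"), start=1):
        problems += [f"rule {n}: missing <{t}>" for t in REQUIRED
                     if rule.find(t) is None]
        net = rule.findtext("source/network")
        if net is not None:  # assumes a literal CIDR, as in the thread
            try:
                ipaddress.ip_network(net.strip(), strict=False)
            except ValueError:
                problems.append(f"rule {n}: bad source network {net!r}")
        fp = fingerprint(rule)
        if fp in seen:
            problems.append(f"rule {n}: identical to an earlier rule")
        seen.add(fp)
    return problems

# Constructed sample: the thread's rule, trimmed, plus two pasted copies.
RULE = ("<rule><source><network>{net}</network></source>"
        "<target>Tailscaleip</target><interface>Tailscale</interface>"
        "<destination><any></any></destination></rule>")
SAMPLE = ("<outbound><mode>hybrid</mode>" + RULE.format(net="192.168.69.0/24")
          + RULE.format(net="192.168.69.0/24")
          + RULE.format(net="192.168.69.0/240") + "</outbound>")

if __name__ == "__main__":
    for problem in check_outbound(SAMPLE):
        print(problem)
```

An empty result means only that these checks passed; keep a backup of the unedited config so a bad restore can be rolled back.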