I’ve searched and only really found examples of subnet routing that effectively goes the wrong way.
What I want to do is use my Tailnet (Pfsense router) as an exit node for my friend’s remote Unifi Dream Router 7’s clients. So his wireless/wired clients can have their WAN IP show up as my local Pfsense WAN IP. He wants to watch basketball on his TV in a far flung location and use my local router as his exit node for the traffic.
As a bonus, it would be cool to create a separate gateway on his Unifi DR7 such that we could route only traffic on specific VLANs/SSIDs through this connection to my Tailnet.
I hope that makes sense, and I think it oughta be simple enough but apparently my search terms in finding a solution aren’t getting me there. I know barely enough to be dangerous in the networking realm, which apparently makes me an IT expert in his eyes.
I have some Unifi switches and APs but don’t know my way around the router part of things in the Unifi Network interface.
We do have Tailscale successfully installed on his DR7 and it is connected to my Tailnet. It’s the routing/gateway part on his end that we need to work out.
Thanks in advance for any of you smart folks out there that will surely help!
On the pfSense side, in the Tailscale settings, enable “exit node” for your pfSense machine via the Tailscale admin console. In the Tailscale admin console, approve the exit node. Ensure pfSense firewall rules allow Tailscale traffic to NAT out your WAN (should work by default if Tailscale is functioning normally).
On the UDR 7 side (his end), SSH into the Dream Router 7. Install the community package: “curl -fsSL https://github.com/SierraSoftworks/tailscale-udm/raw/main/install.sh | sh” Authenticate when prompted and log into your Tailnet. Configure exit node routing: “tailscale up --exit-node= --exit-node-allow-lan-access” Replace with your pfSense node’s Tailscale IP (e.g., 100.x.x.x). The --exit-node-allow-lan-access flag lets his local devices still talk to each other on LAN.
To revert (disable exit node routing): "tailscale up --exit-node= "
Warnings: All Dream Router 7 traffic will go through your connection. Your bandwidth and latency will be impacted. If Tailscale disconnects, his internet may break until it reconnects or he reverts it.
After Dream Router 7 firmware updates, re-run the install script to restore Tailscale.
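A small pre-flight check for the exit-node step above, added here as an example and not part of the original reply: before running `tailscale up --exit-node=...` on the UDR, it reads the output of `tailscale status --json`, confirms the pfSense peer is online and actually approved as an exit node (the `ExitNodeOption` flag), and only then emits the command. The sample JSON and the hostnames `pfsense`/`udr7` are constructed for illustration.

```python
import json

# Constructed sample of `tailscale status --json` output (not a real capture);
# only the fields this check reads are included.
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "udr7", "TailscaleIPs": ["100.101.102.103"], "Online": True},
    "Peer": {
        "nodekey:aaaa": {"HostName": "pfsense", "TailscaleIPs": ["100.64.0.1", "fd7a::1"],
                         "Online": True, "ExitNodeOption": True, "ExitNode": False},
        "nodekey:bbbb": {"HostName": "laptop", "TailscaleIPs": ["100.64.0.2"],
                         "Online": True, "ExitNodeOption": False, "ExitNode": False},
    },
})


def find_exit_node(status_json: str, hostname: str) -> dict:
    """Decide whether the peer called `hostname` is safe to use as an exit node.

    Returns {"ok": True, "ip": ..., "command": ...} when the peer is online and
    approved as an exit node, otherwise {"ok": False, "reason": ...}.  Refusing
    to point all of the router's traffic at an offline or unapproved node avoids
    the "internet breaks until he reverts it" failure mode described above.
    """
    status = json.loads(status_json)
    for peer in status.get("Peer", {}).values():
        if peer.get("HostName") != hostname:
            continue
        # An exit node must be advertised by the node AND approved in the admin
        # console; Tailscale reports that combined state as ExitNodeOption.
        if not peer.get("ExitNodeOption"):
            return {"ok": False, "reason": "peer is not approved as an exit node"}
        if not peer.get("Online"):
            return {"ok": False, "reason": "exit node is currently offline"}
        ipv4 = next((ip for ip in peer.get("TailscaleIPs", []) if ":" not in ip), None)
        if ipv4 is None:
            return {"ok": False, "reason": "peer has no Tailscale IPv4 address"}
        return {
            "ok": True,
            "ip": ipv4,
            "already_in_use": bool(peer.get("ExitNode")),
            "command": f"tailscale up --exit-node={ipv4} --exit-node-allow-lan-access",
        }
    return {"ok": False, "reason": f"no peer named {hostname!r} in this tailnet"}


if __name__ == "__main__":
    # On the router you would pass the real output of `tailscale status --json`.
    print(find_exit_node(SAMPLE_STATUS, "pfsense"))
```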
It may be cleaner if you have a separate device on his end to run Tailscale. He could run a small Linux VM, container, or even a Raspberry Pi on that VLAN as the gateway. That device runs Tailscale with your exit node and acts as the default gateway for that VLAN. But I have no experience with Unifi products, so I am not sure how you would do the routing.
Thanks for this. We tried commercial VPN but it is blocked by the streaming service so that was a non-starter. We also tried setting up WireGuard between my router and his DR7 but that was complicated and couldn’t seem to get it to work either.
Thing is, we have Tailscale working from remote devices and it shows my local Pf router’s IP address. So my router as an exit node is working. I can also ping his tailnet node (DR7 Tailscale address) from my local network. Everything works except getting traffic in/out of the DR7 when it’s the source. Seems like a gateway routing issue. But I’m not fluent in Unifi-speak either so it’s hard to figure out what to change.
Thanks for this too! Actually, this is exactly what we had done yesterday, to no avail. As I mentioned in my last reply to pjsayers.anotherit, everything seems to work except getting traffic in/out of the DR7. I’m guessing it’s something super simple that I’m overlooking.
Today, we tried messing with it again and still couldn’t get it to work.
Your suggestion of having another device on his end to run Tailscale might be the ticket. I’m guessing it would be easiest with a two port device so one RJ45 port could become a second “WAN” port for the DR7 and the second RJ45 would connect upstream to the switch we are getting “regular” WAN from for the DR7. Maybe a single port RPi could be configured to handle it but that makes my brain hurt. LOL.
But doing it with an external device would theoretically allow us to divert only traffic from a given VLAN that we want the Tailscale VPN traffic to traverse. And in doing so, we would minimize the traffic loading up my router because most of his traffic would go out the “regular” WAN port and off to the interwebs without touching my PF router. Is this the right way to be thinking about it?
Thanks again folks!! We appreciate the help!