pfSense, Tailscale, Apple TV

My network firewall is pfSense. My goal is to allow access to a NAS located at 192.168.150.200 from a cell phone when I’m not at home. A Tailscale app for Apple TV has been released with the capability to act as an exit node and to do subnet routing. I already have a tailnet, so I set up the Apple TV and configured it as an exit node. I can browse the internet remotely, and the internet on my phone is showing my home IP address, so the exit node is working. I also set up the Apple TV, currently on 192.168.150.145, to subnet route 192.168.150.0/24. I approved the route in Tailscale under Machines, and the route appears to be active.

However, I cannot ping or reach any device on the 192.168.150.x network. If I change the advertised subnet route on the Apple TV (I first delete 192.168.150.0/24) to 192.168.150.200/32 and approve it in Tailscale, then I can remotely reach the NAS! In fact, any IP address on the home network can be advertised and reached if I put in the specific IP address with a /32 subnet. So why won’t this work when I use 192.168.150.0/24? From reading on the web, folks feel this is related to pfSense. I tried using NAT-PMP on pfSense, but that didn’t work. This is really frustrating.

Also, while the specific IP addresses can be reached and made functional by using /32 remotely, ping does not work. Any ideas why pings fail? Is this by design with Tailscale?
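As an added example, not from any poster in this thread: a small Python check that applies longest-prefix matching to a set of Tailscale-style subnet routes, using the thread’s addresses as constructed input. It reports which approved route would carry the NAS address and flags the two usual pitfalls, a route that is advertised but not approved, and a client LAN whose prefix overlaps the advertised subnet (a directly connected /24 shadows a tailnet /24, while a /32 host route still wins). The router name and the `client_lan` parameter are assumptions for illustration.

```python
import ipaddress

# Constructed sample input using the addresses from this thread.
NAS = "192.168.150.200"
HOME_LAN = "192.168.150.0/24"


def longest_prefix_match(dst, routes):
    """Pick the most specific route containing dst, as a host's routing table does.

    routes maps a prefix string to the router advertising it.
    Returns (prefix, via) or None when nothing covers dst."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return None if best is None else (best[0].with_prefixlen, best[1])


def audit_subnet_routes(advertised, approved, targets, client_lan=None):
    """Check a Tailscale-style subnet-router setup for the usual pitfalls.

    advertised: {prefix: router}, what the router sends with --advertise-routes
    approved:   prefixes that were enabled in the admin console
    targets:    LAN hosts that must be reachable over the tailnet
    client_lan: prefix of the network the phone or laptop is on right now (assumed input)
    Returns {target: {"route": (prefix, via) or None, "warnings": [...]}}."""
    usable = {p: r for p, r in advertised.items() if p in approved}
    report = {}
    for t in targets:
        warnings = []
        hit = longest_prefix_match(t, usable)
        if hit is None:
            pending = longest_prefix_match(t, advertised)
            warnings.append(f"{pending[0]} is advertised by {pending[1]} but not approved"
                            if pending else "no advertised route covers this host")
        elif client_lan:
            local = ipaddress.ip_network(client_lan, strict=False)
            chosen = ipaddress.ip_network(hit[0])
            # A directly connected network of equal or longer prefix shadows the
            # tailnet route; a /32 still beats a /24 LAN, which is why a host
            # route can work where the whole subnet does not.
            if local.overlaps(chosen) and local.prefixlen >= chosen.prefixlen:
                warnings.append(f"client LAN {local.with_prefixlen} shadows {hit[0]}")
        report[t] = {"route": hit, "warnings": warnings}
    return report


if __name__ == "__main__":
    for t, r in audit_subnet_routes({HOME_LAN: "apple-tv"}, {HOME_LAN}, [NAS]).items():
        print(t, r)
```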

Why not simply install Tailscale on pfSense instead?

I have done that and have the same issue… unable to route to /24 networks, but successfully to any /32 IP address. Just trying to understand why 192.168.150.0/24 fails in Tailscale.

Christian MacDonald wrote his article as pfSense to pfSense… I’m going from a cell phone to pfSense/Apple TV.

Not sure where you are getting info about Tailscale issues on pfSense. I can ping my devices on VLANs using /24 routes. You have a configuration issue elsewhere.

I know… but no idea at this point.

Does ping work with the setup as /32? If not, you may have pings blocked in the firewall.

I have to assume that in Tailscale (website) you can see pfSense and have set it up to allow a subnet with 192.168.150.0/24. If so, and if you have Tailscale on your phone active, you have the tailnet connection and anything in 192.168.150.x should go through Tailscale; it sees who allows that subnet, and pfSense ships it to your LAN port. I have no problem doing it that way.

Ping works in the LAN without Tailscale. If I try to ping 192.168.150.200 (the NAS) through Tailscale, it fails. However, a TCP connection works if I use 192.168.150.200/32. It fails if I use 192.168.150.0/24. Ping with Tailscale works if I ping the Tailscale 100.x.x.x address for the NAS.

Bizarre. FYI, I have no rules in pfSense for the Tailscale interface… according to Tom’s configuration video, this is correct.