Pfsense, Tailscale, Apple TV

My network firewall is pfSense. My goal is to allow access to the NAS located at from a cell phone when I'm not at home. A Tailscale app for Apple TV has been released with the capability to act as an exit node and to do subnet routing. I already have a tailnet, so I set up the Apple TV and configured it as an exit node. I can browse the internet remotely, and the internet on my phone is showing my home IP address, so the exit node is working. I also set up the Apple TV, currently on, to subnet route to I approved the route in Tailscale under Machines, and the route appears to be active.

However, I cannot ping or reach any device on the 192.168.150.x network. If I change the advertised subnet route on the Apple TV, I first delete the, to, approve in Tailscale, then I can remotely reach the NAS! In fact, any IP address on the home network can be advertised and reached if I put in the specific IP address with a /32 subnet. So why won't this work when I use From reading on the web, folks feel this is related to pfSense. I tried using NAT-PMP on pfSense, but that didn't work. This is really frustrating.

Also, while the specific IP addresses can be reached and made functional by using /32 remotely, ping does not work. Any ideas why pings fail? Is this by design with Tailscale?

Why not simply install Tailscale on pfSense instead?

I have done that and have the same issue: unable to route to /24 networks, but successful with any /32 IP address. Just trying to understand why fails in Tailscale.

Christian MacDonald wrote his article as a from pfSense to pfSense… I'm going from a cell phone to pfSense/Apple TV.

Not sure where you are getting info about Tailscale issues on pfSense. I can ping my devices on VLANs using /24 routes. You have a configuration issue elsewhere.

I know…but no idea at this point

Does ping work with setup as /32? If not, you may have pings blocked in the firewall.

I have to assume that in Tailscale (website) you can see pfSense and have set it up to allow a subnet with If so, if you have Tailscale on your phone active, you have the tailnet connection, and anything 192.168.150 should go through Tailscale; it sees who allows that subnet, and pfSense ships it to your LAN port. I have no problem doing it that way.

Ping works in the LAN without Tailscale. If I try to ping (the NAS) through Tailscale, it fails. However, a TCP connection works if I use It fails if I use Ping with Tailscale works if I ping the Tailscale 100.x.x.x address for the NAS.

Bizarre. FYI, I have no rule in pfSense for the Tailscale interface… according to Tom's configuration video, this is correct.
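An added example, not code from this thread, from pfSense or from Tailscale, that models the two things the thread keeps circling: which subnet router actually carries traffic for a LAN address when a /24 and a /32 overlap, and whether a host is reachable at layer 4 even when ping fails. Given the routes approved per subnet router, it lists every route covering a destination, picks the one longest-prefix matching will use, and probes the host over TCP instead of ICMP. The node names, the 192.168.150.50 NAS address and the route sets are constructed placeholders, not the poster's values.

```python
"""Which approved Tailscale subnet route carries a destination, and is the host
reachable over TCP (independent of ICMP)?  Added example; values are made up."""
import ipaddress
import json
import socket
import sys

# Constructed sample (not from the thread): each subnet router and the routes
# approved for it in the admin console.  The NAS address is a placeholder.
APPROVED_ROUTES = {
    "apple-tv": ["192.168.150.0/24"],
    "pfsense": ["192.168.150.50/32", "192.168.150.0/24"],
}
NAS = "192.168.150.50"


def matching_routes(dest, routes_by_node):
    """Every approved route that covers dest, most specific first.
    Returns a list of (node, ip_network); empty when nothing covers dest."""
    addr = ipaddress.ip_address(dest)
    hits = []
    for node, cidrs in routes_by_node.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if addr in net:
                hits.append((node, net))
    # Longest prefix wins; the sort is stable, so equal-length routes keep
    # dictionary order (Tailscale's own primary/failover choice among
    # identical routes is not modelled here).
    hits.sort(key=lambda h: h[1].prefixlen, reverse=True)
    return hits


def chosen_router(dest, routes_by_node):
    """The node that will carry traffic to dest, or None if no route covers it."""
    hits = matching_routes(dest, routes_by_node)
    return hits[0][0] if hits else None


def tcp_reachable(host, port, timeout=2.0):
    """Layer-4 probe.  A TCP connect does not depend on ICMP echo being
    forwarded, so it separates 'no route' from 'ping filtered on the path'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(dest, routes_by_node, port=None):
    """Summarise the routing decision; probe TCP only when a port is given."""
    hits = matching_routes(dest, routes_by_node)
    report = {
        "dest": dest,
        "router": chosen_router(dest, routes_by_node),
        "covered_by": [f"{node}:{net}" for node, net in hits],
    }
    if port is not None:
        report["tcp_reachable"] = tcp_reachable(dest, port)
    return report


if __name__ == "__main__":
    # Usage: python route_check.py [DEST] [TCP_PORT]; with no arguments it only
    # prints the offline routing analysis for the constructed sample.
    dest = sys.argv[1] if len(sys.argv) > 1 else NAS
    port = int(sys.argv[2]) if len(sys.argv) > 2 else None
    print(json.dumps(diagnose(dest, APPROVED_ROUTES, port), indent=2))
```

Run it from a tailnet client with a destination and a port the NAS listens on, e.g. `python route_check.py 192.168.150.50 445`. The point of the overlap model: the /24 covers exactly the same hosts as any /32 inside it, so if only the /32 works through a given router the difference is not address coverage but whether that /24 is approved and enabled for that node and whether the traffic is allowed once it arrives; pfSense blocks everything on an interface that has no rules by default, so a Tailscale interface with no pass rule drops tailnet-to-LAN traffic. On the ping question, TCP succeeding while ICMP fails means the route is in place and echo is being dropped somewhere on the path, not that Tailscale lacks the route.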