A Tailscale Package for pfSense!

  • Published: 25 Nov 2024

Comments • 104

  • @sgtpepperaut
    @sgtpepperaut 2 years ago +4

    connecting 3 sites with OPENVPN took a couple of days of trial and error, a couple of minutes with this package! thank you

  • @adimw
    @adimw 2 years ago +4

    I was skimming and almost missed the Outbound NAT rule at 27:30. Working now in a lab, THANK YOU!

  • @JustinAndrusk
    @JustinAndrusk 2 years ago +10

    This was an excellent walk-through. Just started looking into Tailscale and how I could dive deeper into it to better understand its inner workings, and this was a definite help with that.

  • @Jpeg6
    @Jpeg6 2 years ago +4

    As usual great work. Looking forward to the release.

  • @panthrosrevenge
    @panthrosrevenge 1 year ago

    Thanks for this video! The outbound NAT rule was what I was missing to get my site-to-site configuration working well.

  • @tornadotj2059
    @tornadotj2059 2 years ago +2

    Thank you for doing this. Super easy to set up, and works perfectly.

  • @GrishTech
    @GrishTech 1 year ago

    Thank you for your contributions. Everything is working and scales very well.

  • @Ginita12
    @Ginita12 2 months ago

    We missed you and your videos.

  • @BinaryHackerMan
    @BinaryHackerMan 2 years ago

    Thank you SO much for this package and guide, it was enough for me to get the subnet routing to work.

  • @gdewey1
    @gdewey1 1 year ago

    Excellent work Chris!! Loved your material and the detail in the explanation.

  • @ilovingit77
    @ilovingit77 2 years ago

    Thank you very much for this video. I already use Tailscale on my Unraid server and other machines and devices. Now I have it installed on my pfSense router! It works great. Great tutorial!

  • @nickharvey5149
    @nickharvey5149 1 year ago

    Fantastic - you are a natural!

  • @MikeReprogle
    @MikeReprogle 2 years ago

    Awesome, I will be refreshing that package every day. Your config video for WireGuard with Mullvad got me working with Windscribe, but I have been looking to get a site-to-site VPN set up, and this is going to be what I try!

  • @krenkotv3240
    @krenkotv3240 2 years ago +1

    Cannot wait to drop the Linux VMs I use for subnet routers and implement this on my edge pfSense! Thanks for the hard work! I may check out Headscale as well.. Tailscale keeps yelling at me for not paying even though I'm using multiple subnet routers lol

  • @TheMongolPrime
    @TheMongolPrime 2 years ago +3

    Awesome job! I loved the video, and really appreciate the walkthrough. You're a great guide. One thing I would recommend updating (maybe I missed this) is that you have to accept the routes being advertised on the Tailscale machines page. Otherwise the advertising won't work just through saving it in pfSense.

  • @donraymond8933
    @donraymond8933 2 years ago +6

    Thanks for your great work Christian. I really appreciate the technical accuracy and clarity of your description, especially for a (moderately) knowledgeable networking person such as myself. One quick question: if one has beefy hardware (e.g. an SG5100 for home use), will that overcome the inefficiency of the Tailscale userspace WireGuard implementation?

  • @JPEaglesandKatz
    @JPEaglesandKatz 2 years ago

    You sir are amazing!!! Thanks a lot for these awesome features!! Been testing Tailscale a bit and it looks very promising!

  • @BillyDickson
    @BillyDickson 2 years ago +1

    Using your WireGuard implementation in my pfSense homelab setup, works great! I can now manage my home network via my phone.
    Thanks for all your hard work, much appreciated.

  • @John-zs5nw
    @John-zs5nw 4 months ago +1

    How do I get the Tailscale address option for the NAT address?

  • @arthurwiebe5508
    @arthurwiebe5508 2 years ago

    This is really nice. I've built my own WireGuard mesh network for centrally managing a few hundred pfSense installs; I can see Tailscale being great for smaller teams where rolling your own solution doesn't make sense.

  • @J-D248
    @J-D248 2 years ago

    Awesome video!! Thank you!

  • @tooslownotfast
    @tooslownotfast 2 years ago

    Thank you for your work.

  • @radupopa6642
    @radupopa6642 2 years ago

    Great work and good explanations!

  • @gromit_2959
    @gromit_2959 2 years ago

    Thanks for your most awesome content. Would love for you to make an episode on how to set up DNS/ACME/HAProxy and SSL for "homelabs" and SMBs.

  • @qcnsllcqcnsupport7616
    @qcnsllcqcnsupport7616 2 years ago

    Great video,... I can't wait to try it 🙏

  • @jocelyn-n-tech
    @jocelyn-n-tech 5 months ago

    Why did you stop making videos??? This one was excellent!

  • @gdewey1
    @gdewey1 1 year ago +2

    Seems like on the new pfSense version (23.09) you cannot assign NAT translation to the Tailscale IP /32. Anyone experience this, or am I missing something? I was able to follow the instructions without a problem on the last version.

    • @Jooohn64
      @Jooohn64 1 year ago

      Same for me :(

    • @8095945088
      @8095945088 11 months ago

      Did you find any solution for this issue?

    • @gdewey1
      @gdewey1 11 months ago +1

      @@8095945088 I reported this to Netgate and they admitted it was a bug that was going to be covered in the next release. The solution is to manually add the 100.x.x Tailscale IP /32 to the fields.
      They released a new update and now it shows Tailscale networks, but it's wrong; I still need to use a direct (hardcoded) value in the field. Hope this helps.

    • @Shabba-k2x
      @Shabba-k2x 4 months ago

      Stumbled across a thread on the Netgate forums; for the latest version you only need to create a WAN rule for UDP destination port 41641, for any source and any destination (could play about with exact addresses if you want to make it more secure). This allowed all my roaming clients to have a direct connection to my home network, especially my Jellyfin server for on-the-go streaming.

  • @Dxun2
    @Dxun2 2 years ago

    Thanks for this great walkthrough, Christian!
    You might want to blur your email address in the Routing Limitations video segment, though.

  • @sagarsriva
    @sagarsriva 1 year ago

    Great video!

  • @im.thatoneguy
    @im.thatoneguy 2 years ago +2

    A secondary goal of this effort, debugging Tailscale's UPnP/NAT-PCP compatibility with pfSense, would also be welcome. It seems to work great at home on my Ubiquiti ER-X, but our work machines behind pfSense don't seem to be able to request open ports. Other apps like Parsec have no trouble requesting open ports.

    • @ChristianMcDonald
      @ChristianMcDonald 2 years ago

      tailscale.com/kb/1146/pfsense/ ?

    • @im.thatoneguy
      @im.thatoneguy 2 years ago

      @@ChristianMcDonald Yeah, we have both enabled, but Windows machines inside our network don't seem to succeed in requesting a hole.

  • @StefanWeichinger
    @StefanWeichinger 11 months ago +1

    Is the Outbound NAT rule still necessary, or is it maybe set under the hood by the package already? Testing this in Dec 2023 and I can't even choose "Tailscale address" as the NAT interface in a new Outbound NAT rule. Trying to route to a subnet connected via IPsec ...

    • @8095945088
      @8095945088 11 months ago +4

      Use "Network or Alias" and put in the Tailscale IP address 100.xx.xx.xx; it should work fine.

  • @satdevlpr
    @satdevlpr 2 years ago

    Great video, please keep it up..

  • @JohnFilion
    @JohnFilion 3 months ago

    Thanks for putting this video together. Is it still necessary to create the outbound NAT rules? I tried setting this up, and I can't specify "Tailscale address" for the NAT Address. Has the procedure changed, or did I do something wrong?

  • @scottc2211
    @scottc2211 2 years ago +1

    Greatly appreciate all your work and effort on such an excellent product; absolutely love pfSense. Following your information I was able to set up Tailscale with the greatest of ease. One question comes to mind: will there eventually be a Tailscale widget for the home screen like the other options available? Again, thank you, and I greatly appreciate your time.

  • @hjaltioj
    @hjaltioj 2 years ago

    Nice. :D Thank you for the good work :D

  • @rjmunt
    @rjmunt 2 years ago +1

    I added the NAT Outbound rules for Tailscale on my networks. However, my phone still cannot establish a direct connection (only relayed). Is the only option to enable NAT-PMP? Are there any drawbacks to that?

  • @MrChris79
    @MrChris79 2 years ago +1

    NICE. I've been waiting for a reason to jump on the Tailscale bandwagon!

    • @l0gic23
      @l0gic23 2 years ago +2

      All you had to do was listen to an ad on one of the Jupiter Broadcasting podcasts... Their real examples were all the motivation I needed.

  • @ryanroberts210
    @ryanroberts210 2 years ago +2

    I've got two networks on two different pfSense boxes talking to each other, accessible, etc... Great, thanks! What I'd like to do, though, is have one pfSense be the Exit Node for the other, i.e. all the traffic in and out of one pfSense goes through the other. I see how to use an Exit Node with a phone or laptop, but not how to tell the pfSense subnet router to use the other one... Any ideas? Thx

    • @amirabbasmaleki83
      @amirabbasmaleki83 2 years ago

      As Ryan said, is there any way to advertise one pfSense as an exit node and route the other sites' clients and LAN devices to use this tunnel as their gateway???

  • @dave.gallant
    @dave.gallant 2 years ago

    Thanks!

  • @vlaktorbb
    @vlaktorbb 9 months ago +1

    Thanks for this awesome in-depth video. But how can you ping devices on the Tailscale network from behind the pfSense? I tried to set up an outbound NAT rule, but the NAT alias is missing. I've tried to set it up via a network alias, but this isn't working, sadly. Seems this part is broken in the latest 23.09.1 update.

    • @RafedwinAbreu
      @RafedwinAbreu 9 months ago +1

      Use "Network or Alias" and put in the Tailscale IP address 100.xx.xx.xx; it should work fine.

  • @GrishTech
    @GrishTech 1 year ago

    14:18 - I have a question about this listening port. For some reason, external devices that are behind their own NAT that can't be punched through fail to establish a direct connection with the pfSense firewall, even if I have an allow rule on WAN. However, any devices behind the pfSense firewall can establish a direct connection for inbound attempts. What gives that the pfSense firewall itself is not able to receive inbound direct connection attempts? I tried static port via manual NAT rules, UPnP, etc.

  • @davidg4512
    @davidg4512 1 year ago

    So, it appears that when you do source NAT for Tailscale, ACLs don't work properly. Destination NAT at the final pfSense Tailscale node appears to work. Does the ACL get checked by every Tailscale node or only those that advertise the route?

  • @tasi
    @tasi 2 years ago

    Great job Christian, thanks for this update.

  • @avecruxspesunica2552
    @avecruxspesunica2552 2 years ago +1

    Trying out Tailscale... I have a SiteA(pfSense)-to-SiteB(pfSense) with both using Tailscale. I have SiteA set as 'Exit Node'. How do I force SiteB to use SiteA as 'Exit Node'?

    • @user-fw6eg3hc8f
      @user-fw6eg3hc8f 1 year ago

      I think from the pfSense Tailscale settings you select "Advertise Exit Node".

  • @PedroMorenoBOS
    @PedroMorenoBOS 1 year ago

    Excellent teacher, I will follow this service. When do you plan to enable the firewall to let us apply rules on the interface? Thanks.

  • @ElvisImpersonator
    @ElvisImpersonator 1 year ago

    Excellent tutorial! Had site-to-site (one site behind double NAT) Tailscale up and running in 30 minutes. Any chance multicast (aka Bonjour) can be advertised across the tailnet to allow automatic discovery? Maybe with rules or the IGMP proxy in pfSense?

  • @marktomlinson6922
    @marktomlinson6922 1 year ago

    Great explanation. I have one question for yourself or anyone else reading this: in this site1-to-site2 setup (pfSense1 to pfSense2), for a device behind the pfSense1 router, how do you get it to use the DNS from pfSense2 to resolve and connect to a device behind the pfSense2 router?

  • @radupopa6642
    @radupopa6642 1 year ago

    A regular Tailscale node can be configured to use another exit node, if that other node was approved to act as an exit node for the Tailscale network.
    Is there a way to configure the pfSense Tailscale node to use an existing exit node? I could not figure this out...

  • @joeychou8627
    @joeychou8627 2 years ago

    Great video, do you have a plan to make a similar introduction and deep dive for the ZeroTier package on pfSense?

  • @joelc1328
    @joelc1328 2 years ago

    @Christian, I have a use case where I'm trying to block one port from a PC but allow everything else to traverse the Tailscale VPN. I think I have to do this through ACLs, but I have read the documentation and still can't figure it out. Any help would be appreciated!

  • @petergplus6667
    @petergplus6667 2 years ago +3

    I wasn't able to establish functioning WireGuard connections with pfSense. I use the IPsec of my routers for now. Am I correct that Tailscale is an easier implementation of WireGuard, so I can retry?

    • @igorkholobayev7779
      @igorkholobayev7779 2 years ago +1

      My WireGuard is running great. Let me know if you need help.

  • @PowerUsr1
    @PowerUsr1 2 years ago

    Any plans coming down to control Tailscale access using pf firewall rules? As "fun" as it is to write JSON, it's clearly easier to maintain using the firewall.

  • @PeterNordin
    @PeterNordin 8 months ago +1

    Maybe I'm stupid or I'm missing something essential.
    When I try to set up the Hybrid Outbound NAT I stumble on a problem.
    I set Interface to Tailscale as you showed, and I set Source to "Network or Alias" and insert the subnet of my LAN interface.
    Then down at Translation, when I try to set Address to "Tailscale address", I can't find it in the dropdown list. I first thought you had made an alias, but I see a space.
    Why can't I see the Tailscale address under Translation Address?

    • @nathansalt5765
      @nathansalt5765 8 months ago

      I have the same problem. Under Routes the Tailscale subnets show up, but the gateway is listed as link# and not tailscale. So there is no Tailscale gateway to point to.

    • @RafedwinAbreu
      @RafedwinAbreu 8 months ago

      Use "Network or Alias" and put in the Tailscale IP address 100.xx.xx.xx; it should work fine.

    • @PeterNordin
      @PeterNordin 8 months ago +1

      @@RafedwinAbreu Thanks, and what subnet mask to use, /24 or /32?

  • @TradersTradingEdge
    @TradersTradingEdge 2 years ago

    Thanks Christian, great explanation.
    Is there a way I can route TS traffic through HA-Proxy? WAN > TS > HA-Proxy > MyService
    Is that possible?

  • @neosmith80
    @neosmith80 2 years ago

    Great video... just need to turn up the audio! :)

  • @networkadminbr
    @networkadminbr 2 years ago

    Hi Christian, do you have some material about WireGuard+OSPF? Because I know that WireGuard can't use multicast, how can I solve this? Thank you.

  • @sebastianpulver3604
    @sebastianpulver3604 2 years ago

    Is it possible to use OSPF over Tailscale to advertise the routes instead of Tailscale itself?

  • @kingrafe
    @kingrafe 1 year ago

    I cannot get my subnets to show. I think I am missing a firewall rule or setting that allows you to see the subnet.

  • @phattunit
    @phattunit 1 year ago

    Tailscale is ❤

  • @rudypieplenbosch6752
    @rudypieplenbosch6752 2 years ago

    Would be great if something similar could be done for ZeroTier, so I don't need to spin up a VM for it.

  • @danroberts2055
    @danroberts2055 7 months ago

    I'm at my wits' end. I have two pfSense devices: 1. pfSense Plus behind Starlink and 2. pfSense CE behind T-Mobile. I have Tailscale running on both with NAT rules on both, and I can get from the T-Mobile device to the Starlink device, but I can't get from the Starlink device to the T-Mobile device. Both show routes correctly in pfSense and both ping using tailscale ping, but when I try to reach the T-Mobile router from the Starlink router I get nothing. HELP! I have scanned the web and watched every YT video I can... don't know what's happening. ... the only thing I can think of is that Starlink is a 100. network.... This doesn't happen if I'm on a phone using Tailscale and try to get to either. I can get to both via my phone, just not from the Starlink device to the T-Mobile device.

  • @visghost
    @visghost 2 years ago

    It would also be cool if pfSense had a GPON setup function; I so dream of removing the provider's Wi-Fi router so that I can do without a router and connect the optics directly to pfSense.

  • @diogernesoliveira5309
    @diogernesoliveira5309 1 year ago

    How do you create site-to-site on pfSense through Tailscale?

  • @crazyvanilla03
    @crazyvanilla03 1 month ago

    Why am I not getting "Tailscale address" as the translation address?

  • @MrCWoodhouse
    @MrCWoodhouse 1 year ago

    I found a strange bug. I struggled for hours. Why won't it work? In the Advertised Routes section, I had a blank line below the route I wanted. Once I deleted the blank line it worked just fine! Maybe when you parse the dialog box it creates wrong JSON if there is a blank line.
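    As an added example (not code from the video or from the pfSense package), here is a defensive parser in Python for the kind of "one route per line" textarea described in this comment. It drops blank lines and stray whitespace instead of passing them through to the command line or JSON it feeds, validates each entry as a CIDR, normalizes entries with host bits set, drops duplicates, and warns when a route falls inside 100.64.0.0/10, the CGNAT block Tailscale uses for node addresses, which is the collision a commenter behind Starlink's 100. network suspects further up the thread. The sample textarea, the function names and the warning texts are all constructed for this example.

```python
import ipaddress
from typing import List, Tuple

# Tailscale assigns node addresses out of the CGNAT block 100.64.0.0/10.
# (Known fact about Tailscale, not something taken from the comment thread.)
TAILSCALE_CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample of what someone might paste into the Advertised Routes box:
# a good route, a blank line, a route with host bits set, a route inside the
# CGNAT block, a typo, and a duplicate.
SAMPLE_TEXTAREA = """\
192.168.1.0/24

10.10.0.5/24
100.70.0.0/16
not-a-route
192.168.1.0/24
"""


def parse_advertised_routes(text: str) -> Tuple[List[str], List[str]]:
    """Turn textarea contents into a clean list of CIDR strings.

    Blank lines and surrounding whitespace are skipped rather than passed through
    to whatever builds the tailscale command or its JSON config, which is the
    failure mode described in the thread. Returns (routes, warnings); each
    warning carries the textarea line number so the user can fix the input.
    """
    routes: List[str] = []
    warnings: List[str] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # the blank line that broke the original configuration
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            # Either garbage, or a valid prefix with host bits set: retry leniently.
            try:
                net = ipaddress.ip_network(line, strict=False)
            except ValueError:
                warnings.append(f"line {lineno}: {line!r} is not a valid CIDR, skipped")
                continue
            warnings.append(f"line {lineno}: {line} has host bits set, normalized to {net}")
        if net.version == 4 and net.overlaps(TAILSCALE_CGNAT):
            # A LAN carved out of 100.64.0.0/10 collides with Tailscale's own addresses.
            warnings.append(f"line {lineno}: {net} overlaps Tailscale's {TAILSCALE_CGNAT} range")
        key = str(net)
        if key in seen:
            warnings.append(f"line {lineno}: duplicate route {key} skipped")
            continue
        seen.add(key)
        routes.append(key)
    return routes, warnings


def advertise_routes_flag(routes: List[str]) -> str:
    """Build the --advertise-routes argument tailscale expects: comma-separated, no blanks."""
    return "--advertise-routes=" + ",".join(routes)


if __name__ == "__main__":
    routes, warnings = parse_advertised_routes(SAMPLE_TEXTAREA)
    print("tailscale up", advertise_routes_flag(routes))
    for w in warnings:
        print("warning:", w)
```

    Routes inside the CGNAT block are kept but flagged rather than rejected, since whether such a route is usable depends on the rest of the tailnet; the point is that the user sees the overlap before debugging asymmetric reachability like the Starlink case above.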

  • @jp_baril
    @jp_baril 2 years ago +1

    Hi, pfSense (and networking) newbie here.
    Having Tailscale installed on pfSense, from the pfSense machine itself I can ping a remote device by its Tailscale IP.
    Now, how can my LAN devices behind my pfSense router also ping that remote Tailscale IP?
    Thank you.

    • @BinaryHackerMan
      @BinaryHackerMan 2 years ago

      You have to enable subnets from the Tailscale control center.

    • @nathansalt5765
      @nathansalt5765 8 months ago

      I've got the same problem. Using ping in pfSense I can ping my remote Tailscale address and the devices on its subnet. It's not getting passed locally through pfSense, unfortunately.

    • @jp_baril
      @jp_baril 8 months ago

      Actually, the answer was in the video. It's the outbound NAT (@28:30).

    • @nathansalt5765
      @nathansalt5765 8 months ago

      @@jp_baril Yeah, I did that but it still didn't work.

  • @GrishTech
    @GrishTech 1 year ago

    Would be great in the future if Tailscale WireGuard for BSD could allow source NAT to be disabled, just as we can in Linux with --snat-subnet-routes=false.

    • @GrishTech
      @GrishTech 1 year ago

      I understand the userspace limitations. The performance is nonetheless acceptable.

  • @Simonthadude
    @Simonthadude 2 years ago

    Thanks!

  • @4Covenant
    @4Covenant 1 year ago

    You can do the same scheme but with a third site.
    Greetings

  • @anand-nb4bb
    @anand-nb4bb 1 month ago

    Hi Bro, can you please make a detailed step-by-step video on configuring pfSense OpenVPN with split tunneling and configuring Ubuntu as a VPN client. Please, it's a request. Kindly reply.
    Thanks & regards,

  • @kevinlindashaw957
    @kevinlindashaw957 2 years ago

    Solved!! ... Wrong startup command for the Linux machine ... should use "sudo tailscale up --accept-routes", not "sudo tailscale up" ...
    How to ping the computers behind the pfSense box?
    I have Tailscale running on my pfSense box with subnets enabled in the control server, and there are computers behind the pfSense box. I have Tailscale running on my Linux machine in another location (it has its own Tailscale IP). The computers behind the pfSense box can ping the Tailscale IP of the Linux machine. The Linux machine can ping the Tailscale IP of the pfSense box (I can even sign into the pfSense box from the Linux machine), but how do I get the Linux machine to access any of the computers behind the pfSense box??

  • @AJ-FL
    @AJ-FL 1 year ago

    PLEASE PLEASE PLEASE 🙏 Can we finally have MultiWAN FAILBACK AS I HAVE over 12 accounts running EDGEROUTER appliances which failback works flawlessly when having metered LTE WAN Connections 🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏🙏
    These clients have requested more powerful m/capable hardware and PFSENSE would be the perfect solution if it had failback function for multi-WAN 🙏🙏🙏🙏

  • @PowerUsr1
    @PowerUsr1 2 years ago +2

    How does this compare to ZeroTier?

    • @PowerUsr1
      @PowerUsr1 2 years ago

      @StevenTheElder Why would they hate it? It's similar tech.

    • @jimthompson971
      @jimthompson971 2 years ago +1

      @StevenTheElder I wouldn't say we "hate it". That's not true. But someone has to do the work, and someone has to maintain it.

  • @GpconnectInfohotspot
    @GpconnectInfohotspot 2 years ago

    Why don't we have an API to create vouchers for the captive portal on the fly?

  • @raul230285
    @raul230285 2 years ago

    Probed Nebula VPN

  • @dotnetfx40i93
    @dotnetfx40i93 6 months ago

    Why will pfSense not control Tailscale traffic... WTF, I should trust Tailscale..... In fact I will not trust it, and for that reason rules on the Tailscale admin panel will not help me to trust it. 22:00

  • @PowerUsr1
    @PowerUsr1 1 year ago

    It's been a couple of months trying TS and it's really so unimpressive from a scalability perspective. The documentation is OK-ish when it comes time to implement ACLs, but the whole point of this level of control on a firewall is to have the firewall control access through rules and have some auditing of what is hitting those rules. All pfSense is doing here is acting as a router. No firewall rules. No restrictions.
    This just isn't ready for an enterprise IMO. Keep it in the home lab or maybe a small business where traffic control isn't needed. Hard pass.