Hey guys, so I’ve been self hosting for 2 years, making small upgrades until I reached this point where I replaced my router with one of those Chinese fanless firewalls running Intel n150 and running a proxmox homelab.
I am self hosting headscale with many of my buddies connected, including ny own services. Everything was working great until I setup OPNsense.
The firewall was not easy to setup, but after I set it up, I discovered odd behaviors from tailscale.
The firewall was blocking all connections from the ip 100.60.0.0/24, I had to explicitly allow it and change the forewall state to hybrid
What happens is that my LXC containers running tailscale would receive requests from tailscale0 interface but respond via LAN.
Apparently as I understood, consumer routers have assymetric NAT so that works fine, but not with opnsense.
Every guide I read online talks about installing tailscale on the opnsense router directly but I do not want to expose it to the tailscale network.
For now temporarily I set an ip route to tailscale0 and resolved it that way temporarily, but I still cannot get a solution that can help without compromising the firewall.
It’s also very cumbersome to do this for 50+ LXC containers over and over, even with running systemd scripts a problem might happen in the future
If you guys have any experience with this it would help a lot.
You must log in or # to comment.
Every guide I read online talks about installing tailscale on the opnsense router directly but I do not want to expose it to the tailscale network.
Opnsense is not my forte, but I do run it’s counterpart pFsense. I use Tailscale as an overlay VPN on both the server and on my standalone pfsense firewall as a pFsense package. Is there a reason you don’t want Opnsense firewall via tailscale? My set up is as follows:
modem —>wireless router —> managed switch —> pFsense with Tailscale overlay —> server (separate VLAN) with Tailscale overlay
It doesn’t make sense to me to expose it to the tailnet even with ACL, on opnsense there is a bug where it would request re-authentication on each restart so that’s an added negative for me when it comes to adding it.
But what exactly do I benefit from adding the firewall directly part of the tailnet? It’s kinda weird when you think about it, this bad boy is the highest tier device where internet comes from and having it to connect to my homelab that depends on it for internet and having the firewall depend on the homelab for tailscale
No experience with tailscale, but I have opnSense on a firewall appliance like yours and run two wireguard networks one from the opn itself and one from my home server, which is in the DMZ. They all work just fine…
They have different scope and remote peers, but both use my VPS as enter gateway since I am CGNATted.
