pfSense Exit Node Direct Connections
-
I have my pfSense box configured as an exit node to replace the mobile IPsec configuration I was using before. There are no Tailscale clients inside my local network. I have several mobile devices that need to connect to the Tailscale exit node when they are away from home.
Everything is working except I can only get direct connections when the mobile devices are on the cellular network. Once they are at a workplace and behind another router they stay stuck in relay mode.
It seems like all the information I find is related to setting up pfSense to make sure that Tailscale clients behind pfSense are able to use NAT-PMP or static NAT rules in order to facilitate direct connections. Are there any rules that need to be set up to make it easier for remote clients to create direct connections to an exit node running directly on pfSense?
-
After a crazy amount of web searching, I ran across this blog: https://blog.pilif.me/2022/07/28/tailscale-on-pfsense/
Creating the WAN rule to allow traffic to port 41641 has allowed all the machines that were previously relayed 100% of the time to connect directly.
If anyone sees anything inherently dangerous about this rule, please let me know. Otherwise, hopefully this will help someone else to have more direct connections to their pfSense exit node / subnet router.
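As an added example (not from the thread, Tailscale or pfSense), a small Python check for the two things discussed above: which peers are still relayed, parsed from `tailscale status --json`, and whether a WAN pass rule for UDP 41641 is actually loaded, parsed from `pfctl -sr`. The embedded sample outputs are constructed, and the interface name and rule label are assumptions.

```python
import json
import re
import subprocess

# Constructed sample of `tailscale status --json` (abridged to the fields used here).
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "pfsense", "TailscaleIPs": ["100.64.0.1"]},
    "Peer": {
        "nodekey:aaaa": {"HostName": "phone", "CurAddr": "203.0.113.10:41641",
                         "Relay": "fra", "Active": True},
        "nodekey:bbbb": {"HostName": "laptop", "CurAddr": "", "Relay": "fra",
                         "Active": True},
        "nodekey:cccc": {"HostName": "tablet", "CurAddr": "", "Relay": "",
                         "Active": False},
    },
})

# Constructed sample of `pfctl -sr` output; "em0" and the label are assumptions.
SAMPLE_RULES = """\
block drop in log quick on em0 inet from 127.0.0.0/8 to any
pass in quick on em0 inet proto udp from any to any port = 41641 keep state label "USER_RULE: Tailscale"
pass out quick on em0 inet all flags S/SA keep state
"""

def classify_peers(status_json: str) -> dict:
    """Map hostname -> 'direct' (CurAddr set), 'relay' (active, no CurAddr) or 'idle'."""
    result = {}
    for peer in json.loads(status_json).get("Peer", {}).values():
        name = peer.get("HostName", "?")
        if peer.get("CurAddr"):
            result[name] = "direct"
        elif peer.get("Active"):
            result[name] = "relay"          # traffic is going through a DERP relay
        else:
            result[name] = "idle"
    return result

def relayed_peers(status_json: str) -> list:
    return sorted(n for n, s in classify_peers(status_json).items() if s == "relay")

def wan_udp_rule_loaded(pfctl_rules: str, iface: str, port: int = 41641) -> bool:
    """True if an inbound pass rule for UDP <port> exists on <iface> in loaded pf rules."""
    pat = re.compile(rf"^pass in .*on {re.escape(iface)} .*proto udp .*port = {port}\b")
    return any(pat.match(line) for line in pfctl_rules.splitlines())

def run(cmd: list) -> str:
    # Live variants, to be run on the pfSense host itself.
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    print("relayed peers:", relayed_peers(SAMPLE_STATUS))
    print("WAN rule loaded:", wan_udp_rule_loaded(SAMPLE_RULES, "em0"))
```

On the live box, replace the samples with `run(["tailscale", "status", "--json"])` and `run(["pfctl", "-sr"])`; a peer that stays in `relay` after the rule is loaded usually points at the remote side's NAT rather than pfSense.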