OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: hoshimachi on December 27, 2024, 01:30:43 PM

Title: Tailscale Bypasses Firewall Rules
Post by: hoshimachi on December 27, 2024, 01:30:43 PM
Versions
OPNsense 24.7.11_2-amd64
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15
os-tailscale 1.0

Using both zenarmor's tutorial (https://www.zenarmor.com/docs/network-security-tutorials/how-to-install-and-configure-tailscale-on-opnsens) and miniksa's comment re. outbound NAT (https://forum.opnsense.org/index.php?quote=177360;topic=35464), I have been able to successfully set up Tailscale on OPNsense, allowing my LAN subnet to access nodes/services behind an external Tailscale node advertising routes, and other devices on the tailnet can access these nodes/services. The Tailscale setup is very basic at the moment (only the information relevant to the setup is given):

OPNsense advertises routes to 10.128.20.0/24
OPNsense has interface 10.128.20.1, called DMZ
RPi node at remote location advertises routes to 192.168.128.0/24
RPi node has IP of 192.168.128.5

Outbound traffic is being filtered based on my own defined ACLs; however, the firewall setup instructions in the zenarmor tutorial do not affect inbound traffic whatsoever. Firewall logs only show traffic from 10.128.20.1 to nodes within the subnet, which is allowed by default ("let out anything from firewall host itself"). This applies both to devices within the 192.168.128.0/24 subnet and to other tailnet devices.
What am I missing here, and how can I prevent this? I still want to be able to define ACLs for this traffic without relying solely on Tailscale's ACL system. It seems that it is skipping the ACL entirely for the assigned TAILSCALE interface and jumping straight to the DMZ interface.

(https://i.ibb.co/vdsBZH3/opsense1.png)
(https://i.ibb.co/XxDmH8V/opnsense2.png)
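The observation in the post (DMZ hosts are reached, but the only log entries are "out" on the DMZ interface from 10.128.20.1, and nothing is logged "in" on the Tailscale interface) can be checked mechanically against the filter log. The script below is an added example written for this thread, not code from OPNsense, the os-tailscale plugin or the poster. It parses OPNsense filterlog lines (the comma-separated payload after the syslog header, IPv4 layout: rulenr, subrulenr, anchor, label, interface, reason, action, direction, ipversion, then tos, ecn, ttl, id, offset, flags, protonum, protoname, length, src, dst, and srcport, dstport for TCP/UDP) and reports every destination in a subnet that shows up only as outbound traffic sourced from the firewall's own address, with no inbound decision logged on the ingress interface. Interface names (vtnet1 for DMZ, tailscale0 for the Tailscale tun), the rule labels and all log lines are constructed assumptions.

```python
"""Added example: find flows into a subnet that the filter log shows only as
outbound, firewall-sourced traffic, with no ingress decision on the
Tailscale interface. Constructed for this thread; not OPNsense/os-tailscale
code. Assumed names: vtnet1 = DMZ interface, tailscale0 = Tailscale tun
interface; rule labels (rids) and all sample log lines are made up."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# The filterlog payload begins: rulenr,subrulenr,anchor,label,interface,
# reason,action,direction,ipversion,... so the regex locates it inside a raw
# syslog line (RFC5424 or classic format) and hands the rest to the parser.
_PAYLOAD = re.compile(
    r"(\d+,\d*,[^,]*,[^,]*,[^,\s]+,[a-z]+,(?:pass|block|reject),(?:in|out),[46],.*)$"
)

# Constructed mapping from logged rule label (rid) to the description the UI
# shows; real rids are 32-character hex hashes.
RULE_NAMES: Dict[str, str] = {
    "a1a1a1a1": "let out anything from firewall host itself",
    "b2b2b2b2": "TAILSCALE: allow DNS to DMZ resolver",
    "c3c3c3c3": "Default deny / state violation rule",
    "d4d4d4d4": "DMZ: allow out to resolver",
}

# Constructed sample log: two DMZ hosts reached only as 'out' on vtnet1 from the
# firewall address, one flow passed 'in' on tailscale0 (and seen leaving vtnet1
# with its tailnet source intact), and one flow blocked 'in' on tailscale0.
SAMPLE_LOG = """\
<134>1 2024-12-27T13:20:01+00:00 opnsense filterlog 63123 - [meta sequenceId="1"] 4,,,a1a1a1a1,vtnet1,match,pass,out,4,0x0,,63,31337,0,DF,6,tcp,60,10.128.20.1,10.128.20.10,51234,22,0,S,1234567:1234567,,65535,,mss
<134>1 2024-12-27T13:20:02+00:00 opnsense filterlog 63123 - [meta sequenceId="2"] 4,,,a1a1a1a1,vtnet1,match,pass,out,4,0x0,,63,31338,0,DF,6,tcp,60,10.128.20.1,10.128.20.11,52000,443,0,S,2345678:2345678,,65535,,mss
<134>1 2024-12-27T13:20:03+00:00 opnsense filterlog 63123 - [meta sequenceId="3"] 117,,,b2b2b2b2,tailscale0,match,pass,in,4,0x0,,64,0,0,DF,17,udp,61,100.101.102.103,10.128.20.12,41000,53,41
<134>1 2024-12-27T13:20:03+00:00 opnsense filterlog 63123 - [meta sequenceId="4"] 118,,,d4d4d4d4,vtnet1,match,pass,out,4,0x0,,63,0,0,DF,17,udp,61,100.101.102.103,10.128.20.12,41000,53,41
<134>1 2024-12-27T13:20:04+00:00 opnsense filterlog 63123 - [meta sequenceId="5"] 12,,,c3c3c3c3,tailscale0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,100.64.0.9,10.128.20.13,40000,3389,0,S,3456789:3456789,,65535,,mss
"""


@dataclass(frozen=True)
class Flow:
    iface: str
    direction: str      # "in" or "out"
    action: str         # "pass", "block" or "reject"
    rule: str           # logged rule label (rid), or rule number if no label
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def parse_filterlog(line: str) -> Optional[Flow]:
    """Parse one IPv4 filterlog line; return None for anything else."""
    m = _PAYLOAD.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 20 or f[8] != "4":          # only the IPv4 field layout is handled
        return None
    proto = f[16]
    dport = None
    if proto in ("tcp", "udp") and len(f) > 21 and f[21].isdigit():
        dport = int(f[21])
    return Flow(f[4], f[7], f[6], f[3] or f[0], proto, f[18], f[19], dport)


def flows_toward(records: List[Flow], subnet: str) -> Dict[str, List[Flow]]:
    """Group log entries by destination address inside `subnet`."""
    net = ipaddress.ip_network(subnet)
    by_dst: Dict[str, List[Flow]] = defaultdict(list)
    for r in records:
        try:
            if ipaddress.ip_address(r.dst) in net:
                by_dst[r.dst].append(r)
        except ValueError:
            continue
    return by_dst


def unfiltered_ingress(records: List[Flow], subnet: str, gateway: str,
                       ingress_iface: str) -> Dict[str, List[Flow]]:
    """Destinations in `subnet` seen only as 'out' entries sourced from `gateway`
    (the firewall's own address on that subnet) and never as an 'in' decision on
    `ingress_iface`. A blocked 'in' entry counts as a decision, so it is not flagged."""
    flagged: Dict[str, List[Flow]] = {}
    for dst, recs in flows_toward(records, subnet).items():
        decided_on_ingress = any(r.iface == ingress_iface and r.direction == "in" for r in recs)
        masqueraded = [r for r in recs if r.direction == "out" and r.src == gateway]
        if masqueraded and not decided_on_ingress:
            flagged[dst] = masqueraded
    return flagged


def report(log_text: str, subnet: str, gateway: str, ingress_iface: str) -> List[str]:
    """One line per flagged destination, naming the rule that let the traffic out."""
    records = [r for r in map(parse_filterlog, log_text.splitlines()) if r]
    flagged = unfiltered_ingress(records, subnet, gateway, ingress_iface)
    lines = []
    for dst, recs in sorted(flagged.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        rules = sorted({RULE_NAMES.get(r.rule, r.rule) for r in recs})
        ports = sorted({f"{r.proto}/{r.dport}" for r in recs})
        lines.append(f"{dst}: {len(recs)} flow(s) {', '.join(ports)} logged only as 'out' "
                     f"from {gateway} via {'; '.join(rules)}; no 'in' decision on {ingress_iface}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, "10.128.20.0/24", "10.128.20.1", "tailscale0"):
        print(line)
```

On a live box, feed the contents of /var/log/filter/latest.log to `report()` with the real DMZ address and Tailscale interface name. Two caveats apply. pf only writes filterlog entries for rules that have logging enabled, so "no 'in' decision logged" means either that no logging rule matched inbound on that interface or that the match was made by a rule with logging off; confirm with a capture (`tcpdump -ni tailscale0` alongside the DMZ interface) that the packets really do enter on the Tailscale interface and compare the source address on both sides. And an entry whose source is the firewall's own DMZ address on the way out is consistent with source translation (outbound NAT) happening before the packet leaves, which is why it lands on "let out anything from firewall host itself"; the script surfaces that pattern but does not determine which NAT rule produced it.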
Title: Re: Tailscale Bypasses Firewall Rules
Post by: Vinez on March 02, 2025, 12:24:30 PM
Have you ever found a solution? My exit node seems to ignore all firewall rules.