I have opnsense set as an exit node and I'm advertising my local network on the tailnet. I'm using opnsense as my DNS server with unbound. I'm advertising my opnsense IP as a DNS server to the tailnet.
If I'm not using tailscale as an exit node, my tailscale clients are able to use the opnsense DNS without issue. However, if I set opnsense as an exit node, DNS fails. I can still route to things on the local network and the internet via IP, but not DNS running on opnsense. I've created another DNS server on my local network and I can use that one without issue, but I'd really like to use unbound on opnsense.
I'm guessing maybe I'm missing a rule in opnsense?
[Attached screenshots: rule.PNG, routes.PNG, stateviolation.PNG]
Since the request is coming from the internet, I would have to enable DNS to the global internet? That doesn't sound right ... or safe.
Even though I have the local subnet advertised, it's almost like it can't reach that subnet when using the exit node, even though I can ping things in that subnet.
When I ping the source shows as 127.0.0.1, but when I try to access DNS the source shows as my external IP.