OPNsense Forum

English Forums => Virtual private networks => Topic started by: chd1hun on January 28, 2025, 01:33:08 PM

Title: Tailscale and OPNsense Web GUI.
Post by: chd1hun on January 28, 2025, 01:33:08 PM
Hi, first of all I would like to thank the devs for an outstanding FOSS product. I have installed the latest version of OPNsense and have my setup with the new Tailscale plugin completed. Most of everything works as I intended.
There is one minor problem I would like to ask about. In the attachment is the one and only firewall rule on my tailscale interface.
With this rule:
- Normal tailscale function works: a tailscaled client can access a service on one subnet through OPNsense (subnet advertised, the VM hosting that service itself is not exposed directly to tailscale)
- However, the client cannot connect to the OPNsense management Web GUI with the OPNsense tailscale IP. (Double checked, the tailscale interface is listed under System: Settings: Administration: Listening interface)

*If I change the "source" part of this rule to "any" instead of "TLSC net", then the client can access the OPNsense Web GUI.

My question is, as per my understanding, in this particular case source "any" or "TLSC net" should have the same result? Or am I missing something?




Title: Re: Tailscale and OPNsense Web GUI.
Post by: Ben S on February 03, 2025, 11:04:11 AM
It looks like the tailscale 'network' alias is a single IP on IPv4 - confirmed from Firewall > Diagnostics > Aliases and also ifconfig showing a netmask of 0xffffffff.

'any' should be safe as there should only be trusted traffic on the tailnet but you'd have to use 100.64.0.0/10 if you wanted to lock it down to tailscale IPs. Seems like for IPv6 the interface does have a /48 mask so you'd only see this problem for IPv4.
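
Added example, not part of either forum post: a short Python check of why a rule with source "TLSC net" drops IPv4 peers while 100.64.0.0/10 accepts them. The ifconfig text, the addresses and the function names are constructed for illustration; the netmask 0xffffffff, the /48 prefix length and the 100.64.0.0/10 range come from the reply above.

```python
import ipaddress
import re

# Constructed sample of ifconfig output for the Tailscale interface.
SAMPLE_IFCONFIG = """\
tailscale0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> mtu 1280
	inet 100.101.102.103 netmask 0xffffffff
	inet6 fd7a:115c:a1e0::1234 prefixlen 48
"""

# Range suggested in the reply for locking the rule down to Tailscale IPv4 peers.
TAILSCALE_V4 = ipaddress.ip_network("100.64.0.0/10")


def interface_networks(ifconfig_text):
    """Return the networks an '<interface> net' alias would cover."""
    nets = []
    # IPv4 lines carry a hexadecimal netmask; count its set bits for the prefix.
    for m in re.finditer(r"inet (\S+) netmask (0x[0-9a-fA-F]{8})", ifconfig_text):
        prefix = bin(int(m.group(2), 16)).count("1")
        nets.append(ipaddress.ip_network(f"{m.group(1)}/{prefix}", strict=False))
    # IPv6 lines carry a decimal prefix length; drop any %scope suffix.
    for m in re.finditer(r"inet6 (\S+) prefixlen (\d+)", ifconfig_text):
        addr = m.group(1).split("%")[0]
        nets.append(ipaddress.ip_network(f"{addr}/{m.group(2)}", strict=False))
    return nets


def rule_matches(source, allowed_networks):
    """True if a packet from `source` matches a rule limited to these networks."""
    ip = ipaddress.ip_address(source)
    return any(ip.version == n.version and ip in n for n in allowed_networks)


if __name__ == "__main__":
    alias = interface_networks(SAMPLE_IFCONFIG)
    print("interface net alias:", [str(n) for n in alias])
    # Constructed peer addresses: one IPv4 client, one IPv6 client.
    for peer in ("100.70.1.2", "fd7a:115c:a1e0::5678"):
        print(peer,
              "| source=<iface> net:", rule_matches(peer, alias),
              "| source=100.64.0.0/10:", rule_matches(peer, [TAILSCALE_V4]))
```

On the real firewall, compare the result against Firewall > Diagnostics > Aliases, as the reply did, before changing the rule's source.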