Resolved, see bottom.
I've been using Tailscale for a really really long time, originally with the port, then with the plugin. Worked without any issue, following the directions for rules. That was, until 2 nights ago. I rebooted my VPS, which is a remote tailscale node, as I've done many many times before without issue. I watched the tailscale connection come up...but nothing went through (more details below post-testing). Since then, I've been losing my mind, trying to figure out wtf changed and how to fix it. Please help!
I've reviewed other posts recently about Tailscale issues and the few that seem to match what I'm seeing were abandoned by the person asking, so no resolution was ever mentioned.
Testing info/details:
* Tailscale ACL is (and always has been) set up with ICMP allowed all:all for diagnosing scenarios just like this.
* From Opnsense to the VPS & VPS to Opnsense, pings work fine. I can ping either the host's actual IP or the tailscale IP of the device.
* From the VPS side, I can ping anything on the Opnsense network. That tells me the all:all ACL is working as intended and the connection is good.
* From the Opnsense side, ONLY the Opnsense will ping things on the VPS side. It will not route anyone else to it.
* I _do_ have the rules that allow LAN to get to Tailscale. Those have not been changed in more than a year.
* I _do_ have the NAT Outbound rules for Tailscale. Those also have not been changed in more than a year.
* I'm not seeing any dropped/blocked packets in the Opnsense logs at all. Instead, I see the firewall rules passing the traffic without issue (i.e., LAN to Tailscale), but the far tailscale devices never receive them. This seems like the NAT Outbound rule issue...but those rules are there and enabled. Unless something changed in how they're supposed to be configured, those are as they've been for a year+.
* Routes are being advertised and are approved on Tailscale (again, not changed in forever).
* The node has not expired.
LAN: 192.168.0.0/24
Opnsense: 192.168.0.1 & 172.0.0.1
Tailscale: 172.0.0.0/24
VPS Tailscale IP: 172.0.0.2
From Opnsense, I can ping 172.0.0.2.
From LAN, I can ping 172.0.0.1, but not 172.0.0.2
From VPS, I can ping 172.0.0.1 and all of 192.168.0.0/24
Anyone got any ideas, before I lose what's left of my hair over this surprise issue?
EDIT: Figured it out. An IoT device was apparently advertising routes that don't exist and killing a lot of the true advertised routes. Gotta go throw an IoT device against the wall a few times now.
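An added check, not part of the original post, for the failure mode the edit describes: a second node advertising routes that duplicate or overlap the real subnet routers' routes. It parses the JSON shape of `tailscale status --json` (`Self`/`Peer` entries with `AllowedIPs` and `PrimaryRoutes`) and reports every subnet claimed by more than one node, plus which node currently holds the primary route. The status below is constructed; the `iot-thing` node, the `10.9.0.0/24` subnet and the bogus `192.168.0.0/16` it advertises are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of `tailscale status --json` (subset of fields).
# Addresses follow the post; the "iot-thing" node and the 10.9.0.0/24 subnet are assumed.
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "opnsense", "TailscaleIPs": ["172.0.0.1"],
             "AllowedIPs": ["172.0.0.1/32", "192.168.0.0/24"],
             "PrimaryRoutes": ["192.168.0.0/24"]},
    "Peer": {
        "nodekey:vps": {"HostName": "vps", "TailscaleIPs": ["172.0.0.2"],
                        "AllowedIPs": ["172.0.0.2/32", "10.9.0.0/24"],
                        "PrimaryRoutes": []},   # lost primary to the IoT node
        "nodekey:iot": {"HostName": "iot-thing", "TailscaleIPs": ["172.0.0.3"],
                        "AllowedIPs": ["172.0.0.3/32", "10.9.0.0/24", "192.168.0.0/16"],
                        "PrimaryRoutes": ["10.9.0.0/24", "192.168.0.0/16"]},
    },
})


def advertised_subnets(node):
    """Subnet routes a node is approved for: its AllowedIPs minus its own host addresses."""
    own = {ipaddress.ip_network(ip) for ip in node.get("TailscaleIPs") or []}
    routes = {ipaddress.ip_network(r) for r in node.get("AllowedIPs") or []}
    return routes - own


def find_route_conflicts(status_json):
    """Return {subnet: {"claimed_by": [...], "primary": [...]}} for every advertised subnet
    that another node also claims, exactly or by overlap (a /16 swallowing a /24 counts)."""
    status = json.loads(status_json)
    nodes = [status.get("Self") or {}] + list((status.get("Peer") or {}).values())
    claims = []  # (subnet, hostname, node is primary router for it)
    for node in nodes:
        name = node.get("HostName", "?")
        primary = {ipaddress.ip_network(r) for r in node.get("PrimaryRoutes") or []}
        claims.extend((s, name, s in primary) for s in advertised_subnets(node))
    conflicts = {}
    for subnet, _, _ in claims:
        hits = [(s, n, p) for s, n, p in claims if s.overlaps(subnet)]
        if len({n for _, n, _ in hits}) > 1:  # more than one node wants this range
            conflicts[str(subnet)] = {
                "claimed_by": sorted(f"{n} ({s})" for s, n, _ in hits),
                "primary": sorted(f"{n} ({s})" for s, n, p in hits if p),
            }
    return conflicts


if __name__ == "__main__":
    for subnet, info in sorted(find_route_conflicts(SAMPLE_STATUS).items()):
        print(f"{subnet}: claimed by {info['claimed_by']}; primary {info['primary']}")
```

On a real node, feed the function the text of `tailscale status --json` instead of the sample; any subnet whose `primary` entry names a node other than the intended router is the one to investigate.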