Messages - gio_kiborg

#1
Thanks for the suggestion; I will look into tunnels as a redundancy.

I managed to configure the routes correctly and can now access my LAN resources from outside.
For noobs like myself, the reference:
I used this video as the main guide: https://www.youtube.com/watch?v=u_6Zd7Bo6J4

1. Install Headscale on a VPS (I used an Oracle Free Tier VPS, as suggested in the video; the AWS free tier can also be used)
2. Install the Tailscale client on OPNsense: https://tailscale.com/kb/1097/install-opnsense
3. Add the client to the Headscale server (refer to the video and the KB article above)
4. Advertise the exit node on OPNsense (refer to the video and https://tailscale.com/kb/1103/exit-nodes)
5. Advertise routes on OPNsense: https://tailscale.com/kb/1019/subnets (there is no direct link for OPNsense or FreeBSD, but you can use the Linux command; you need to use a combined command including the login server, exit node and route, but if you only advertise the route, the CLI will suggest the full command including all of the above)
6. Make sure to enable the subnet route as well for the internal LAN: sudo headscale routes enable -r <ROUTE ID>
The route ID can be found using the sudo headscale routes list command on your VPS.

Optional: install a Headscale web UI on the VPS if you prefer it to the CLI (there are several options on GitHub, or use the following video tutorial: https://youtu.be/OKwrfmMoAk0?t=1750 for this one: https://github.com/iFargle/headscale-webui)

#2
Quote from: Reiner030 on April 21, 2024, 04:51:44 PM
As you already found out, there are many articles and videos about implementing such a tunnel.
Important for pfSense/OPNsense is still the opening of the tunnel for the needed ports 80/443 to let traffic in, which can be forgotten for normal routing usage.

Did you also find this direct configuration guide?
https://tailscale.com/kb/1097/install-opnsense
Unfortunately, since I am behind carrier-grade NAT, I cannot port forward;
otherwise I do have OpenVPN installed on my home server, and it was working fine (with LAN access) with my previous ISP (which was giving "true" IPv4 addresses).

Thanks, I found that article, but after closer reading I understand that I found the KB link there for subnet routing: https://tailscale.com/kb/1019/subnets

Since I am using Headscale on a VPS (which I configured according to this guide: https://www.youtube.com/watch?v=u_6Zd7Bo6J4), I need to adjust the settings there, since I am already advertising the OPNsense subnet.
#3
I found this thread, where the author says that they have access to the LAN through the OPNsense firewall via the tailnet:
https://forum.opnsense.org/index.php?topic=35464.0
I tried to run a similar command to advertise my LAN route:
tailscale up --advertise-routes=192.168.2.0/24 --advertise-exit-node --accept-dns=false --accept-routes
Also, I found this video, but unfortunately it is for pfSense, and the difference is large enough that I cannot configure my OPNsense from it: https://www.youtube.com/watch?v=P-q-8R67OPY

As I understand it, I just need one simple step to achieve my goal (being able to access the LAN through the tailnet), but unfortunately I am not knowledgeable enough to figure it out.
#4
Hello,

My new ISP has CG-NAT, so I cannot use port forwarding.

I configured ZeroTier on my OPNsense firewall and home server, so I can connect to them directly (10.X.X.X/24 network).

I also configured a Headscale server on an Oracle Free Cloud VPS, installed the Tailscale client on the OPNsense firewall and configured it as an exit node, so I can route all my Tailscale client traffic through it (100.X.X.X/24 network).

The only thing I have left is to have full access to my home LAN (192.168.2.X/24 network), not only to my firewall/home server but to other devices where I cannot/do not want to install a ZeroTier or Tailscale client (for example the network video recorder).

So is it possible to route/translate IP traffic from the [Tailscale] or [ZeroTier] interface through my internal [LAN] and assign a static or DHCP internal LAN IP?
For example, my laptop has the ZeroTier IP 10.151.16.2; it can connect to the firewall 10.151.16.3 and the home server 10.151.16.4, but not to the network video recorder, which has the static LAN address 192.168.2.2.
Similarly, my laptop has the Tailscale IP 100.1.1.2 and can connect to the firewall 100.1.1.3; I can even turn the firewall into an exit node, but I still cannot access the internal LAN.

I guess there could be a firewall rule to take the IP from one interface ([ZeroTier] or [Tailscale]) and add it to the [LAN] interface as static or DHCP, so that when I connect to ZeroTier or Tailscale I am assigned an internal LAN IP as well, not just a point-to-point and/or exit node connection?

#5
I noticed the ! but thought it was a typo ;D
Thanks!
Now both are available in the LAN, and I checked the internet connectivity of my TV: it says that it is connected to the router but not to the internet.
Thanks again
#6
Quote from: cookiemonster on April 14, 2024, 06:38:52 PM
You could create a firewall rule on the LAN interface where these devices are.
action: reject
direction: in
quick: yes
Source: alias for your device
port destination: ! LAN net
Needs to go before the default "allow LAN to any".
The devices in the same network will go via the switch, not via OPN unless it's the gateway for the VLANs, so you can still get to them.
#7
Quote from: cookiemonster on April 14, 2024, 06:38:52 PM
You could create a firewall rule on the LAN interface where these devices are.
action: reject
direction: in
quick: yes
Source: alias for your device
port destination: ! LAN net
Needs to go before the default "allow LAN to any".
The devices in the same network will go via the switch, not via OPN unless it's the gateway for the VLANs, so you can still get to them.

Thank you very much for the suggestion!
I created aliases for those 2 devices (via IP) and, as you suggested, created the rule above the other LAN rules.

The problem is that the TV is not seeing my media server (OpenMediaVault with the MiniDLNA server running); when I disabled the rule and restarted the router, it worked again.
What am I doing wrong?
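To make the rule cookiemonster describes above concrete (reject, quick, source = alias of the two devices, destination = ! LAN net, placed before the default "allow LAN to any"), here is an added example that models how pf, the packet filter behind OPNsense, evaluates such a ruleset. It is not code from the thread or from OPNsense; the LAN is the poster's 192.168.2.0/24, the NVR address 192.168.2.2 is from the thread, and the TV (192.168.2.3), firewall (192.168.2.1) and PC (192.168.2.50) addresses are assumptions. It checks the four variants people actually end up with: the correct ruleset, the rule placed after the allow-any rule, the rule with the "!" forgotten, and the rule without "quick".

```python
"""pf-style evaluation of the 'keep two LAN devices off the internet' rule.

Added example, not from the OPNsense forum thread. Addresses are constructed:
LAN 192.168.2.0/24 and the NVR at .2 are from the thread; the TV at .3,
the firewall at .1 and a PC at .50 are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Union

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

LAN_NET: Net = ipaddress.ip_network("192.168.2.0/24")
# The alias holding the two devices (NVR from the thread, TV assumed).
NO_INTERNET: Set[Addr] = {
    ipaddress.ip_address("192.168.2.2"),   # network video recorder
    ipaddress.ip_address("192.168.2.3"),   # smart TV (assumed address)
}


@dataclass
class Rule:
    name: str
    action: str                        # "pass" or "reject"
    src: Union[Set[Addr], Net, None]   # alias, network, or None = any
    dst: Optional[Net]                 # network, or None = any
    dst_negated: bool = False          # the "!" (not) toggle on the destination
    quick: bool = True                 # OPNsense GUI rules are quick by default


def matches(rule: Rule, src: Addr, dst: Addr) -> bool:
    """Does this rule match a packet from src to dst?"""
    if rule.src is not None and src not in rule.src:
        return False
    if rule.dst is not None:
        # With "!" the rule matches exactly when dst is OUTSIDE rule.dst.
        if (dst in rule.dst) == rule.dst_negated:
            return False
    return True


def evaluate(rules: List[Rule], src: Addr, dst: Addr, default: str = "block") -> str:
    """pf semantics: a matching *quick* rule decides immediately; without quick,
    the LAST matching rule wins; no match falls to the implicit default block."""
    verdict = default
    for rule in rules:
        if matches(rule, src, dst):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# The rule as suggested: reject, source = alias, destination = ! LAN net, quick.
BLOCK_TV_NVR = Rule("reject no_internet -> ! LAN net", "reject",
                    NO_INTERNET, LAN_NET, dst_negated=True, quick=True)
ALLOW_LAN_ANY = Rule("Default allow LAN to any", "pass", LAN_NET, None, quick=True)

CORRECT_ORDER = [BLOCK_TV_NVR, ALLOW_LAN_ANY]
WRONG_ORDER = [ALLOW_LAN_ANY, BLOCK_TV_NVR]          # allow-any is hit first
MISSING_NEGATION = [                                  # "!" forgotten on the destination
    Rule("reject no_internet -> LAN net", "reject", NO_INTERNET, LAN_NET, quick=True),
    ALLOW_LAN_ANY,
]
NOT_QUICK = [                                         # neither rule is quick
    Rule(BLOCK_TV_NVR.name, "reject", NO_INTERNET, LAN_NET, dst_negated=True, quick=False),
    Rule(ALLOW_LAN_ANY.name, "pass", LAN_NET, None, quick=False),
]


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Verdicts for three flows that do traverse OPNsense (off-subnet, or to the
    firewall itself). Same-subnet traffic, e.g. TV -> media server, goes through
    the switch and never reaches these rules."""
    tv = ipaddress.ip_address("192.168.2.3")
    pc = ipaddress.ip_address("192.168.2.50")
    firewall = ipaddress.ip_address("192.168.2.1")
    internet = ipaddress.ip_address("8.8.8.8")
    return {
        "tv->internet": evaluate(rules, tv, internet),
        "tv->firewall": evaluate(rules, tv, firewall),   # DNS/DHCP to OPNsense
        "pc->internet": evaluate(rules, pc, internet),
    }


if __name__ == "__main__":
    for label, ruleset in [("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER),
                           ("missing !", MISSING_NEGATION), ("not quick", NOT_QUICK)]:
        print(f"{label:14} {verdicts(ruleset)}")
```

Only the correct ordering rejects the TV's internet traffic while still letting it reach the firewall for DNS and DHCP. With the rule below "allow LAN to any" the allow rule matches first and the TV gets out; with the "!" forgotten the rule blocks the TV from reaching OPNsense itself and lets its internet traffic fall through to the allow rule; without "quick" on either rule the later allow rule overrides the reject. The model also reflects cookiemonster's point that traffic between two hosts on the same switched LAN never hits these rules at all, so the reject cannot affect TV-to-media-server traffic, and a "none" gateway in a DHCP lease is only a hint to the client, not enforcement.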
#8
Hello,
I am a novice in OPNsense and I want to make sure I set up the rules correctly.
My home network architecture is as follows:
Internet -> ISP router -> [OPNsense WAN -> OPNsense LAN] -> [internal LAN 16-port switch]
I have my entire internal network connected through a 16-port gigabit PoE switch, so one LAN for everything.
I have 2 Wi-Fi APs (connected to the 16-port switch) and have configured Guest and IoT VLANs (using OpenWrt).

My problem is that I want to block my smart TV and network video recorder from accessing the internet, but they should be accessible inside the LAN.

Previously I was using a Linksys EA6300 (flashed with DD-WRT) router instead of OPNsense, and it was easy to block specific MACs of the TV and camera recorder from internet access.

I did not find a similar option in OPNsense; I searched the forum, but I do not think there is a clear solution for my configuration.
There is a MAC Address Control under Services/DHCPv4/[LAN] where I can block access for these devices using their MAC, but it completely blocks them from accessing the LAN, which is not good; I want to be able to connect my TV to the media server (inside my LAN) and obviously want to have access to the NVR as well.

As I understand it, since I am using a single physical interface, I cannot easily break it into VLANs, and I do not even want to complicate the network; I just want to block 2 devices manually based on their MAC or IP or both.

Currently what I did was to set up static leases for them in DHCP and write "none" for their gateway (see images below).
When I go to my smart TV, it says that there is an issue connecting to the internet (which is good), and I cannot access YouTube or other online services on it, but I can still access my media server; however, when I look at the log files for Zenarmor, I see that my TV is communicating (at least it is going through Zenarmor).

Can you suggest how to make sure that the TV and NVR have no internet access for sure?

Thanks in advance