Tailscale Bypasses Firewall Rules

Started by hoshimachi, December 27, 2024, 01:30:43 PM

December 27, 2024, 01:30:43 PM Last Edit: December 27, 2024, 06:22:47 PM by hoshimachi Reason: bad title, additional info, added images
Versions
OPNsense 24.7.11_2-amd64
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15
os-tailscale 1.0

Using both zenarmor's tutorial and miniksa's comment re. outbound NAT, I have been able to successfully set up Tailscale on OPNsense, allowing my LAN subnet to access nodes/services behind an external Tailscale node advertising routes, and allowing other devices on the tailnet to access these nodes/services. The Tailscale setup is very basic at the moment (only providing the information relevant to the setup):

OPNsense advertises routes to 10.128.20.0/24
OPNsense has interface 10.128.20.1, called DMZ
RPi node at remote location advertises routes to 192.168.128.0/24
RPi node has IP of 192.168.128.5

Outbound traffic is being filtered based on my own defined ACLs; however, the firewall setup instructions in the zenarmor tutorial do not affect inbound traffic whatsoever. Firewall logs only show traffic from 10.128.20.1 to nodes within the subnet, which is allowed by default ("let out anything from firewall host itself"). This applies both to devices within the 192.168.128.0/24 subnet and to other tailnet devices.
What am I missing here, and how can I prevent this? I still want to be able to define ACLs for this traffic, without relying solely on Tailscale's ACL system. It seems that it is skipping the ACL entirely for the assigned interface for TAILSCALE and jumping straight to the DMZ's interface.
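To make the symptom in the post concrete, here is an added example (not code from the thread or from OPNsense/Tailscale) that classifies constructed flow records for the topology above. It assumes the post's addresses (10.128.20.1 as the DMZ interface, 10.128.20.0/24 and 192.168.128.0/24 as the advertised routes) and the well-known Tailscale node range 100.64.0.0/10; the interface name "tailscale0" and the record layout are assumptions.

```python
"""Separate DMZ-bound flows whose source is still a tailnet/remote address
(matchable by the poster's own rules) from flows that appear to come from
the firewall itself (caught by "let out anything from firewall host itself").
"""
import ipaddress

DMZ_IF_ADDR = ipaddress.ip_address("10.128.20.1")        # OPNsense DMZ interface
DMZ_NET = ipaddress.ip_network("10.128.20.0/24")         # advertised by OPNsense
REMOTE_NET = ipaddress.ip_network("192.168.128.0/24")    # advertised by the RPi node
TAILNET_CGNAT = ipaddress.ip_network("100.64.0.0/10")    # Tailscale node addresses

# Constructed sample records, not real firewall logs: (interface, src, dst, action)
SAMPLE_FLOWS = [
    ("tailscale0", "192.168.128.5", "10.128.20.50", "pass"),   # RPi subnet, source intact
    ("dmz", "10.128.20.1", "10.128.20.50", "pass"),            # looks like the firewall itself
    ("dmz", "100.101.102.103", "10.128.20.50", "pass"),        # tailnet node, source intact
    ("dmz", "10.128.20.1", "10.128.20.60", "pass"),            # looks like the firewall itself
    ("dmz", "10.128.20.50", "192.168.128.5", "pass"),          # return/outbound direction
]


def classify(iface, src, dst):
    """Label one DMZ-bound flow by what its source address reveals."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d not in DMZ_NET:
        return "not-dmz-bound"
    if s == DMZ_IF_ADDR:
        # Source is the firewall's own DMZ address: the default
        # "let out anything from firewall host itself" rule matches it,
        # so no per-source ACL on the Tailscale interface can apply.
        return "appears-from-firewall-self"
    if s in REMOTE_NET or s in TAILNET_CGNAT:
        # Original tailnet/remote source preserved: a rule on this
        # interface can still match it by source address.
        return "tailnet-origin-visible"
    return "other"


def summarize(flows):
    """Count flows per label so the two cases can be compared at a glance."""
    counts = {}
    for iface, src, dst, _action in flows:
        label = classify(iface, src, dst)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{label:28s} {n}")
```

Run against real OPNsense filter logs, a high count of "appears-from-firewall-self" flows into the DMZ confirms that the traffic the poster wants to filter is reaching the rule set with the firewall's own address as source.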



Have you ever found a solution? My exit node seems to ignore all firewall rules.