Tailscale direct connection

Started by viktri, December 30, 2025, 03:58:06 PM

I'm trying to migrate over from pfsense to opnsense and I am trying to get the VPNs to work. Basically what I do is at every router that has a pfsense box, I'll add a parallel opnsense router. Once I am able to connect my opnsense routers together successfully, I can just plug the switches into the opnsense routers.

So I followed a combination of reddit + Tailscale's opnsense guide to get Tailscale working on Site A. I am able to get a direct connection.
NAT
  • from reddit: interface: tailscale, source: LAN net, NAT address: tailscale address, static port: no
  • from Tailscale docs: interface: WAN, source: LAN net, NAT address: interface address, static port: Yes (do this for ipv4 and ipv6)

Rules
tailscale: pass everything


However, on site B, I was not able to get a direct connection. I did the same as above and I was able to get Tailscale to work but no direct connection. I tried NAT-PMP and Universal Plug and Play and that did not work. On Site B, pfsense has Tailscale working. I asked the LLMs why Tailscale might work on pfsense but not opnsense and it explained something about opnsense having hard NAT while pfsense has easy NAT. Can anyone explain what I might be doing wrong, or whether there really is a difference in the way that pfsense/opnsense do NAT so that it might be impossible for me to get a direct Tailscale connection?
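The "hard NAT" vs "easy NAT" distinction the post asks about is measurable from a host on the LAN side of each firewall. The script below is an added example, not code from the forum post or from Tailscale; it does the same test `tailscale netcheck` reports as `MappingVariesByDestIP`: it sends STUN Binding Requests (RFC 5389) from one local UDP socket to two different STUN servers and compares the public ip:port each server sees. If both servers see the same mapping, the NAT allocates one external port per internal socket (endpoint-independent mapping, "easy"), which is what a static-port outbound rule produces and what WireGuard hole-punching needs. If the mappings differ, the firewall (or an upstream CGNAT) is picking a fresh external port per destination ("hard"), and Tailscale will usually fall back to a DERP relay. The STUN server hostnames are assumptions; any two reachable servers work, and `build_binding_success` exists only to construct sample responses for offline testing.

```python
"""Probe for endpoint-independent ("easy") vs endpoint-dependent ("hard") NAT mapping.

Added example (not from the forum post). Runs the same check as
`tailscale netcheck`'s MappingVariesByDestIP: one UDP socket, two STUN
servers, compare the reflexive address each one reports.
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020

# Assumed public STUN servers; any two reachable servers will do.
STUN_SERVERS = [("stun.l.google.com", 19302), ("stun1.l.google.com", 19302)]


def build_binding_request(txid: bytes) -> bytes:
    """20-byte STUN header: type, length (0), magic cookie, 96-bit transaction ID."""
    assert len(txid) == 12
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def build_binding_success(txid: bytes, ip: str, port: int) -> bytes:
    """Binding Success response carrying XOR-MAPPED-ADDRESS, as a STUN server sends it.
    Only used here to construct sample responses for an offline self-check."""
    addr = struct.unpack("!I", socket.inet_aton(ip))[0]
    value = struct.pack("!BBHI", 0, 0x01, port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_mapped_address(resp: bytes, txid: bytes):
    """Return (ip, port) the server saw, or None if resp is not a Binding Success
    for our transaction. Prefers XOR-MAPPED-ADDRESS, falls back to MAPPED-ADDRESS."""
    if len(resp) < 20:
        return None
    mtype, mlen, cookie = struct.unpack("!HHI", resp[:8])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE or resp[8:20] != txid:
        return None
    body = resp[20:20 + mlen]
    plain = None
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        val = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
        if atype in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) and len(val) >= 8 and val[1] == 0x01:
            port, addr = struct.unpack("!HI", val[2:8])  # IPv4 only
            if atype == ATTR_XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16
                addr ^= MAGIC_COOKIE
                return socket.inet_ntoa(struct.pack("!I", addr)), port
            plain = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    return plain


def classify_nat(mappings):
    """One distinct public ip:port across servers -> "easy" (endpoint-independent
    mapping); more than one -> "hard" (mapping varies by destination)."""
    distinct = {m for m in mappings if m is not None}
    if not distinct:
        return "unknown"
    return "easy" if len(distinct) == 1 else "hard"


def probe(servers=STUN_SERVERS, timeout=2.0):
    """Send one Binding Request per server from the SAME local socket; that single
    source port is the whole point of the test."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind(("0.0.0.0", 0))
    results = []
    try:
        for host, port in servers:
            txid = os.urandom(12)
            sock.sendto(build_binding_request(txid), (host, port))
            try:
                data, _ = sock.recvfrom(2048)
            except socket.timeout:
                results.append(None)
                continue
            results.append(parse_mapped_address(data, txid))
    finally:
        sock.close()
    return results


if __name__ == "__main__":
    seen = probe()
    for (host, _), mapping in zip(STUN_SERVERS, seen):
        print(f"{host}: {mapping}")
    print("NAT mapping:", classify_nat(seen))
```

Run it from a LAN host behind each firewall. An "easy" result at Site A and "hard" at Site B would point at the outbound NAT rule on the Site B OPNsense box rather than at Tailscale itself: pf rewrites the source port to a random one per state unless the rule sets static port, so check that the WAN rule for that host really has static port enabled and that no other outbound rule matches first. A "hard" result from behind both the OPNsense and the pfSense box at the same site points upstream (for example a carrier-grade NAT), which no firewall setting will fix.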