
Tailscale needs to assign an interface & set firewall rules to allow ICMP on the Tailnet

Open cap10morgan opened this issue 3 months ago • 2 comments

  • [X] I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
  • [X] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
  • [X] The title contains the plugin to which this issue belongs

When you install the Tailscale plugin, it does not assign its tailscale0 interface to an OPNsense interface. So there are no firewall rules for it, nor can you add any until it is assigned.

This causes ICMP packets on the Tailnet to be blocked (at least under some circumstances) with no way to easily unblock them until you manually assign an interface and create firewall rules. This broke PMTUD for me, which broke my Tailscale connection because I'm using PPPoE on one end. This creates just enough of an MTU bottleneck that PMTUD is essential for any real traffic to flow.

It would be nice if this stuff came preconfigured with the plugin.

Environment

OPNsense 25.7.3 (amd64)

cap10morgan, Sep 18 '25 17:09

Interface assignment and configuration are not done by the plugin. To add firewall rules, you need to assign the interface and add any required rules.

sheridans, Nov 08 '25 12:11

Well, the Tailscale plugin doesn't provide an interface group that would add a firewall group rule tab for it. Assignment mostly isn't necessary, but without the group there's no way to set policies.

https://github.com/opnsense/core/blob/master/src/etc/inc/plugins.inc.d/wireguard.inc#L69-L87

fichtner, Nov 08 '25 12:11