Credit goes to forum.netgate.com

  • Tailscale Package Now Available on pfSense Software!

    Pinned
    7
    9 Votes
    7 Posts
    7k Views
    S
    For some reason I cannot access my LAN despite advertising it as a 192.168.X.X/24 route in the pfSense Tailscale setting. I am using headscale, running an Ubuntu Tailscale client with the "--accpet-routes=true" option. I can connect to the pfsense 10.64.X.X interface, but not to the LAN beyond it...
  • How to update to the latest Tailscale version?

    248
    1 Votes
    248 Posts
    146k Views
    E
    Updated CE 2.8.1 to 1.98.5_1
    Freshports
        pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.98.5_1.pkg
    Changelog
  • 0 Votes
    2 Posts
    284 Views
    T
    For now I've resorted to adding a file under: /usr/local/etc/rc.d/tailscale_fix_group
    It is called tailscale_fix_group; it ensures tailscale0 is always a member of the 'Tailscale' interface group after pfsense_tailscaled starts.
    Code in tailscale_fix_group below, you can add it from GUI. Just open edit file and save path: /usr/local/etc/rc.d/tailscale_fix_group
    Paste the code below and press save.

        #!/bin/sh

        . /etc/rc.subr

        name="tailscale_fix_group"
        start_cmd="tailscale_fix_group_start"
        stop_cmd=":"

        tailscale_fix_group_start()
        {
            local _iface="tailscale0"
            local _group="Tailscale"
            local _waited=0
            local _max=30

            # Poll once per second (up to _max seconds) until the interface exists
            while [ $_waited -lt $_max ]; do
                if /sbin/ifconfig ${_iface} >/dev/null 2>&1; then
                    # Nothing to do if the interface is already in the group
                    if /sbin/ifconfig ${_iface} | grep -qw "${_group}"; then
                        logger -s -t tailscale "tailscale_fix_group: ${_iface} already in group ${_group}"
                        return 0
                    fi
                    /sbin/ifconfig ${_iface} group ${_group} >/dev/null 2>&1 && {
                        logger -s -t tailscale "tailscale_fix_group: added ${_iface} to group ${_group}"
                        return 0
                    }
                fi
                sleep 1
                _waited=$((_waited + 1))
            done

            logger -s -t tailscale "tailscale_fix_group: ERROR could not add ${_iface} to group ${_group} after ${_max}s"
            return 1
        }

        run_rc_command "$1"
  • Assign tailscale interface - boot issues

    1
    0 Votes
    1 Posts
    153 Views
    No one has replied
  • Is this possible with Tailscale?

    3
    0 Votes
    3 Posts
    291 Views
    keyserK
    @luckman212 said in Is this possible with Tailscale?:

        @keyser good questions! I have Tailscale disabled right now on my 6100 while I wait to see if there will be any news on 16784, so I didn't get to try these yet. But my initial thought is it would probably be preferred to use Tailscale's native Serve feature to provide ingress to your RDP servers from other tailnet-joined devices. This way you get the benefit of their granular ACLs, logging etc. Any reason not to go that route?

    Ideally I agree, but this is a special case in more than one sense.
    1: The customer would much prefer NOT to have any access at all to anything behind the pfSense apart from the forwarded ports needed. Call it extra security from operator mistakes
    2: There will be 10 sites+ participating in the tailnet, and all LAN subnets on these sites are the same 192.168.100.0/24 (not meant to be routed together), so advertising the subnet will not work on more than one site at a time (unless I come up with tricky masquerading which I won’t)
  • "Tailscale is not online" problem

    71
    1
    0 Votes
    71 Posts
    37k Views
    luckman212L
    @vcr58 Glad the script helped you. It's been working well for me too. I thought the format of the QRY and WANT variables was clear, but I just edited the gist and added some more help. Yes, you should use an FQDN hostname from a node in your Tailnet, comprised of the host part and your complete tailnet domain e.g. server23 + tailXXX.ts.net
    If anyone isn't sure, here's a 1-liner you can run from your pfSense (or any machine joined to the tailnet that has jq installed) to output a list of possible values:

        tailscale status --json | jq -r '.Peer | to_entries | map(select(.value.DNSName!=""))[].value | "QRY=\(.DNSName)\tWANT=\(.TailscaleIPs | map(select(test(":")|not))[0])"'
  • OAuth Credentials (Trust Credentials) for Tailscale connection

    35
    0 Votes
    35 Posts
    5k Views
    chudakC
    @GLaDER I see reboot problems as discussed here https://forum.netgate.com/topic/200417/pfs-won-t-reboot-via-ssh-session/19?_=1774622593964 Wonder if you can take a look and say what you think? TIA
  • Update package?

    4
    0 Votes
    4 Posts
    2k Views
    S
    @elvisimprsntr said in Update package?:

        @sensewolf You can manually update the tailscale package. Myself and others have been doing it for a while now. You can follow along here https://forum.netgate.com/post/1212811

        1. Leave pfSense Tailscale package installed
        2. Use the command line to install the latest Tailscale package from Freshports
           NOTE: Install from FreeBSD 14 or 15 depending on which pfSense version you are running. i.e. 2.7.2 CE is on 14. Latest pfSense+ is on FreeBSD 15
           EXAMPLES:
               pkg add -f https://pkg.freebsd.org/FreeBSD:14:amd64/quarterly/All/tailscale-1.82.5.pkg
               pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.82.0.pkg
           [image: 1745382816601-screenshot-2025-04-23-at-12.32.27-am.png]
        3. Manually restart Tailscale package using the pfSense GUI.
           NOTE: The pfSense package manager will still show the released Tailscale version, but the Tailscale status page will show the updated version.
           [image: 1745572198856-screenshot-2025-04-25-at-5.06.19-am-resized.png] [image: 1745572212797-screenshot-2025-04-25-at-5.06.44-am-resized.png]

    Very effective. Thank you very much.
  • Tailscale with pfsense exit node, no DNS

    37
    0 Votes
    37 Posts
    15k Views
    B
    I know this is an older post, but ran across this same issue. It looks to me when I enable DNS Query Forwarding under DNS options this will allow me to use the default Tailscale DNS and can use as an exit node without issues.
  • Full Tunnel & Split tunnel question

    1
    0 Votes
    1 Posts
    107 Views
    No one has replied
  • 0 Votes
    4 Posts
    1k Views
    luckman212L
    @johnpoz Thanks for this. Helped me today. I ended up handling it a bit differently. I guess your way would make it impossible to re-auth via the GUI if you ever needed to enter a new auth key. What I do instead is run this via a cron job every 10m. It does a few common healthchecks and nukes the authkey from its source rc file if it finds the service is logged out. I haven't tested yet, but in theory this should allow the normal auth + key method to still operate.

        #!/bin/sh
        QRY='my-pfsense-hostname.foo-blah.ts.net'
        WANT='100.100.101.101' #pfSense tailnet IP
        RESTART=0

        # Check 1: MagicDNS (100.100.100.100) resolves our own name to the expected tailnet IP
        res=$(dig +time=1 +tries=1 +short -t a "$QRY" @100.100.100.100)
        if [ "$res" != "$WANT" ] ; then
          RESTART=1
          logger -t tailscaled "Quad100 invalid DNS response ($res)"
        fi

        # Check 2: tailscale0 is still a member of the Tailscale interface group
        if ! ifconfig -g Tailscale | grep -q tailscale0 ; then
          RESTART=1
          logger -t tailscaled "tailscale0 does not have interface group set"
        fi

        # Check 3: logged out? any() folds all Health entries into a single true/false,
        # and []? tolerates a missing or empty Health list
        res=$(tailscale status --json | jq -r '[.Health[]? | contains("logged out")] | any')
        if [ "$res" = "true" ]; then
          RESTART=1
          logger -t tailscaled "tailscale is logged out"
          # Drop the stored auth key so a new one can be entered via the GUI
          sed -i.bak '/pfsense_tailscaled_authkey.*/d' /usr/local/etc/rc.conf.d/pfsense_tailscaled
        fi

        if [ "$RESTART" -eq 1 ] ; then
          logger -t tailscaled "Restarting tailscale service"
          pfSsh.php playback svc restart tailscale
        fi
  • I need to restart tailscale service after pfsense reboot

    10
    0 Votes
    10 Posts
    2k Views
    CarlMRossC
    @Wolf666 Thank you, I will try it. Unfortunately, since I had already replaced the contents of /usr/local/etc/rc.d/tailscaled and it had been working so far, I will not be able to tell which of the two solved the problem. And of course, I can't find a copy of the old .../rc.d/tailscaled. Therefore, if none of this works, it will require yet another delete and reinstall of everything Tailscale in my system.
  • Tailscale online, can reach "LAN side" but can't ping the tailscale IP

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Tailscale & HAProxy

    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Tailscale not online

    19
    0 Votes
    19 Posts
    12k Views
    W
    @totalimpact in my case I did not reboot the router, after I copied the new key tailscale went online.
  • can I install a FreeBSD 14 pkg on a FreeBSD 15 pfSense?

    6
    0 Votes
    6 Posts
    2k Views
    V
    With Tailscale, I just recommend sticking with the FreeBSD15 version. Yes, it may currently work using the FreeBSD 14 package despite being on 15, but any number of other updates could result in that not being the case anymore. Not to mention the fact that any updates newer than 1.84.2_1 don't really impact functionality for what people would be using Tailscale for with PfSense so updating past that is not an absolute necessity. I run 1.86.4 on my desktop+phone and 1.84.2_1 on my pfsense router. Phone commonly uses the PfSense router as an exit node and there's no difference for PfSense. TL;DR: Better to be safe than sorry and stick with the FreeBSD 15 version even if it's not the latest version of Tailscale.
  • Tailscale Package Stuck in "Offline" State - GUI Broken After Reinstall

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • One way traffic over Tailscale VPN

    1
    0 Votes
    1 Posts
    865 Views
    No one has replied
  • Tailscale and Firewall Rules

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Tailscale Routes not working on pfsense

    3
    0 Votes
    3 Posts
    2k Views
    A
    @maxpol @TravisH Did you get this resolved? I have the same issues or very similar. The first tailnet client works, then when I add additional ones they sometimes work, but majoritively they fail. PFSense+ latest f/w. All endpoints showing online in tailscale status within pfsense and also on the tailscale portal. Thanks
Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.