Hey guys, so I’ve been self hosting for 2 years, making small upgrades until I reached this point where I replaced my router with one of those Chinese fanless firewalls running Intel n150 and running a proxmox homelab.
I am self hosting headscale with many of my buddies connected, including ny own services. Everything was working great until I setup OPNsense.
The firewall was not easy to setup, but after I set it up, I discovered odd behaviors from tailscale.
The firewall was blocking all connections from the ip 100.60.0.0/24, I had to explicitly allow it and change the forewall state to hybrid
What happens is that my LXC containers running tailscale would receive requests from tailscale0 interface but respond via LAN.
Apparently as I understood, consumer routers have assymetric NAT so that works fine, but not with opnsense.
Every guide I read online talks about installing tailscale on the opnsense router directly but I do not want to expose it to the tailscale network.
For now temporarily I set an ip route to tailscale0 and resolved it that way temporarily, but I still cannot get a solution that can help without compromising the firewall.
It’s also very cumbersome to do this for 50+ LXC containers over and over, even with running systemd scripts a problem might happen in the future
If you guys have any experience with this it would help a lot.
You must log in or register to comment.
I might have a solution for you by doing what I’m doing. I’m running OPNSense as my firewall as well. I have one NAT:Port Forward rule for torrents (I really am seeding linux iso torrents) and that is it. Any services I’m hosting outside the network are done using Cloudflare tunnels from either a Cloudflared instance or from the LXC itself. This method has fixed my issues with Plex outside of my network since I was able to turn off “Remote Access” and make it available to my friends/family through a “Custom server access URL” (in the network settings, looks like: https://plex.domain.url,http://192.168.1.xx:32400/). No messy NAT rules to complicate things.
I am also using Tailscale, but I don’t terminate it on my firewall. I terminate Tailscale on another host inside my network, you could probably use an LXC container. It’s a Debian system with Tailscale installed, routing enabled (https://tailscale.com/docs/features/subnet-routers), and set up as an exit node and subnet router. On OPNSense, I set up a Gateway on the LAN interface pointing to my Debian Tailscale router node. Then I pointed the remote networks of my family to the Tailscale router using the routes in OPNSense. Fortunately, for me (and because I set them up), they are all different networks.
The benefit to this method is also that when remotely reaching my services, the traffic looks to the services on my network as if they are coming from the Tailscale router and so return there instead of trying to go out my firewall. Tailscale maintains the tunnel through the firewall so it really isn’t a participant in the Tailnet. The only issue I’ve really had had been DNS with the Tailscale Magic DNS wanted to respond instead on my internal DNS servers. I’ve got MagicDNS disabled. but it always messed stuff up. The way I fixed it was to put Tailscale on my Adguard container and make it’s Tailscale IP the first DNS server, followed by the internal IP addresses of my DNS servers (192. addresses). This has worked for me pretty well.
Please let me know if you want any follow up info. I’ve been doing this for a long time. It’s my main hobby (and directly congruent to my job).
Edit: My security tingle just activated from what I told you. I am the only user on my Tailnet. If you use this method, you will want to configure the Tailnet ACL’s/grants appropriately to restrict access to only what you would want another user to use, rather than have full access inside your network. You can add each host inside your network that they would reach as an ipset and then set restrictions for users inside the rules. I will admit that I did have to use some AI to figure out some of the specific syntax for the access controls, but understand it pretty well now.
No experience with tailscale, but I have opnSense on a firewall appliance like yours and run two wireguard networks one from the opn itself and one from my home server, which is in the DMZ. They all work just fine…
They have different scope and remote peers, but both use my VPS as enter gateway since I am CGNATted.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters DNS Domain Name Service/System IP Internet Protocol LXC Linux Containers NAT Network Address Translation Plex Brand of media server package VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting)
7 acronyms in this thread; the most compressed thread commented on today has 19 acronyms.
[Thread #136 for this comm, first seen 6th Mar 2026, 09:50] [FAQ] [Full list] [Contact] [Source code]
I don’t use Tailscale or Headscale as I’m the only user and happy with Wireguard.
But I had to add my Wireguard interface as default gateway for it’s IP range to my router. Maybe this was set on your old router but isn’t configured yet?
Every guide I read online talks about installing tailscale on the opnsense router directly but I do not want to expose it to the tailscale network.
Opnsense is not my forte, but I do run it’s counterpart pFsense. I use Tailscale as an overlay VPN on both the server and on my standalone pfsense firewall as a pFsense package. Is there a reason you don’t want Opnsense firewall via tailscale? My set up is as follows:
modem —>wireless router —> managed switch —> pFsense with Tailscale overlay —> server (separate VLAN) with Tailscale overlay
It doesn’t make sense to me to expose it to the tailnet even with ACL, on opnsense there is a bug where it would request re-authentication on each restart so that’s an added negative for me when it comes to adding it.
But what exactly do I benefit from adding the firewall directly part of the tailnet? It’s kinda weird when you think about it, this bad boy is the highest tier device where internet comes from and having it to connect to my homelab that depends on it for internet and having the firewall depend on the homelab for tailscale
But what exactly do I benefit from adding the firewall directly part of the tailnet?
Protection of the firewall via it’s overlay VPN characteristics, and communication to the server behind the firewall via an encrypted tunnel.
Have you considered using Cloudflare Tunnels/Zero Trust? With Cloudflare Tunnels/Zero trust, you don’t need to open or close ports, fiddle with NAT, or any of that. You install it on your server, connect to Cloudflare, it punches a hole for the encrypted tunnel. I personally use Cloudflare Tunnels/Zero Trust. Their free tier is quite generous and has many options like Anti-AI scrapers, etc. The caveat to using Cloudflare Tunnels/Zero Trust is that you have to have a domain name that you can edit the nameservers thereof to Cloudflare’s assigned nameservers for obvious reasons. Cloudflare will sell you a domain name, but a lot of people just get a cheapy from NamesCheap or Pork Bun. I got one for less than $5 USD that renews at $15 USD annually.
So, in the scenario that I described in my first response:
modem —>wireless router —> managed switch —> pFsense with Tailscale overlay —> server (separate VLAN) with Tailscale overlay
…is all done through Cloudflare Tunnels/Zero Trust with Tailscale on the server and Tailscale on the standalone pFsense firewall as an overlay VPN protection. Additionally, Tailscale makes for a very secure, emergency ‘backdoor’ to your server should you ever screw up and lock yourself out.
on opnsense there is a bug where it would request re-authentication on each restart so that’s an added negative for me when it comes to adding it.
I’ll have to defer to someone more experienced with Opnsense.
