Allowing subnet node to VLAN

I have a Tailscale node that is advertising both my main LAN and now my one VLAN. I use OPNsense here at home.

Lan -


On OPNsense I have only allowed a group of IPs (my devices) to access the VLAN, so I'm wondering if I need to allow access from the node on the LAN to the VLAN. I'm not sure which IP I should be using: the local one or the Tailscale one? Any help would be great.

Side note: I discovered when using nodes to share an entire subnet that if you use the actual mask, your local traffic will still travel through the node. The trick was to change the subnet to one less; that way it only goes through the node when you are not local. For example, my advertised route on the Tailscale node is set to instead of 24. I think that means I should use 27 on the VLAN as well.
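The side note above comes down to how a host chooses between two routes that both cover a destination: the longest matching prefix wins, and when the prefix lengths are equal the OS falls back to a tie-breaker such as a route metric. The following is an added illustration of that selection logic, not code from the original post or from Tailscale. It assumes a /24 LAN, assumes "one less" means a prefix one bit shorter (a /23), and assumes, only to reproduce the symptom described, that the route installed for the advertised subnet carries a better metric than the directly connected LAN route. Addresses, interface names and metrics are constructed.

```python
"""Model of longest-prefix route selection on a Tailscale client host.

Added illustration; not Tailscale's or OPNsense's code. The routing table,
addresses, interface names and metrics below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = "192.168.1.0/24"  # constructed home LAN


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    metric: int  # tie-breaker when prefix lengths are equal; lower wins


def select_route(dst: str, table: list[Route]) -> Optional[Route]:
    """Longest-prefix match; equal lengths are decided by the lower metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def host_table(on_lan: bool, advertised: str, lan: str = LAN) -> list[Route]:
    """Routing table of a client that accepts the advertised subnet route.

    When the client is physically on the LAN it also has the directly
    connected route. Assumption for the model: the accepted Tailscale route
    gets a better (lower) metric, so an equal-length prefix wins the tie and
    local traffic is pulled over tailscale0, which is the symptom in the post.
    """
    table = []
    if on_lan:
        table.append(Route(ipaddress.ip_network(lan), "eth0", metric=100))
    table.append(Route(ipaddress.ip_network(advertised), "tailscale0", metric=50))
    return table


def egress(dst: str, on_lan: bool, advertised: str) -> str:
    """Interface a packet to dst leaves through, or 'unreachable'."""
    route = select_route(dst, host_table(on_lan, advertised))
    return route.iface if route else "unreachable"


def extra_coverage(advertised: str, lan: str = LAN) -> list[ipaddress.IPv4Network]:
    """Addresses a wider advertised prefix covers beyond the LAN itself.

    This is the cost of the trick: a /23 advertised for a /24 LAN also sends
    the neighbouring /24 over the subnet router when the client is remote.
    """
    adv = ipaddress.ip_network(advertised)
    lan_net = ipaddress.ip_network(lan)
    if not lan_net.subnet_of(adv):
        return [adv]
    return list(adv.address_exclude(lan_net))


if __name__ == "__main__":
    target = "192.168.1.50"
    # Same prefix length as the LAN: tie, decided by the constructed metric.
    print("at home, /24 advertised :", egress(target, True, "192.168.1.0/24"))
    # One bit shorter: the directly connected /24 is more specific and wins.
    print("at home, /23 advertised :", egress(target, True, "192.168.0.0/23"))
    # Remote: no local /24 exists, so the /23 via tailscale0 is used.
    print("remote,  /23 advertised :", egress(target, False, "192.168.0.0/23"))
    print("extra addresses a /23 covers:", [str(n) for n in extra_coverage("192.168.0.0/23")])
```

The model shows why widening the advertised prefix works at home: the connected /24 is strictly more specific than a /23, so no tie-breaker is involved. The same arithmetic applies to the VLAN in the post: whatever its real mask is, the advertised prefix has to be shorter than the mask the client sees on its own interface, and `extra_coverage` reports which neighbouring addresses that shorter prefix will also route through the subnet router when you are remote.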

Is your subnet router on both vlans?
Is the opnsense machine your subnet router?

If so, then it should work. The OPNsense machine should have routes added when you --accept-routes.

I do not have a node on the VLAN network, only on the LAN network, which is advertising the routes. That's why I'm curious if I need to adjust the firewall rules for the node's local IP address.

If there’s no node on the VLAN, then there needs to be an explicit gateway/router between the two. Even if the machine that is your Tailscale node is on the same physical network, it won’t be permitted to connect to any devices on that VLAN.

My suggestion would be to install Tailscale on a device on that VLAN, and if you need access to devices that you can’t install Tailscale on, then you can advertise that route.

Basically, your Tailscale node doesn’t know how to reach addresses. So even if you publish the route, traffic can’t flow.

Make sense?

Ah, I figured another node on that VLAN was needed. I figured maybe it was just a matter of allowing the node on the LAN to forward traffic to the VLAN, but I guess not. No worries, I can do that, no problem. Thanks.



So an issue I'm having with Tailscale is that while I'm on the local network, all that traffic is still being sent through Tailscale. This should not be the behavior unless I'm remote. I checked with a tracert and it's definitely relaying through TS. Do you know how to avoid this while local?

That is interesting. I’d like some more information from you on that.

Could you email us at with some details?

  • What are the tailnet (100.?.?.?) addresses of the machines?
  • What services are being routed over Tailscale? Pasting the tracert would be useful

Thank you.

Yes I did thank you, but I thought I would show an example here. My PC is