Can Tailscale let my phone connect to my entire LAN through pfSense?

I’m rather frustrated at this point, since I haven’t done routing or firewall work in 15 years and I’ve forgotten a lot of it. I’ve spent a lot of time researching and trying multiple solutions and feel like I’ve been wasting a lot of time and banging my head against a brick wall for a few weeks. Several people have suggested Tailscale, so I’d like to know if it can do what I want easily without having to set up everything and test it, or spend an evening or two researching only to find out it won’t help me.

At home (and my office, which is on the same LAN), I have a Starlink dish (which means it uses CGNAT), then my Starlink router, then pfSense, and then my LAN. I know I can put Tailscale on my LAN systems, but I change them around, especially multiple Raspberry Pis, for various reasons and I have some systems, like Home Assistant, that are on variations of Linux, but not actual Linux, so I might not be able to put a Tailscale client on them.

I want to be able to put a client package (of Tailscale or something else) on my mobile devices (both on iOS) and a client on my pfSense firewall. I really don’t want to have to put clients on my individual computers on my LAN, for the reasons I gave above. Then I’d like to be able to set up the client on my pfSense firewall so it acts as a client for the entire LAN, so I can use my phone, connect to pfSense, and, from there, be able to reach the entire LAN.

This video makes me think that’s possible, since he uses a diagram showing how he’s bridged 2 networks. I didn’t follow it all, since it’s mostly about configuring Tailscale and I don’t want to get into that until I know if it’ll do what I want. His network diagram - and this is a screenshot:

is close to what I want, except instead of a 2nd network, I’d like to have just my iPhone or iPad that connects to the first network. I also understand Tailscale works without having to open firewall ports. I like the security that provides. (Although, since I have CGNAT, I’m not sure how critical an issue an open port is behind that.)

Is this possible? Is it easy to configure? And can I do it without it also rerouting all my traffic to the main internet by using my iPhone or pfSense as an exit point for everything?

At this point, IF I have a solution I know can do what I want, I don’t mind doing the work for it, but I’m exhausted because I’ve been setting up and testing other solutions and have spent a lot of time on ideas that either just won’t work or do what I want or that I just can’t make work.

I don’t use pfSense myself, so I can’t claim to have practical confirmation for pfSense in particular.
But yes! This should totally work, because any tailscale node can advertise routes of a network it’s connected to, such that external devices (connected to the same tailnet) can access the network behind that node.
And there is also a Tailscale plugin for pfSense.

In the settings you can set “Advertised Routes”, where you can enter the subnet you want to allow your phones access to (whenever they are connected via tailscale).

The gist is:

1. Install Tailscale plugin on pfSense (via the package manager).
2. Start it (VPN → Tailscale).
3. Generate an AUTH-KEY (via tailscale’s admin console website) and paste it into the tailscale plugin.
4. In the “settings” tab:
   • Enter your LAN’s IP range into “Advertised Routes” (in CIDR notation), e.g.: 192.168.178.0/24
   • Enable tailscale (via the checkbox).
   • Save

That’s it for the main steps on your LAN side.

Then install the tailscale app on your iOS devices, authenticate them and once you’ve successfully connected them to your tailnet, they should be able to reach IPs from your LAN (via the subnet route you advertised in step 4).

There are a few more details of course, like settings for the AUTH-KEY, MagicDNS settings, ACLs, etc.
But this is all you need to setup the routing so that your external tailscale devices can access the network behind your pfSense tailscale node.

---

Here some links to start you out with:
Tailscale: Subnet routers and traffic relay nodes (for allowing access to LAN’s behind a tailscale device)
WunderTech: How to Set Up Tailscale on pfSense in 2023 (You don’t need the “Advertise Exit Node” setting though)
Tailscale: Considerations when using firewalls
Tailscale: pfSense settings to enable direct connections

I also don’t use pfSense, however, my setup is similar. I have T-Mobile Home internet that uses CGNAT, connected to my Ubiquity router (running Tailscale on it), then connected to my LAN. I advertise my subnet on the router, and I am able to access everything on my local home LAN from outside my network via Tailscale installed on my Android phone.

I’ve read both replies so far and thank you for the time. I’m dealing with more frustration because I tried to update pfSense today. There’s a problem with the EFI partition size, so I have to update it through the console and the drivers that should work with the chip in the SG-1100 are not working for me on either Linux or macOS. I tried installing Tailscale earlier, but it won’t install with my current version because it lacks some newer PHP improvements, so until I get this issue resolved, I’m stuck.

I have considered setting up a client on one of my other systems in my LAN, but I don’t want to go through that process and still have to install it on my firewall. (My firewall is the one system I can count on ALWAYS being up if anything is, so I want to base it there, not on another system.)

When I get the upgrade issue fixed, I’ll report how things went with Tailscale.

I’ve done it both ways. I always end up having it installed on my router. But I do have a Virtual Machine that I have used as well that works just fine. I keep it around just in case I need it for something. It may be worth installing it on something and setting it up just to get a feel for how everything works. You can always remove that client when you have it working on your gateway.

Say I downloaded a Linux client and put it on a Linux system. Just a guess - how long are we talking to get it set up? Minutes? An hour? Several hours?

it takes me minutes, but I have done it a few times. There are instructions on the Tailscale website. You will want a ‘subnet router’, not an exit node.

Thanks!

If I seem picky or reluctant to try it, it’s because I’ve gone through so many services, programs, or procedures that just would not work. The only one I’ve tried where I think the issue is me is OpenVPN. From what I understand, it should work, but I followed the directions and got help and I still could not connect to my LAN like I wanted. (Also, I was following instructions on multiple sites, since I had to put parts of the process together. I think info on the various sites may have created conflicts.) I have spent so much time and effort on this, I’ve reached a point where I want to know what to expect before I jump in.

I have found a Linux version with a late enough kernel I can put it on a RPi and I should be able to get the USB driver to work to communicate with my pfSense box, so I’m going to try that first (since, no matter what, I need to upgrade pfSense once I can make it work). If that works easily, I’ll do it on pfSense. If not, I’ll set up an instance on my Linux media server and use that until I get pfSense upgraded so I can use that.

Once you have the subnet router running, be sure to log into your admin console (tailscale.com/admin) and approve the routes. It won’t work until you do that.

I have it up and running. Turns out the pfSense upgrade issue was hardware - apparently the case is a bit thick and I’m not the first person to have an issue plugging the cable into that particular port. I guess the last cable I tried (the 5th one) had a connector a bit longer than the others and it worked. (It was later I found this is apparently something others have reported.) Once I got that working, I had the firewall upgraded in 10 minutes.

From there I set up Tailscale - and it’s working well! I did run into one thing I’m hoping can be made a bit easier for me. Here’s my post about that.