Direct connections without NAT-PMP or UPNP on OPNSense

I just installed OPNSense to be in front of my network and now all the devices behind it can’t make direct connections, they used to be able to when it was just the ISP router behind.

Now I get “Varies” as “Yes” on the “Client connectivity” part of every node that is behind OPNSense.

What can I do (besides enabling NAT-PMP and UPNP which I don’t particularly enjoy)?

Thank you.

The ISP router was likely “easy NAT”, where tailscaled sends a UDP packet with source port 41641 and the ISP router rewrites it to the same NATed port every time. tailscaled figures out easy NAT by sending UDP frames to a number of the DERP servers to check if it is always the same.

OPNsense is “hard NAT.” Every destination gets a different NAT rewrite, so tailscaled can’t know what port number the other end will see. If both ends of the connection are hard NAT, then it has to fall back to DERP. Having even one side be easy NAT allows direct connections.

The only way I know of to get direct connections through OPNsense is by enabling NAT-PMP, which is what the Tailscale doc “WireGuard mesh network using OPNsense” recommends. UPnP would work as well, but NAT-PMP is a better protocol and tailscaled only needs one of them.
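The easy/hard NAT distinction in this reply, as an added simulation (not code from the thread or from Tailscale): a client probes several relay servers with the same source port and calls the NAT “easy” if every relay reports the same external port, “hard” otherwise; a static port forward makes the mapping predictable again. The relay addresses are constructed, and the `Nat` class is a toy model, not a real NAT.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Toy NAT model. 'easy' = endpoint-independent mapping (RFC 4787): one
    external port per internal socket. 'hard' = endpoint-dependent mapping:
    a fresh external port for every destination. `forwards` holds static
    port forwards (internal port -> fixed external port)."""
    kind: str
    forwards: dict = field(default_factory=dict)
    next_port: int = 30000
    table: dict = field(default_factory=dict)

    def map_port(self, src_port, dst):
        if src_port in self.forwards:          # static forward: always the same
            return self.forwards[src_port]
        # Easy NAT keys the mapping on the source only; hard NAT on source + destination.
        key = src_port if self.kind == "easy" else (src_port, dst)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.table[key]

# Constructed relay ("DERP"-like) endpoints; each reports the external port it saw.
RELAYS = [("198.51.100.1", 3478), ("198.51.100.2", 3478), ("198.51.100.3", 3478)]

def classify_nat(nat, src_port=41641, relays=RELAYS):
    """Probe every relay from the same source port; consistent = predictable."""
    seen = {nat.map_port(src_port, relay) for relay in relays}
    return "easy" if len(seen) == 1 else "hard"

def path_for(nat_a, nat_b):
    """A direct UDP path needs at least one side with a predictable mapping;
    two hard NATs fall back to the relay."""
    kinds = (classify_nat(nat_a), classify_nat(nat_b))
    return "direct" if "easy" in kinds else "relay"

if __name__ == "__main__":
    print(path_for(Nat("hard"), Nat("hard")))                       # relay
    print(path_for(Nat("hard"), Nat("hard", forwards={41641: 41641})))  # direct
```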

I ended up enabling NAT-PMP just to test, and it still didn’t connect directly to the server it was connecting to before I put the node behind OPNSense. I then ended up forwarding ports on OPNSense, but the result was the same.

The only way I ended up achieving what I wanted was port forwarding 41646/udp from the remote node (which is also behind an ISP modem/router); after this, a direct connection was established. I will keep testing, as I don’t like giving my devices authority to open holes in my firewall at will.