[OPNsense] NAT Reflection with connected client exit node


I run Tailscale on OPNsense router with routes and exit node advertising.
Everything works well. I can reach my different routes and use my OPNsense as exit node.

The problem is when I’m connected to the OPNsense through Tailscale with exit node enable, I can’t access to my different service hosted on my network with the external IP (actual dns).

The solution with standard OPNsense config is to enable:

  • Reflection for port forwards
  • Reflection for 1:1
  • Automatic outbound NAT for Reflection

It’s work for all my subnets but not for Tailscale.

How I can enable nat reflection / nat loopback with Tailscale ?

Nobody knows how to do that ?

If I’m understanding properly, you want to use the public IP to access your machine. If you’re using an exit node, those requests will appear to be coming from the internet, rather than from the LAN.

Can you normally access your services from the internet?

Yes, I want to access my server through my public IP. It’s work well on my LAN or from outside but not with Tailscale.

And yes, my server is accessible from the internet.

Every time I’m connecting to Tailscale with my router as exit node, all my service become unreachable.

Would you please send us your tailnet details and Tailscale IP of the node you are accessing to and from with the tailscale bugreport captured on failure on support@tailscale.com?

Yes, that is expected.

When you use an exit node, it routes all of your traffic through that node. There’s no routing backwards.

If you use --exit-node-allow-local-lan-access it should allow you to access your services normally.

I use --advertise-exit-node and --advertise-routes.

I’m connecting to my node with an Android phone. I can’t use the --exit-node-allow-lan-access option.
I still tried this option from a computer, but it doesn’t work.

We don’t yet have a setting to allow local LAN access from iOS or Android.

If it’s not working from a computer on the LAN, that is another issue. If that’s the case, can you create a bugreport close to the time of failure, and email the code it generates to support@tailscale.com ?

If you include a link to this thread, we’ll know the history here too.

I will do that. I will create a schema of my network too for better comprehension.