Using LAN domain as default

I am thrilled that Tailscale took less than 2 hours, total (including reading directions) to set up to do what I had been trying to do with a VPN for a few weeks. (People kept telling me it was easy on a VPN, but that’s because they already knew VPNs inside and out - I don’t.)

I have a pfSense firewall with the LAN for my house and office behind it on a single LAN. My goal from the start was to be able to connect to my LAN from outside. My ISP uses CGNAT, which was the main issue. (But once I found out how port forwarding opens up one’s LAN, I wanted to avoid that and use some kind of VPN instead.) At this point I only have 2 mobile devices, a phone and a tablet.

I’ve set up the client on pfSense so I can reach my LAN systems from my phone from outside. Let’s say my LAN address space is 10.42.3.x and the domain is beleriand.arda and I’m trying to reach one system, nargothrond, in the LAN. On my phone, in my browser, I can type in nargothrond.beleriand.arda and reach the web server I have set up there. Also, on my phone, in VLC, I have to give include the full domain. Is there a setting I can use so, from my phone, I can type just nargothrond like I do from within the LAN, where just something like “ping nargathrond” will work?

I’m having issues with this now. Last night I could use the LAN domain and it’d work. Then, under DNS, I turned off “This will only be used for some domains.” (Figuring that’s what caused the problem.) Now I can’t use domain or machine names to reach my LAN. I tried changing it back to tell it to work for only some domains and enter my LAN domain, but I keep getting an error message that it can’t save that. (It’s the same settings I had successfully saved last night.)

I could be wrong since DNS isn’t my area, but I think the only way this will work is if you have a local DNS server that resolves to your internal IP addresses. Then you would use split DNS in Tailscale. That is how I am doing it for our office. But I think even with that you would still need the domain name.

A tailscale client will first try to resolve a DNS query via the tailnet’s DNS server (
If that can’t resolve it then it will try the DNS server set locally in the client (that it got either via DHCP or manually).

In the scenario where you are outside of your LAN and want to access a domain that can only be resolved by a DNS server inside your LAN, you’d have to tell your tailnet to pass DNS queries for certain domains to a specific DNS server (inside your LAN).

For example, if you want to reach beleriand.arda from your phone when you’re on-the-go (and the phone is connected to your tailnet), you would have to create a “Split DNS” entry in the DNS page of the tailscale admin console.
To do that you click on “Add nameserver” → “Custom…”, set the IP to the DNS server of your LAN, then enable “Restrict to domain (Split DNS)” and enter arda.

(You might need to re-connect your phone’s tailscale client, just to make sure the new settings are applied.)

Now when you enter beleriand.arda in your phone’s browser (while outside the LAN, but connected to your tailnet), the DNS query will first go to your tailnet’s DNS server (i.e.

That server will see that there’s a Split DNS entry for arda domains, so it will redirect the query to the IP that you set up for it (i.e. your LAN’s DNS server).

And since your pfSense device is sharing your LAN’s subnet into the tailnet, the request will be routed all the way to your LAN and to its DNS server, which will resolve beleriand.arda to the correct LAN IP.

Finally your browser, now knowing the IP for beleriand.arda, will make a GET request to it, which again will be routed all the way to your LAN and the respective web-server, etc.

EDIT: Shoot, totally overlooked your response muzicman0. You basically said the same, only more concise and to the point. My bad! :person_facepalming:

Yes, I do. My pfSense firewall does DHCP/DNS duties for the LAN and forwards request it can’t resolve to internet DNS. So if I try nargothrond, it automatically appends beleriand.arda to it to resolve the IP address. Of course if I type it all (nargothrond.beleriand.arda), it’ll handle that, too.

Okay, I do that by advertising an available subnet on the Tailscale client on my firewall, right? I’ve specified it handles only some domains and added beleriand.arda to it.

Just do that on the regular DNS page, right? I have that setup and it lists beleriand.arda and an icon to show it’s a split nameserver. Also did the “Restrict to domain” on there.

Ah - yeah, didn’t think about that. I think that’s why I lost function for a while - it was propagating through.

I’ve got that working, so if I type “nargothrond.beleriand.arda” it does find the right computer and connects.

What I’m wondering if can do is remove the need to type the domain name. Within my LAN, if I want to load the OctoPrint webpage interface on nargothrond, all I have to type into the browser is nargothrond and it comes right up. Of course, if I type nargothrond.beleriand.arda, I get the same result. I don’t thumb-type that well and was trying to make it easier when I’m out. So is there a way to set it so, when I’m out, I can just type nargothrond and, since Tailscale’s DNS at doesn’t see it, to pass that on to my LAN’s DNS (since it’s advertised and Tailscale knows about it), and see if my LAN’s DNS can handle it. That way if Tailscale DNS says, “Can’t do it,” it lets my DNS look at it, and my DNS would then automatically append the domain to the system name, just like it does on my LAN. In other words, so, on my phone, with Tailscale, I could just type nargothrond in my phone browser and have that passed on to my DNS and resolved.

Advertising (and then enabling) a subnet won’t automatically pass off DNS queries TS can’t resolve to the subnet. It only makes the subnet’s IPs available to connected tailscale devices. What enables the passing off of DNS queries is the Split DNS entry.
Or at least that’s one of the ways. You could also set your LAN’s DNS server as a global nameserver in the TS admin console. Doing it with Split DNS you can limit which domains will be passed off on initial fail, whereas doing it the global way will pass off any domain that initially failed to resolve (via TS itself).

Oh I get what you mean now. Yeah that should be possible with search domains:

Quote from link:

Search domains provide a convenient way for users to access local network resources without having to specify the full domain path every time they connect to a resource.

So basically, go to the DNS page of the TS admin console and locate the header “Search Domains”.
Click on the button “Add search domain…” and enter beleriand.arda.

Now when you enter nargothrond from outside the LAN, tailscale will at first not be successful getting nargothrond resolved (neither by itself nor by passing it off). So immediately afterwards it will add beleriand.arda to it and try again, which should finally be successful. :slight_smile:

Yes, it works! Kind of strange. First I set that up and saved it, then went to my phone and turned off the connection then turned it back on. (Or should I fully log out and back in to update the connection?) It seemed to take a while to behave. I’m using Safari on an iPhone. I’m sure some behaviors differ due to OS or browser choice. First time I typed “nargothrond” into Safari, it just did a Google search. I used my term program on the phone and “ping nargothrond” worked. Went back to my browser and used “http://nargothrond” and it worked. Then I tried a few other sites, like Google and they took a while to load. Once I got non-LAN destination to load, other internet sites loaded quickly. It was as if it was taking time to get all the parts set up, since, eventually, everything worked okay. I can now type “nargothrond” in the browser and it gives me the OctoPrint interface, like I want.

One other technical question, while we’re on this subject: Say I’m at home, with wifi on, and I go to nargothrond in my browser. Does Tailscale try to “grab” the transaction and connect through Tailscale, or does it let the connection through wifi try to do it first? In other words, now that this works, if I’m at home, on the LAN, will Tailscale still keep control and route the connection from my phone, through internet, through the Tailscale servers, then back through my ISP, to my LAN, and finally to my system on my LAN?

The first time you enter something into a browser that doesn’t have a TLD (or really, doesn’t have a dot), like something that is just one word, most browsers assume it’s not a domain but an attempt to use the search function.
Because of that you have to explicitly provide the protocol (http://, https://, ftp://, etc.) for the first time you try to surf to a one-word domain (that doesn’t have a dot).
Afterwards the browser should remember and let you get to the website with just the word (as it’ll prefix the protocol from memory).

Hmm, this could be because your connection went through one of Tailscale’s DERP relays instead of a direct connection. In a CLI, try to ping another tailscale node via tailscale ping <NODE>. If it’s the first time the nodes communicate you’ll first see a few DERP pongs, until finally tailscale finds a direct path and shows a pong not via DERP anymore.
From then on any subsequent ping should be over the direct connection (and thus faster).

So every time two nodes start to communicate for the first time (or after reboot, not sure), it might take a little until they found a perfect route. There are some situations that might prevent direct connections and make the node only use DERP nodes. Especially in connection with firewalls like pfSense, there’s something you can do to prevent that. See here for details and what you can do:

Basically for pfSense, it seems you have to “Enable NAT-PMP, or static NAT port mappings” to prevent being forced over DERP relays.

That depends on how your phone’s local DNS servers are set.
If you’re on your WiFi, then I’m assuming your phone will get a gateway or DNS server assigned from your WiFi router that can resolve queries for your LAN.
So if you’re at home and have your phone still connected via tailscale, then the first DNS query for nargothrond would go to (which is still local, i.e. not on the internet) and fail. Afterwards it would try any Split DNS that could resolve for it (or it tries them even before the, I’m not sure atm), and if that fails as well it would finally try the DNS server local to your phone (i.e. assigned by your WiFi), which would then resolve the domain to its LAN IP.

NOTE: If you enabled “Override local DNS” in the TS admin console, then this will do exactly that and not let your phone’s locally defined DNS server resolve the query. Instead the last DNS servers that will be tried are the ones you added as global DNS in the TS admin console.
So if you want your devices to alwys be able to fall back to the DNS servers they’re receiving via DHCP (while connected to TS) or that you set manually in the network adapter settings, then don’t enable “Override local DNS”.

But if you rather prefer to manage a global list of DNS servers that every TS device should use (as long as they are connected via TS), then you can of course add your LAN’s DNS server as a global DNS server in the TS admin console and enable the “Override local DNS” setting.

Okay, I have it working, but I’m finding it best to keep Tailscale turned off for my mobile clients and to turn it on only when I need to use it. It can lead to slower performance with other programs. One example is When I solve a puzzle, it has to contact the server. With Tailscale connected, the connection always times out.

Yeah, I keep it off on the phone as well when not needed.
I’ve read that for some people it uses more battery when they leave it connected all the time.
I haven’t noticed that myself, but better safe than sorry.^^
Glad you got it all working now! :beers:

That’s good to hear - since it tells me it’s not just me and that I’m likely not doing something wrong to have some issues.

Thanks for the help!