Bug #15100 (open)

Tailscale IPv6 Exit Node uses first LAN interface when WAN is set to Only Request Prefix

Added by Kris Phillips 4 months ago. Updated about 1 month ago.

Status: New
Priority: Low
Category: Tailscale
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version: 23.09
Affected Architecture: All

Description

When Tailscale on pfSense Plus is being used as an exit node for IPv6 connectivity and the WAN interface is set to "Only request an IPv6 prefix, do not request an IPv6 address", it will use the first sequential LAN interface's IPv6 address for outbound connectivity instead.

We should probably add an option to Tailscale to select which interface is used for WAN connectivity, i.e. which address is used for NAT for IPv4 and IPv6 outbound connectivity, because this resulted in my internal, secure work VLAN address being used when I had routing policies in Tailscale to only allow access to my home VLAN instead (due to the fact that the work VLAN was the first sequential LAN). Not being able to choose the interface that is used for NAT on the exit node could lead to situations where access to resources that shouldn't be accessible is possible under certain circumstances.

#1

Updated by C C 4 months ago

This, or the broader issue of exit node gateway configuration, affects me with IPv4.
There seems to be no way to configure which gateway the exit node will use, and that is sorely missing here.

My WAN interface is used solely for bringing up a separate WireGuard tunnel. So this forces WAN to be selected as the default gateway in the routing tab.
The issue here is that the exit node/local IP the tunnel binds to, which uses an IP on my LAN network (192.168.2.0), then forces external traffic over the WAN (192.168.1.0) network, IGNORING my LAN rules that prevent any network on LAN from connecting to any WAN network.

This seems to be quite the security issue for me.

Exit node gateway config is desperately needed.
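
A check for the behaviour described in the report and in the comment above, as an added example (not code from pfSense, Tailscale, or anyone in this thread): it asks the local stack which source address it would pick toward an external destination and flags that address when it belongs to a non-WAN interface. The interface inventory and all addresses below are constructed sample values and would be filled in from the real interface assignment.

```python
import ipaddress
import socket

# Constructed sample inventory for a pfSense-style exit node (not a real
# configuration). The WAN only requested a prefix, so it has no global IPv6
# address; the first LAN (the "work" VLAN) holds a GUA from the delegated prefix.
INTERFACES = {
    "WAN":      {"role": "wan", "addrs": ["203.0.113.10", "fe80::1"]},
    "LAN_WORK": {"role": "lan", "addrs": ["192.168.1.1", "2001:db8:1::1"]},
    "LAN_HOME": {"role": "lan", "addrs": ["192.168.2.1", "2001:db8:2::1"]},
}


def kernel_source_address(dst, port=53):
    """Ask the local stack which source address it would use toward dst.
    Connecting a UDP socket sends nothing on the wire; getsockname() then
    reveals the kernel's choice. Returns None when there is no route."""
    family = socket.AF_INET6 if ":" in dst else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.connect((dst, port))
            return s.getsockname()[0]
    except OSError:
        return None


def interface_for_address(addr, interfaces=INTERFACES):
    """Map an address back to the interface it is bound to, or None."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any link-local scope id
    for name, spec in interfaces.items():
        if any(ipaddress.ip_address(a) == ip for a in spec["addrs"]):
            return name
    return None


def check_egress_source(src, interfaces=INTERFACES):
    """Return (ok, finding). ok is False when exit-node traffic would leave
    with a source address that does not belong to a WAN-role interface."""
    name = interface_for_address(src, interfaces)
    if name is None:
        return False, f"{src} is not bound to any known interface"
    if interfaces[name]["role"] != "wan":
        return False, f"{src} belongs to {name} (role {interfaces[name]['role']}); expected a WAN address"
    return True, f"{src} is the WAN address on {name}"


if __name__ == "__main__":
    for dst in ("2001:db8:ffff::1", "198.51.100.1"):  # documentation-range probe targets
        src = kernel_source_address(dst)
        print(dst, "->", src, check_egress_source(src) if src else "(no route)")
```

Run on the exit node itself, it reports the source address tailscaled's outbound traffic would carry for each family and whether that address is the one the firewall policy assumes.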

#2

Updated by Danilo Zrenjanin about 1 month ago

There is a feature request:
https://redmine.pfsense.org/issues/15177
