Bridging the Gap: Setting Up Site-to-Site Networking with Tailscale and pfSense

I was first introduced to Tailscale by a friend, and I was immediately struck by how elegantly it handles mesh VPN networking. Setting it up on my pfSense firewalls was a breeze, but after running it as a standard client for a while, I realized I was barely scratching the surface of its potential.

I wanted more than just “remote access.” I wanted my two separate locations to act as one cohesive network.

The goal was simple: bridge two pfSense firewalls so that every machine on both subnets could communicate seamlessly without needing the Tailscale app installed on every single device. After some configuration and testing, I successfully established a transparent site-to-site bridge.

Connecting remote networks via Tailscale on pfSense is a powerful way to bridge infrastructure. However, the connection is only as good as the firewall rules and NAT settings that govern it. To ensure seamless communication between your local and remote subnets, follow this three-step configuration on both pfSense nodes, where “remote subnet” on each node means the other site’s LAN.

1. Allow Outbound Traffic (LAN Interface)

The first step is ensuring your local devices are permitted to send traffic out through the Tailscale tunnel to the remote network.

  1. Navigate to Firewall > Rules > LAN.
  2. Click Add to create a new rule.
  3. Configure the rule with the following parameters:
    • Action: Pass
    • Interface: LAN
    • Address Family: IPv4
    • Protocol: Any
    • Source: LAN Subnets
    • Destination: Network | Enter Remote Subnet CIDR (e.g., 192.168.0.0/24)
  4. Save and Apply Changes.

2. Allow Inbound Traffic (Tailscale Interface)

Next, you must allow the remote subnet to reach your local resources. This rule sits on the specific Tailscale interface.

  1. Navigate to Firewall > Rules > Tailscale.
  2. Click Add to create a new rule.
  3. Configure the rule as follows:
    • Action: Pass
    • Interface: TAILSCALE
    • Address Family: IPv4
    • Protocol: Any
    • Source: Network | Enter Remote Subnet CIDR (e.g., 192.168.0.0/24)
    • Destination: LAN Subnets
  4. Save and Apply Changes.

3. Configure Outbound NAT (The Secret Sauce)

For return traffic to find its way back properly across the tunnel, pfSense needs a specific Outbound NAT mapping. The mapping translates the source address of LAN traffic leaving the Tailscale interface to the node’s own Tailscale address, so the remote side replies to an address it already knows how to route to. This prevents “asymmetric routing” issues where the remote side doesn’t know how to reach back to your local LAN.

  1. Navigate to Firewall > NAT > Outbound.
  2. Select Hybrid Outbound NAT mode and click Save (the automatic rules remain in place and the manual mapping below is added alongside them).
  3. Click Add to create a new Mapping at the top of the list:
    • Interface: TAILSCALE
    • Source: LAN Subnets
    • Destination: Network | Enter Remote Subnet CIDR (e.g., 192.168.0.0/24)
  4. Save and Apply Changes.
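To see how the three objects fit together, here is an added example that is not part of the original post and not pfSense or Tailscale code: a small Python model of the LAN pass rule (step 1), the Tailscale pass rule (step 2) and the outbound NAT mapping (step 3), run over a connection from a site A LAN host to a site B LAN host. All addresses are constructed for the example (site A is 192.168.1.0/24 with Tailscale address 100.64.0.1, site B is 192.168.0.0/24 with Tailscale address 100.64.0.2), the mapping is assumed to keep pfSense’s default translation address of Interface Address (the node’s Tailscale address), and neither site is assumed to advertise its LAN as a Tailscale subnet route. The model shows why the mapping matters: with it, site B’s reply is addressed to a tailnet address and routed back through the tunnel; without it, the reply is addressed to site A’s private LAN, for which site B has no route, so it falls through to the WAN default route.

```python
"""Model of the three pfSense objects from the post (added example, constructed
addresses). Steps 1 and 2 are stateful pass rules; step 3 is the outbound NAT
mapping on the Tailscale interface."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Tailscale hands every node an address from the CGNAT range.
TAILNET = ip_network("100.64.0.0/10")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class Rule:
    interface: str       # pfSense interface the rule is attached to
    src: IPv4Network     # Source
    dst: IPv4Network     # Destination
    action: str = "pass"


@dataclass(frozen=True)
class Site:
    name: str
    lan: IPv4Network          # this node's "LAN Subnets"
    ts_addr: IPv4Address      # this node's Tailscale interface address
    remote_lan: IPv4Network   # the other site's LAN ("Remote Subnet CIDR")
    nat_enabled: bool = True  # whether the step 3 mapping exists

    def rules(self):
        return [
            Rule("LAN", self.lan, self.remote_lan),        # step 1
            Rule("TAILSCALE", self.remote_lan, self.lan),  # step 2
        ]

    def filter(self, interface, pkt):
        """First matching pass rule wins; with no match pfSense's default deny applies."""
        for rule in self.rules():
            if rule.interface == interface and pkt.src in rule.src and pkt.dst in rule.dst:
                return rule.action
        return "block"

    def outbound_nat(self, pkt):
        """Step 3: LAN traffic leaving via TAILSCALE towards the remote subnet is
        masqueraded behind this node's Tailscale address (translation = Interface Address)."""
        if self.nat_enabled and pkt.src in self.lan and pkt.dst in self.remote_lan:
            return replace(pkt, src=self.ts_addr)
        return pkt

    def egress_interface(self, dst):
        """Routing table of this node, assuming no Tailscale subnet routes are
        advertised: own LAN directly, the tailnet via TAILSCALE, the rest via WAN."""
        if dst in self.lan:
            return "LAN"
        if dst in TAILNET:
            return "TAILSCALE"
        return "WAN"


def site_a(nat_enabled=True):
    """Constructed site A: LAN 192.168.1.0/24, Tailscale address 100.64.0.1."""
    return Site("A", ip_network("192.168.1.0/24"), ip_address("100.64.0.1"),
                ip_network("192.168.0.0/24"), nat_enabled)


def site_b(nat_enabled=True):
    """Constructed site B: LAN 192.168.0.0/24, Tailscale address 100.64.0.2."""
    return Site("B", ip_network("192.168.0.0/24"), ip_address("100.64.0.2"),
                ip_network("192.168.1.0/24"), nat_enabled)


def trace_flow(local, remote, src, dst):
    """Follow a connection from a host on the local LAN to a host on the remote
    LAN and report where the remote node would send its reply."""
    pkt = Packet(ip_address(src), ip_address(dst))
    verdict = local.filter("LAN", pkt)           # step 1, on the LAN interface
    if verdict != "pass":
        return {"lan_rule": verdict}
    on_wire = local.outbound_nat(pkt)            # step 3, leaving via TAILSCALE
    reply = Packet(on_wire.dst, on_wire.src)     # the remote host answers what it saw
    return {
        "lan_rule": verdict,
        "src_seen_by_remote": str(on_wire.src),
        # pf keeps state for the connection, so the reply needs no extra rule at
        # the local node; what matters is whether the remote node can route it.
        "reply_egress_at_remote": remote.egress_interface(reply.dst),
    }


def inbound_verdict(local, src, dst):
    """Step 2: a connection arriving on the TAILSCALE interface from the remote subnet."""
    return local.filter("TAILSCALE", Packet(ip_address(src), ip_address(dst)))


if __name__ == "__main__":
    for nat in (True, False):
        print("NAT mapping present:" if nat else "NAT mapping absent: ",
              trace_flow(site_a(nat), site_b(), "192.168.1.10", "192.168.0.20"))
    print("inbound from remote subnet:", inbound_verdict(site_a(), "192.168.0.20", "192.168.1.10"))
    print("inbound from elsewhere:    ", inbound_verdict(site_a(), "10.0.0.5", "192.168.1.10"))
```

Running it prints the reply egress as TAILSCALE with the mapping and WAN without it, and shows that the step 2 rule passes only sources inside the remote subnet, everything else falling to pfSense’s default deny.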

Pro Tip: Always verify your connection by performing a traceroute from a device on the LAN (not the firewall itself) to a device on the remote subnet. Traffic that pfSense originates itself comes from its own interface addresses and never passes through the LAN rule or the outbound NAT mapping, so a test from the firewall can succeed while LAN hosts still fail. A trace from a LAN device confirms that the NAT and routing are behaving as expected.
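As an added example that is not from the post, here is a small Python checker for that traceroute: it parses captured `traceroute -n` output from a LAN host and flags the failure modes the test is meant to catch (no tailnet hop, a hop outside both LANs, target not reached). The addresses and both captures below are constructed; 192.168.1.1 is assumed to be the local pfSense LAN address, 100.64.0.2 the remote node’s Tailscale address and 203.0.113.1 a stand-in for an ISP hop.

```python
"""Checker for the verification traceroute (added example with constructed data)."""
import re
from ipaddress import ip_address, ip_network

TAILNET = ip_network("100.64.0.0/10")  # Tailscale node addresses
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP_RE = re.compile(r"\s*(\d+)\s+(.*)")  # "<hop number>  <rest of line>"

# Constructed capture of `traceroute -n 192.168.0.20` run on a site A LAN host
# with the bridge working: local pfSense, remote pfSense's Tailscale address, target.
GOOD_TRACE = """traceroute to 192.168.0.20 (192.168.0.20), 30 hops max, 60 byte packets
 1  192.168.1.1  0.412 ms  0.301 ms  0.288 ms
 2  100.64.0.2  24.913 ms  24.702 ms  24.655 ms
 3  192.168.0.20  25.104 ms  25.012 ms  24.980 ms
"""

# Constructed capture of the same trace when the NAT/route is missing: after the
# local pfSense the packet heads for the ISP (203.0.113.1 stands in) and dies.
LEAKED_TRACE = """traceroute to 192.168.0.20 (192.168.0.20), 30 hops max, 60 byte packets
 1  192.168.1.1  0.398 ms  0.290 ms  0.276 ms
 2  203.0.113.1  8.112 ms  8.004 ms  7.991 ms
 3  * * *
"""


def parse_hops(output):
    """Return one entry per hop line: the responding address, or None for '* * *'."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # the "traceroute to ..." header line
        found = IPV4_RE.search(m.group(2))
        hops.append(ip_address(found.group(1)) if found else None)
    return hops


def check_path(output, gateway, local_lan, remote_lan, target):
    """Return a list of problems with the trace; an empty list means the path is as expected."""
    hops = parse_hops(output)
    local_lan, remote_lan = ip_network(local_lan), ip_network(remote_lan)
    problems = []
    if not hops or hops[0] != ip_address(gateway):
        problems.append("first hop is not the local pfSense LAN address")
    if not any(h in TAILNET for h in hops if h is not None):
        problems.append("no tailnet hop: the path did not go through the Tailscale tunnel")
    for h in hops:
        if h is not None and not (h in local_lan or h in TAILNET or h in remote_lan):
            problems.append(f"hop {h} is outside both LANs and the tailnet (traffic left via WAN?)")
    if not hops or hops[-1] != ip_address(target):
        problems.append("trace did not reach the target host")
    return problems


if __name__ == "__main__":
    for label, capture in (("working bridge", GOOD_TRACE), ("leaking bridge", LEAKED_TRACE)):
        found = check_path(capture, "192.168.1.1", "192.168.1.0/24", "192.168.0.0/24", "192.168.0.20")
        print(f"{label}: {'OK' if not found else found}")
```

The tailnet-hop check assumes the remote pfSense answers the TTL-exceeded probe from its Tailscale address; if your trace shows a different intermediate, the hop-outside-both-LANs check is the one that tells you whether the traffic left through the WAN instead of the tunnel.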