Open vampywiz17 opened 10 months ago
The portmapping feature for UPnP/NAT-PMP/PCP always gets a random port. Within your LAN it will be 192.168.x.x:41641, but externally it chooses a random port.
It has to: if there are two Tailscale nodes on the LAN, only one of them could have NAT port 41641 and the other would have to use a different port. So portmap ports are always random.
@DentonGentry I see. So it is not possible to set it to a fixed port? I use one Tailscale on my network (it routes all my local network). NAT-PMP settings are simpler than setting "Hybrid Outbound NAT rule generation" (it never works on my site...)
I thought I would be able to make it more secure by only enabling one fixed port that Tailscale uses.
The Hybrid Outbound NAT option described in https://tailscale.com/kb/1097/install-opnsense#static-nat-port-mapping is supposed to do what you describe. It will create a 1:1 mapping of internal port to external, instead of using NAT-PMP.
It does work at other sites, I don't immediately know why it isn't working there.
@DentonGentry
My config is a bit special.
Here is my network.
ISP router, connected via PPPoE to the provider (one IP is in DMZ = 192.168.1.10) ---> OPNsense WAN (fixed IP, set to 192.168.1.10) ---> OPNsense LAN (IP range 192.168.31.0/24) ---> virtual machine that runs Tailscale (192.168.31.105)
If I try this, it is not working:
https://tailscale.com/kb/1097/install-opnsense#static-nat-port-mapping
NAT-PMP only works if I set a STUN server (see picture), because my WAN address is not an external address.
I think that is the reason NAT port mapping is not working. Any idea how to change the port mapping config so that it works in my case?
So I believe I am experiencing a similar issue; in my case I also have a double NAT due to CGNAT (which also means my IPv4 external address is not stable), and I am unable to get Tailscale working on a client machine behind OPNsense even after following the guide at https://tailscale.com/kb/1097/install-opnsense#static-nat-port-mapping
According to https://forum.tailscale.com/t/pfsense-nat-pmp-failures/2300/10 there may have been a regression in OPNsense/pfSense regarding the fixed static IP outbound NAT rule. I also created an upstream ticket at https://github.com/opnsense/core/issues/8070 to better coordinate the root of the issue.
I also just tried setting a STUN server/port (the same Google one mentioned in https://github.com/tailscale/tailscale/issues/10866#issuecomment-1894407922); interestingly tailscale netcheck is now working correctly, i.e.
2024/11/19 11:44:02 portmap: [v1] Got PCP response: epoch: 347
2024/11/19 11:44:02 portmap: [v1] Got PMP response; IP: <REDACTED> epoch: 347
2024/11/19 11:44:02 portmap: [v1] UPnP reply {Location:http://192.168.1.1:2189/rootDesc.xml Server:FreeBSD/14.1-RELEASE-p6 UPnP/1.1 MiniUPnPd/2.3.7 USN:uuid:cff3890a-a20a-44ba-42e5-7d8ed972c37::urn:schemas-upnp-org:device:InternetGatewayDevice:1}, "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nUSN: uuid:cff3890a-a20a-44ba-42e5-7d8ed972c37::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nEXT:\r\nSERVER: FreeBSD/14.1-RELEASE-p6 UPnP/1.1 MiniUPnPd/2.3.7\r\nLOCATION: http://192.168.1.1:2189/rootDesc.xml\r\nOPT: \"http://schemas.upnp.org/upnp/1/0/\"; ns=01\r\n01-NLS: 1732012695\r\nBOOTID.UPNP.ORG: 1732012695\r\nCONFIGID.UPNP.ORG: 1337\r\n\r\n"
2024/11/19 11:44:02 portmap: UPnP meta changed: [{Location:http://192.168.1.1:2189/rootDesc.xml Server:FreeBSD/14.1-RELEASE-p6 UPnP/1.1 MiniUPnPd/2.3.7 USN:uuid:cff3890a-a20a-44ba-42e5-7d8ed972c37::urn:schemas-upnp-org:device:InternetGatewayDevice:1}]
But tailscale ping node still fails.
What is the issue?
I set
"randomizeClientPort": false,
in the ACL, enabled NAT-PMP on my OPNsense firewall, and added this permission in the OPNsense NAT-PMP settings:
allow 41641 192.168.31.105/32 41641
but it is not working; Tailscale cannot open the port. When I change it to
allow 1024-65535 192.168.31.105/32 1024-65535
Tailscale works well, BUT it opens a random port... So I don't understand why it does not use 41641 if I set randomizeClientPort to false?
Steps to reproduce
set randomizeClientPort to false and allow NAT-PMP rules
Are there any recent changes that introduced the issue?
Never worked.
OS
Linux
OS version
Docker (Alpine 3.19.0)
Tailscale version
1.56.1
Other software
OPNSense
Bug report
BUG-395825eabc37cf549a08c00c5542a0edfda11fe17b368faa036c81ea42c4d8dd-20240116132906Z-729953d00f955b19
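As an added example (not code from this thread, from Tailscale or from OPNsense), the following Python evaluates miniupnpd-style permission rules like the two quoted in the report against a requested mapping, and parses a NAT-PMP (RFC 6886) mapping response to check whether the gateway actually handed out the fixed external port. It shows why the narrow "41641 -> 41641" rule denies the mapping once the portmapper asks for a random external port, as explained earlier in the thread. The rule parser, the trailing deny-all rule standing in for the firewall's default-deny behaviour, and the response bytes are assumptions constructed for illustration.

```python
import ipaddress
import struct

# One permission line in the form OPNsense's UPnP/NAT-PMP settings use:
# "(allow|deny) <ext ports> <ip/mask> <int ports>", with ports as "lo-hi" or
# a single port. Hypothetical minimal parser written for this example.
def parse_rule(line):
    action, ext, net, internal = line.split()
    return action, _ports(ext), ipaddress.ip_network(net), _ports(internal)

def _ports(spec):
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def mapping_allowed(rules, ext_port, client_ip, int_port):
    """First matching rule wins; a request matching no rule is treated as denied
    (assumption: mirrors a trailing deny-all / default-deny rule)."""
    ip = ipaddress.ip_address(client_ip)
    for action, (elo, ehi), net, (ilo, ihi) in rules:
        if elo <= ext_port <= ehi and ip in net and ilo <= int_port <= ihi:
            return action == "allow"
    return False

# NAT-PMP mapping response layout (RFC 6886): version, opcode (128 + 1 for UDP,
# 128 + 2 for TCP), result code, seconds since epoch, internal port,
# mapped external port, lifetime.
def parse_pmp_map_response(data):
    ver, op, result, epoch, int_port, ext_port, lifetime = struct.unpack("!BBHIHHI", data[:16])
    if ver != 0 or op not in (129, 130):
        raise ValueError("not a NAT-PMP mapping response")
    return {"result": result, "epoch": epoch, "internal_port": int_port,
            "external_port": ext_port, "lifetime": lifetime}

def external_port_is_fixed(data, wanted=41641):
    """True only if the gateway mapped the wanted internal port to the same external port."""
    r = parse_pmp_map_response(data)
    return r["result"] == 0 and r["internal_port"] == wanted and r["external_port"] == wanted

# The two rule sets from the report, each followed by a constructed deny-all rule.
NARROW = [parse_rule(l) for l in ("allow 41641 192.168.31.105/32 41641",
                                  "deny 0-65535 0.0.0.0/0 0-65535")]
WIDE = [parse_rule(l) for l in ("allow 1024-65535 192.168.31.105/32 1024-65535",
                                "deny 0-65535 0.0.0.0/0 0-65535")]

# Constructed response: mapping succeeded, but the gateway assigned external port 55127.
SAMPLE_RESPONSE = struct.pack("!BBHIHHI", 0, 129, 0, 347, 41641, 55127, 7200)

if __name__ == "__main__":
    for ext in (41641, 55127):  # fixed port vs. a randomly chosen external port
        print(ext, mapping_allowed(NARROW, ext, "192.168.31.105", 41641),
              mapping_allowed(WIDE, ext, "192.168.31.105", 41641))
    print(external_port_is_fixed(SAMPLE_RESPONSE))
```

Running it prints that 41641 is allowed by both rule sets while 55127 is allowed only by the wide one, and that the sample response did not keep the fixed port.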