pfSense is an open source router and firewall platform built using FreeBSD. Tailscale clients behind a pfSense firewall can benefit from a settings change.

Direct Connections for LAN Clients

As a router/firewall, pfSense may also be providing Internet connectivity for LAN devices which themselves have a Tailscale client installed. The NAT implementation in pfSense is an Endpoint-Dependent Mapping, or “hard” NAT, which means that LAN devices have difficulty making direct connections and often resort to DERP Relays.

Enabling NAT-PMP in pfSense can enable devices on the LAN to make direct connections to remote Tailscale nodes. NAT-PMP is a protocol by which LAN clients can ask the firewall to temporarily create port mappings.

Enable the UPnP service and Allow NAT-PMP Port Mapping in Services > UPnP & NAT-PMP. Only NAT-PMP is needed for Tailscale’s use, but enabling UPnP can be helpful for other applications like gaming consoles.