TL;DR
Open LuCI (192.168.8.1/cgi-bin/luci), go to Network → Firewall, find the tailscale0 zone, enable Masquerading, hit Save & Apply.
That’s it.
The Problem
I bought a GL-MT3000 Beryl AX hoping it would work as a subnet router for my Tailscale exit node out of the box. The setup seemed straightforward — connect the router to Tailscale, select the exit node in the GL.iNet admin panel, done.
The router itself routed correctly through the exit node. But any device connected to it had no internet access at all.
Is This Your Problem?
First, verify the router is actually routing through the exit node. Enable SSH in the GL.iNet admin panel under System → Security (disable it after you are done), then:
ssh root@192.168.8.1
curl icanhazip.com
If this returns your exit node’s IP — but devices connected to the router can’t browse the web — you have the same problem.
The Fix
Step 1: Open LuCI
In the GL.iNet admin panel, go to System → Advanced Settings, and install LuCI if you haven’t done this already.
Step 2: Enable Masquerading on the tailscale0 zone.
- Go to Network → Firewall.
- Find the
tailscale0row in the Zones table. - Check the Masquerading checkbox.
- Click Save & Apply.
Why This Works
Your LAN devices have private IPs like 192.168.8.x.
When their packets travel through the Tailscale tunnel and get decapsulated by the exit node, the exit node sees 192.168.8.x as the source IP.
That’s a private IP it has no route back to — so replies just get dropped.
Masquerading rewrites the source IP to the router’s own Tailscale IP (100.x.x.x) before the packet is encapsulated and sent into the tunnel.
After decapsulation, the exit node sees a 100.x.x.x source — an address it knows exactly how to route back to.
I’m not sure why this isn’t enabled by default. As far as I can tell it’s a firmware bug — there’s no scenario where you’d want exit node routing for LAN clients without masquerade.