I upgraded to Beryl 7 and got this nasty issue. I managed to solve it via AI; workaround below. I hope the root cause will be fixed by the GL.iNet team.
When the Beryl is configured to use a remote Tailscale exit node, the router itself gets internet (e.g., curl ifconfig.me works via SSH), but all LAN/WiFi clients connected to the Beryl have no internet — requests time out completely.
Solution:
Add the missing MASQUERADE rule:
```bash
iptables -t nat -A POSTROUTING -o tailscale0 -j MASQUERADE
```
To make it persistent:
```bash
cat << 'EOF' >> /etc/firewall.user
# Masquerade LAN traffic going through Tailscale tunnel
iptables -t nat -A POSTROUTING -o tailscale0 -j MASQUERADE
EOF
```
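An idempotent variant of the workaround rule above, as an added example that is not part of the original posts: it checks with `iptables -C` before appending, so repeated runs do not stack duplicate rules, and it can count matching rules afterwards. The `IPT` and `TS_IF` variables and the function names are assumptions introduced for this example.

```shell
#!/bin/sh
# Added example (not from the thread): check-then-add form of the workaround.
# IPT and TS_IF are hypothetical override variables introduced for this example.
IPT="${IPT:-iptables}"
TS_IF="${TS_IF:-tailscale0}"

# Return 0 if the MASQUERADE rule for $TS_IF already exists in nat/POSTROUTING.
ts_masq_present() {
    "$IPT" -t nat -C POSTROUTING -o "$TS_IF" -j MASQUERADE 2>/dev/null
}

# Append the rule only when it is missing; print what was done.
ts_masq_ensure() {
    if ts_masq_present; then
        echo "present"
    elif "$IPT" -t nat -A POSTROUTING -o "$TS_IF" -j MASQUERADE; then
        echo "added"
    else
        echo "failed"
        return 1
    fi
}

# Count matching rules in the POSTROUTING listing; more than 1 means duplicates.
ts_masq_count() {
    "$IPT" -t nat -S POSTROUTING | grep -c -- "-o $TS_IF -j MASQUERADE" || true
}

# Run as "sh script.sh apply" on the router; with no argument nothing is changed.
if [ "${1:-}" = "apply" ]; then
    ts_masq_ensure
    echo "matching rules: $(ts_masq_count)"
fi
```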
This is a known issue due to be fixed in an upcoming firmware release where these options are exposed in the Tailscale section of the GL.iNet GUI.
It can also be solved with persistence across reboots by using the LuCI GUI and ticking the masquerade box in the firewall settings; see Bruce's post below on how to do this.
Yes, we plan to add an ‘IP Masquerading’ button for Tailscale in the v4.9 firmware.
This will allow it to work correctly with Mullvad VPN and other devices that may not handle routing properly, while also reducing configuration complexity in some cases.