Beryl AX (GL-MT3000) using a tailscale exit node

Hi,

I just got a brand new Beryl AX (GL-MT3000) and I wanted to set it up to have an exit node so that all the traffic gets routed through my home network even when travelling with my router.

I tried following the documentation, but in the end my devices connected to the router weren't able to connect to the internet (even when setting manual DNS like those from Google). I also made sure to approve the 192.168.8.0/24 subnet in the Tailscale admin console, and I used --accept-routes on my exit node device, as I saw it could be useful here and was expecting my exit node to do this anyway.

None of these things worked.

What did work though is the manipulation described in this comment. But as I am not super familiar with OpenWRT and the LuCI interface I am not 100% sure what these changes mean and if they are safe for me to do.

Could someone help me with this? Did I miss something in my initial configuration? Is the change in the LuCI configuration expected and safe?

Thank you!

The LuCI configuration is safe.

You can install the TS client on the phone/computer, etc., to verify whether the exit node is available.
If available, please reset the router and enable the TS in the GL admin panel, rebind it (let the TS re-create the route table); in general there is no need to configure anything in LuCI or over SSH.

The LuCI configuration is safe.

Thank you, that is good to know.

You can install the TS client on the phone/computer, etc., to verify whether the exit node is available.

This works fine, I have been using this exit node with my phone and laptop for a while.

If available, please reset the router and enable the TS in the GL admin panel, rebind it (let the TS re-create the route table); in general there is no need to configure anything in LuCI or over SSH.

Just to clarify, the SSH config I did was on the machine that acts as the exit node, not on the router itself.
In any case, even after a reset my machines that are connected to the router are not able to connect to the internet unless I make the changes in LuCI.

I was able to understand why this is happening though. On Tailscale I am not using the default ACLs ({"action": "accept", "src": ["*"], "dst": ["*:*"]}) but instead have been using something more restrictive ({"action": "accept", "src": ["autogroup: member"], "dst": ["*:*"]}).
With my more restrictive ACLs the machines in the 192.168.8.0/24 subnet are not allowed access to the internet. The change in the LuCI configuration allows the machines of the subnet to masquerade as the router (from my understanding, thanks to this YouTube video) and thus to gain access to the Tailscale network and the internet.
I am not a fan of the way this LuCI firewall configuration is done, and I am still a bit afraid that it might be unsafe for some reason when not using the exit node. So instead I was able to set up a NAT rule so that traffic gets masqueraded as the router when using the tailscale0 device:

Name: Tailscale
Protocol: Any
Outbound Zone: Any Zone
Source Address: Any
Destination Address: Any
Action: MASQUERADE

Maybe it could be worth it to add a note about ACLs in the official documentation to help others find a solution that works for them.

And for the sake of completeness about my findings: adding {"action": "accept", "src": ["192.168.8.0/24"], "dst": ["*:*"]} to the ACLs also gives access to Tailscale and the internet, but it seems to be less safe in my opinion because any machine in the tailnet could expose a subnet like this.
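As an added illustration (not code from the thread or from GL.iNet/Tailscale), a small Python model of why the three ACL variants above behave differently for a host in 192.168.8.0/24, with and without the router masquerading it: it evaluates only the src side, since every rule in the thread uses dst "*:*", and the tailnet addresses, the member-node set and the LAN client address are constructed values.

```python
import ipaddress

# Constructed model of how Tailscale ACL "src" entries cover a packet's source.
# Assumption (not stated in the thread): a LAN host behind the subnet router keeps
# its 192.168.8.x source address on the tailnet unless the router masquerades it
# as its own tailnet address, which is what the MASQUERADE NAT rule does.

ROUTER_TS_IP = "100.64.0.1"                     # constructed: the Beryl AX's tailnet address
MEMBER_NODE_IPS = {"100.64.0.1", "100.64.0.2"}  # constructed: nodes owned by tailnet members
LAN_CLIENT_IP = "192.168.8.50"                  # constructed: a laptop behind the router

DEFAULT_ACL = [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]
RESTRICTIVE_ACL = [{"action": "accept", "src": ["autogroup:member"], "dst": ["*:*"]}]
SUBNET_ACL = RESTRICTIVE_ACL + [
    {"action": "accept", "src": ["192.168.8.0/24"], "dst": ["*:*"]},
]


def src_matches(entry: str, src_ip: str) -> bool:
    """Does one ACL src entry cover src_ip? (simplified: '*', autogroup:member, IP/CIDR)"""
    entry = entry.replace(" ", "")  # tolerate "autogroup: member" as written in the thread
    if entry == "*":
        return True
    if entry == "autogroup:member":
        # LAN hosts reached through a subnet route are not member-owned nodes.
        return src_ip in MEMBER_NODE_IPS
    # Anything else is treated as an IP or CIDR literal.
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(entry, strict=False)


def acl_allows(acls: list, src_ip: str) -> bool:
    """True if any accept rule has a src entry covering src_ip (dst is '*:*' throughout)."""
    return any(
        rule["action"] == "accept" and any(src_matches(s, src_ip) for s in rule["src"])
        for rule in acls
    )


def lan_client_reaches_internet(acls: list, masquerade: bool) -> bool:
    """Source the exit node sees: the router's tailnet IP if masqueraded, else the LAN IP."""
    src_ip = ROUTER_TS_IP if masquerade else LAN_CLIENT_IP
    return acl_allows(acls, src_ip)


if __name__ == "__main__":
    variants = [("default", DEFAULT_ACL), ("restrictive", RESTRICTIVE_ACL), ("subnet", SUBNET_ACL)]
    for name, acls in variants:
        for masq in (False, True):
            print(f"{name:11s} masquerade={masq!s:5s} -> {lan_client_reaches_internet(acls, masq)}")
```

The restrictive policy is the only one that denies the un-masqueraded LAN client, which is the symptom described in the post; the NAT rule works around it by making the client's traffic appear to come from the router, a member-owned node.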