Feedback on Tailscale implementation, v4.2 firmware

I’ve been playing with Tailscale on a GL-AR300M (NAND) and a GL-MT2500.

Standard OpenWRT/Luci with the packages pulled down from the public repos has been the best result for me. I don’t see the GL.iNet web UI as a useful thing. Luci and ssh/command line are better options. Configuring Tailscale on command line and firewall in luci.

have been running the tailscale 1.36.0 versions on
shadow: OpenWrt 22.03.3, r20028-43d71ad93e
brume2: OpenWrt 21.02-SNAPSHOT, r15812+873-46b6ee7ffc. (beta2)

pulled tailscale ipk files from:

Welcome to the forum. I am sure that a lot of users here including myself would greatly disagree with your statement of “I don’t see the GL.iNet web UI as a useful thing”. It has been incredibly useful for someone like myself who does not wish to use Luci or command lines.


I think early iterations of the GLI UX did provide a good bit of value add, especially for less technically inclined users. I don’t necessarily have a problem with many of the “features” that have been added in recent releases, but unfortunately the some of the choices that have been made in their implementation break basic functionality for other packages in the OS (including Tailscale, ironically). To me, that is where the GL.iNet UX transitions from a minor value add to a substantial negative. I get that I’m in a minority with that view, but the stock firmware build actually hinders me from using the device as I would like to.

primum non nocere

some feedback form my side - I want the physical switch to be able to toggle tailscale exit node tunnel. It’s my primary VPN, so it would be very useful for me if I could flick the switch and then all traffic goes over my selected tailscale exit node

(not related to tailscale - but turning on/off DNS-over-TLS/HTTPS (NextDNS) as a switch would also be very useful for dealing with captive portals, then enabling DNSoH again after authentication succeeded)


Latest snapshot, having the same issue that was reported here: Router is able to ping and connect to devices within the tailnet, but devices connected to the router aren’t able to do so

Same for MagicDNS

You might try disabling mwan3:

You’ll also have to create a tailscale interface and firewall rules in luci, but I assume if exit-node works, normal outbound traffic will too.

Can you go more into detail what settings you did to get tailscale in general working? Added a new unmanaged interface in luci and assigned it to the tailscale interface, added firewall rules to allow to/from lan/wan.

Also tried adding static routes to manage the entire 100.x.x.x address space and route it over the tailscale device, but my clients are still not able to get a connection going. Just ends up timing out.

Did you disable mwan3 as described in the thread I sent?

Actually just managed to get it working (like it usually is after posting publicly about being stuck :p)

What I did:

  • In luci, go to interfaces, add new unmanaged interface. Name tailscale, Firewall settings: Create new zone “tailscale”, Interface: tailscale0
  • In firewall settings, add new zone forwarding for tailscale → lan, tailscale → wan, lan → tailscale
  • In firewall settings, go to NAT Rules, add new NAT rule: Protocol: any, Outbound zone: any, Source/Destination: any, Action: masquerade. Go to “Advanced Settings” and set “Outbound device” to tailscale0 interface

Rebooted the router and now all my clients are able to communicate to devices within the tailnet

While it’s working now, these steps shouldn’t be necessary at all if tailscale is considered to be first-party supported. it should setup those firewall routes automatically, similar to how OpenVPN is handled, when these checkboxes are set:


Last one, I managed to get MagicDns on my clients working as well.

Trick is to set DNS forwarding for your tailscale domain to the tailscale DNS server (

In Luci: Network → DHCP and DNS → Add a forwarding record like '/'

Honestly, this is pretty great. I can access my entire tailnet just by having the router connected. There are some security implications of using the router as gateway into the tailnet (ACL, etc.) but still very cool. Makes me wish the UniFi UDM I’m using as my primary router had similar functionality

1 Like

what sort of magic is in the included 1.32.2-dev version of tailscale that is not in the mainline tailscale repo?

I am able to get the 1.32.2-dev version to work with using an exit node on a new beryl AX but if I pop in 1.36.x nothing can get out of the router. tailscale stops connecting and no traffic passes through.

I am familiar with the mwan3 and firewall rule 52 type stuff, not finding the current issue that just makes tailscale work fine other than when using an exit node.

It changes the tailscale ip route table to 55 and chunks an extra 0 on the bypassmark/marknum.

You could probably look at the patch in the repo and alter it based on any changes to linux_router.go.


with above setting,
client(subnet: did not connect to tailscale device(subnet:,
and tailscale device did not also connect to
but finally resolved problem with cli command like below.

sudo tailscale up  --advertise-routes= --accept-routes


do you have any news for an “advanced panel” for choosing another controler server ?
i’am on an AXT1800 model

and i thanks FountainHospital for the mini guide :slight_smile:

but finally resolved problem with cli command like below.

sudo tailscale up  --advertise-routes= --accept-routes

I found that this cli command must be needed if IPv6 with NAT setting.
With IPv6 Native or Passthrough or Disabled IPv6, above GUI setting may work properly.

Hi @FountainHospital thanks for this tutorial. This is exactly what I’m looking to do instead of setting up tailscale on each client.

I am struggling with your setup though. Do you think you could help me? I followed the interface and firewall setup exactly like you described, but here’s what I get when everything is done:

ping /t

Pinging with 32 bytes of data (ping from a client connected to the router with tailscale):
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from bytes=32 time=210ms TTL=63
Reply from bytes=32 time=38ms TTL=63
Reply from bytes=32 time=40ms TTL=63
Request timed out.
Request timed out.

My tailscale SSH sessions connect and on the first keypress they disconnect. Looks like some settings fight with each other. Also, I cannot access advertised routes from other nodes.
I can provide logs/screenshots if necessary.
P.S. I am using Beryl AX MT-3000 FW v4.2.1

Did some more testing. Enabled one of tailscale exit nodes. The router itself reports exit node IP, but a client connected to the router reports router’s WAN IP. Before setting up these firewall rules, when I enabled exit node - all traffic stopped and clients did not get internet. Not good…

Tried to disable mwan3 - no changes. Reverting back.

My main goal is not to access the router via WAN or LAN, but to access my tailnet via the router from devices connected to it

Sorry I’m not fully sure. I just checked my setup and it’s mostly what I wrote in my previous 2 posts, of course with Tailscale turned on in the normal gl-inet router settings. Then added DNS forwarding for my tailscale domain

DNS forwarding is a bit wonky and sometimes my domain works, sometimes it doesn’t. But direct IP so far has been working for me

I’m not using the exit-node stuff currently but I’ll see if I have some time later to poke around with it

Disabling mwan3 is pretty key here, in my experience.

@jdub I tried disabling mwan3 - this lead me to no changes…
I read on on one of the threads here that tailscale process keeps restarting and this is what I experience as well. Even going back to GL.Inet GUI I can see Tailscale Connecting (yellow) … Connected (green) … Connecting … Connected.
I think when the next firmware arrives I’ll try to wipe all tailscale leftovers and try again,

When trying to manually add firewall rules via a Tailscale interface, something causes a tailscale down/tailscale up loop

This is my experience now. I like the idea of not touching GL.Inet UI (until they work on it) and doing it all in luci/SSH. I will try it in the next few days.
From what I’ve gathered so far --advertise-routes is necessary not only for inbound (from tailnet to router) but also for outbound: Clients → Router with TS → tailnet.
Disabling mwan3 is critical for the exit node functionality, which I am currently not too concerned but nice to have working

Oh… Yeah, I also edited the service file to delete the line they added that does the service start/restart based on the gui. Essentially it “works” if you remove all the Gl.iNet stuff