Hi everyone,
I’m having a reproducible issue with my Beryl AX (GL-MT3000) when using Tailscale exit-node mode through my Flint (GL-MT6000). Hoping someone who has solved this can help.
Hardware / Firmware
- Flint MT6000: 4.8.3
- Beryl AX MT3000: 4.8.1
- Both routers online and accessible
Working Conditions
- Flint registers on Tailscale correctly
- Flint successfully advertises:
  - Subnet routes
  - Exit node
- Other devices (iPhone, iPad, laptop running Tailscale locally) can use Flint as exit node with no issues
- Beryl can connect to upstream WAN/WiFi normally
- Beryl can sign into Tailscale normally
- DNS and routing work until exit-node is selected
THE PROBLEM
The moment I toggle:
Use Exit Node → (MT6000)
Internet drops instantly for all LAN/WiFi clients behind the MT3000
DNS stops resolving
No ICMP, no routing
Tailscale remains “connected,” but no outbound traffic
Turning exit node off immediately restores internet.
Tailscale status on the MT3000 also shows:
DNS Unavailable – dns-forward-failing
This suggests DNS forwarding + NAT/MASQUERADE for tailscale0 is not being applied correctly on the MT3000.
What I suspect
- A bug in 4.8.x firmware related to the new Tailscale firewall zone
- Tailscale’s DNS/masq rules not persisting
- Missing or overridden NAT rules
- tailscale0 is not being masqueraded correctly on the MT3000
- Possibly a race condition on the Beryl’s dnsmasq when exit-node mode activates
What I’ve tried
- Different upstream networks (EE, Glide)
- Rebooting both routers
- Re-authorizing routes in Tailscale admin panel
- Resetting DNS settings
- Checking subnets for overlap (none)
Issue is consistent and only happens on the MT3000.
Need help with:
- Correct iptables/nftables rules for exit-node traffic
- Whether MT3000 should be downgraded (4.7.x?)
- Whether there is a patch for 4.8.1 Tailscale routing
- Anyone with a working MT3000 → MT6000 exit-node configuration
Support has GoodCloud access to both routers, but I’d love community insight on how you resolved this.
Thanks!
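
One way to test the "tailscale0 is not being masqueraded" suspicion from the post, as an added example that is not part of the original post or GL.iNet's firmware: the function follows chain jumps from POSTROUTING in an `iptables-save -t nat` dump, so a MASQUERADE rule that only applies to the WAN interface is not mistaken for one covering tailscale0. It assumes the router exposes its NAT rules through iptables; the zone and chain names and `eth0` in the sample dump are constructed.

```shell
#!/bin/sh
# Added example. masq_reachable IFACE: reads `iptables-save -t nat` text on
# stdin; exits 0 if a MASQUERADE target is reachable from POSTROUTING for
# packets leaving IFACE, else 1.
# Simplification: only -o matches and -j jumps are evaluated.
masq_reachable() {
    awk -v ifc="$1" '
    function walk(c,    i, t) {
        if (seen[c]++) return 0            # each chain is visited once
        for (i = 1; i <= n[c]; i++) {
            t = rule[c, i]
            if (t == "MASQUERADE") return 1
            if ((t in n) && walk(t)) return 1
        }
        return 0
    }
    $1 == "-A" {
        out = ""; tgt = ""; neg = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-o") { out = $(i + 1); neg = ($(i - 1) == "!") }
            if ($i == "-j") tgt = $(i + 1)
        }
        # Drop rules whose -o match excludes the interface under test.
        if (out != "" && ((out == ifc) == neg)) next
        rule[$2, ++n[$2]] = tgt
    }
    END { exit(walk("POSTROUTING") ? 0 : 1) }'
}

# Constructed fw3-style dump; zone/chain names and eth0 are assumptions.
# $1 = "masq" includes the tailscale zone MASQUERADE rule, else it is omitted.
sample_nat() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j zone_wan_postrouting
-A POSTROUTING -o tailscale0 -j zone_tailscale_postrouting
-A zone_wan_postrouting -j MASQUERADE
EOF
    if [ "$1" = masq ]; then echo "-A zone_tailscale_postrouting -j MASQUERADE"; fi
    echo COMMIT
}

# On the router itself: iptables-save -t nat | masq_reachable tailscale0
for v in masq none; do
    if sample_nat "$v" | masq_reachable tailscale0; then r=present; else r=MISSING; fi
    echo "sample '$v': MASQUERADE for tailscale0 $r"
done
```

Running the check before and after toggling the exit node shows whether the rule disappears at that moment or was never installed.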