If it's still not working with the tailscale zone added, you can try further enabling masq for that tailscale zone.
Enabling masq for tailscale gives the most connectivity if the other end doesn't enable "accept routes", or if it isn't enabled in the Tailscale admin console.
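As an added example (not part of the reply above), here is what that looks like in an OpenWrt firewall configuration, assuming the UCI `/etc/config/firewall` format with fw4, which the terms "zone" and "masq" suggest, and assuming the Tailscale interface is named `tailscale0`:

```uci
# /etc/config/firewall (fragment, assumed names)
# Zone for the Tailscale interface. Only the options shown are assumed here;
# tighten input/forward to REJECT if you only need the explicit forwardings below.
config zone
	option name 'tailscale'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# masq=1: traffic from lan leaving via tailscale0 is source-NATed to the
	# router's own Tailscale address, so the remote peer needs no subnet route
	# (no --accept-routes, no approval in the admin console) to reply.
	option masq '1'
	list device 'tailscale0'

# Allow LAN hosts to reach Tailscale peers (reply traffic is stateful).
config forwarding
	option src 'lan'
	option dest 'tailscale'

# Allow Tailscale peers to reach LAN hosts; drop this if the tailnet should
# only be reachable from the LAN side and not the reverse.
config forwarding
	option src 'tailscale'
	option dest 'lan'
```

Apply with `/etc/init.d/firewall restart` and check `nft list ruleset | grep -i masq`. The trade-off: with masq on, every LAN host appears to the remote peer as the router's single Tailscale address, so per-host ACLs on the peer can no longer tell them apart; without masq you need the subnet route advertised and accepted, which is what "accept routes" in the reply refers to.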