Can ping subnet machines but not access their services (e.g. port 80) from tailnet

I have a private network, 10.0.1.0/24, which contains some hosts with port 80 services.
On 10.0.1.0/24 I also have a Tailscale host which is also a subnet router - it has IPv4 forwarding.
Other devices on the tailnet can ping devices on 10.0.1.0/24 but cannot access said port 80 services.

My ACL:

// Example/default ACLs for unrestricted connections.
{
	// Declare static groups of users beyond those in the identity service.
	"groups": {
		"group:example": ["user1@example.com", "user2@example.com"],
	},

	// Declare convenient hostname aliases to use in place of IP addresses.
	"hosts": {
		"example-host-1": "100.100.100.100",
	},

	// Access control lists.
	"acls": [
		{
			"action": "accept",
			"users":  ["*"],
			"ports":  ["*:22", "*:3389", "*:80", "*:443"],
		},
	],
	"ssh": [
		// Allow all users to SSH into their own devices in check mode.
		// Comment this section out if you want to define specific restrictions.
		{
			"action": "check",
			"src":    ["autogroup:members"],
			"dst":    ["autogroup:self"],
			"users":  ["autogroup:nonroot", "root"],
		},
	],
}