Tailscale vs firewalls and OS performance

I have installed Tailscale on Ubuntu 22.04 and I only get connections with relay or no connection at all. I have a Sophos XG firewall but I don't see a workaround in the documentation.

The documentation says:
"For other firewalls, if your connections are using DERP relays by default, try [opening a port to establish a direct connection]."
But in the linked page, "What firewall ports should I open to use Tailscale?", only connectivity from the Tailscale host is mentioned:

  • Let your internal devices initiate TCP connections to *:443
  • Let your internal devices initiate UDP from :41641 to *:*
  • Let your internal devices initiate UDP from :3478 to *:*

These connections are already allowed in my firewall. What is the documentation referring to? In my firewall, from the host to any, everything is allowed. Or should I open a port from the internet to the host?

The only blocked connections I see are the ones going to my firewall

I am using routes on the Ubuntu server host, and I have enabled IP forwarding for IPv4.

On the other hand,
do I get better performance if I install it on Linux vs Windows Server Core, due to WireGuard being part of the kernel?
Is there any guide on how to add SELinux to the equation without breaking anything?
Should I use Rocky Linux or Ubuntu?

If the Sophos Firewall has NAT-PMP, PCP, or UPnP port mapping protocols available, enabling them is likely to help by making it possible to know the port number to use.

Sophos doesn’t support that.

Will it work better if I open some ports to the internet? Is this documented? It's safe if it's properly secured; I mean, I know how to secure it, but I don't know if Tailscale is designed to work with ports open.
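As an added diagnostic example (not from this thread or from Tailscale itself), a script that classifies peers from `tailscale status --json` as direct or relayed, which is the first thing to confirm before opening inbound UDP 41641 on the firewall. The sample JSON is constructed, and the field names used (`Peer`, `HostName`, `Online`, `Relay`, `CurAddr`) are assumed to match what the CLI emits.

```python
import json
import subprocess

# Constructed sample of `tailscale status --json` output, trimmed to the
# fields this script reads. Replace with real output via run_tailscale_status().
SAMPLE_STATUS = """
{
  "Self": {"HostName": "ubuntu-gw", "TailscaleIPs": ["100.64.0.1"]},
  "Peer": {
    "nodekey:aaa": {"HostName": "laptop", "Online": true,  "Relay": "",    "CurAddr": "203.0.113.10:41641"},
    "nodekey:bbb": {"HostName": "office", "Online": true,  "Relay": "fra", "CurAddr": ""},
    "nodekey:ccc": {"HostName": "backup", "Online": false, "Relay": "",    "CurAddr": ""}
  }
}
"""


def run_tailscale_status() -> str:
    """Fetch live status from the local tailscaled (requires the tailscale CLI)."""
    return subprocess.check_output(["tailscale", "status", "--json"], text=True)


def classify_peers(status_json: str) -> dict:
    """Sort peers into direct, relayed (DERP) and offline.

    Assumption: CurAddr holds the ip:port of a direct path and is empty while
    traffic goes through a DERP relay, whose region code is in Relay.
    """
    status = json.loads(status_json)
    result = {"direct": [], "relayed": [], "offline": []}
    for peer in status.get("Peer", {}).values():
        name = peer.get("HostName", "?")
        if not peer.get("Online"):
            result["offline"].append(name)
        elif peer.get("CurAddr"):
            result["direct"].append((name, peer["CurAddr"]))
        else:
            result["relayed"].append((name, peer.get("Relay") or "unknown"))
    return result


def has_relayed_peers(result: dict) -> bool:
    """True when at least one online peer is stuck on a DERP relay."""
    return bool(result["relayed"])


if __name__ == "__main__":
    summary = classify_peers(SAMPLE_STATUS)
    for kind, peers in summary.items():
        print(f"{kind}: {peers}")
```

If `has_relayed_peers()` stays true after the outbound UDP rules above are confirmed, the next thing to test is whether the firewall performs symmetric NAT, which is what prevents the peers from learning a usable port.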