Unable to establish TCP connection to subnet devices, ping works

Following this guide, but skipping step 4 (see my rules below): Subnet routers and traffic relay nodes · Tailscale

I have two networks: and
The network contains some non-Tailscale devices.
There are various Linux machines on all connected to Tailscale with --accept-routes.
The prefix is being advertised by one of the Linux machines acting as the Tailscale subnet router (it has an IP on the network).
All Linux machines on can “ping” and “tailscale ping” machines on

The problem is I cannot establish any TCP connections:

curl: (7) Failed to connect to port 80: No route to host

Here are some detailed outputs for your info.

ip route show table 52 dev tailscale0
tailscale ping
pong from el8 (100.x.x.x) via <Internet>:39234 in 609ms
{
	"acls": [
		{
			"action": "accept",
			"users":  ["*"],
			"ports":  ["*:22", "*:80"]
		}
	],
	"ssh": [
		{
			"action": "check",
			"src":    ["autogroup:members"],
			"dst":    ["autogroup:self"],
			"users":  ["autogroup:nonroot", "root"]
		}
	]
}

The solution was to apply masquerade on the right zone (and the running profile too).

The following wasn’t enough:

firewall-cmd --permanent --add-masquerade

I had to remove masquerade from the external zone (the previous command actioned this) and then add masquerade without the --permanent flag to ensure the current profile had masquerade too.

firewall-cmd --add-masquerade --zone=public
firewall-cmd --permanent --add-masquerade --zone=public
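An added check, not from the original post, that reports whether the firewalld zone owning the subnet router's LAN-facing interface masquerades in both the runtime and the permanent configuration, which is the split this thread ran into. It assumes firewall-cmd is on the router and that the interface name is passed as an argument (eth0 is only a placeholder); FWCMD exists so the logic can be exercised with a stub instead of the real firewall.

```shell
#!/bin/sh
# FWCMD lets a test substitute a stub for the real firewall-cmd (assumption).
FWCMD="${FWCMD:-firewall-cmd}"

# zone_of_iface IFACE -> prints the firewalld zone that owns IFACE
zone_of_iface() {
    "$FWCMD" --get-zone-of-interface "$1"
}

# masq_state ZONE -> prints "runtime=yes|no permanent=yes|no"
# --query-masquerade exits 0 when enabled, 1 when not.
masq_state() {
    zone="$1"
    rt=no; pm=no
    "$FWCMD" --zone="$zone" --query-masquerade >/dev/null 2>&1 && rt=yes
    "$FWCMD" --permanent --zone="$zone" --query-masquerade >/dev/null 2>&1 && pm=yes
    echo "runtime=$rt permanent=$pm"
}

# check_masquerade IFACE -> returns 0 only when the interface's zone masquerades
# in BOTH runtime and permanent config; otherwise prints the missing half and
# the firewall-cmd invocation that fixes it, and returns 1.
check_masquerade() {
    iface="$1"
    zone=$(zone_of_iface "$iface") || return 1
    state=$(masq_state "$zone")
    case "$state" in
        "runtime=yes permanent=yes")
            echo "OK: zone '$zone' ($iface) masquerades in runtime and permanent config"
            return 0 ;;
        *)
            echo "MISSING on zone '$zone' ($iface): $state"
            echo "  fix runtime:   $FWCMD --zone=$zone --add-masquerade"
            echo "  fix permanent: $FWCMD --permanent --zone=$zone --add-masquerade"
            return 1 ;;
    esac
}

# Only probe the real firewall when an interface is given on the command line
# (run as root on the subnet router, e.g. ./check.sh eth0).
if [ -n "${1:-}" ] && command -v firewall-cmd >/dev/null 2>&1; then
    check_masquerade "$1"
fi
```

A result of "runtime=no permanent=yes" is the state the post describes: ping works, forwarded TCP fails with "No route to host" until the runtime config is updated too.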