Unable to establish TCP connection to subnet devices, ping works

Following this guide but skipping step 4 (see my rules below): Subnet routers and traffic relay nodes · Tailscale

I have two networks: 10.0.0.0/24 and 10.0.1.0/24.
The 10.0.0.0/24 network contains some non-tailscale devices.
There are various linux machines on 10.0.1.0/24, all connected to tailscale with --accept-routes.
The prefix 10.0.0.0/24 is being advertised by one of the linux machines acting as the tailscale subnet router (it has an IP on the 10.0.0.0/24 network).
All linux machines on 10.0.1.0/24 can "ping" and "tailscale ping" machines on 10.0.0.0/24.

The problem is I cannot establish any TCP connections:

curl 10.0.0.1
curl: (7) Failed to connect to 10.0.0.1 port 80: No route to host

Here are some detailed outputs for your info.

ip route show table 52
10.0.0.0/24 dev tailscale0
...
tailscale ping 10.0.0.1
pong from el8 (100.x.x.x) via <Internet>:39234 in 609ms
{
	"acls": [
		{
			"action": "accept",
			"users":  ["*"],
			"ports":  ["*:22", "*:80"]
		}
	],
	"ssh": [
		{
			"action": "check",
			"src":    ["autogroup:members"],
			"dst":    ["autogroup:self"],
			"users":  ["autogroup:nonroot", "root"]
		}
	]
}

The solution was to apply masquerade on the right zone (and the running profile too).

The following wasn't enough:

firewall-cmd --permanent --add-masquerade

I had to remove masquerade from the external zone (the previous command had added it there) and then add masquerade without the permanent flag to ensure the current profile had masquerade too.

firewall-cmd --add-masquerade --zone=public
firewall-cmd --permanent --add-masquerade --zone=public
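Added example, not from the original post: a small POSIX shell check that parses `firewall-cmd --list-all-zones` output, finds the zone that owns the LAN-facing interface, and reports whether that zone masquerades. The sample zone listing and the interface name eth0 are constructed to mirror the situation above (masquerade landed in the default zone while the interface sits in public); the firewall-cmd output format is assumed from current firewalld releases.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --list-all-zones` output (abridged).
# Mirrors the post: masquerade was enabled on "external", but the LAN-side
# interface and tailscale0 live in "public", which has masquerade off.
SAMPLE_ZONES='external
  target: default
  interfaces: 
  masquerade: yes

public (active)
  target: default
  interfaces: eth0 tailscale0
  masquerade: no
'

# zone_for_iface IFACE: read a zone listing on stdin, print the zone whose
# "interfaces:" line lists IFACE (zone headers start in column 1).
zone_for_iface() {
  awk -v want="$1" '
    /^[^ ]/ { zone = $1 }
    /^  interfaces:/ { for (i = 2; i <= NF; i++) if ($i == want) print zone }
  '
}

# masquerade_for_zone ZONE: read a zone listing on stdin, print yes/no for ZONE.
masquerade_for_zone() {
  awk -v want="$1" '
    /^[^ ]/ { zone = $1 }
    /^  masquerade:/ && zone == want { print $2 }
  '
}

# check_masquerade IFACE [ZONES_TEXT]: returns 0 when the zone owning IFACE
# masquerades, 1 when it does not, 2 when no zone lists IFACE. Without
# ZONES_TEXT it queries the live runtime configuration.
check_masquerade() {
  iface=$1
  zones=${2:-$(firewall-cmd --list-all-zones)}
  zone=$(printf '%s\n' "$zones" | zone_for_iface "$iface")
  [ -n "$zone" ] || { echo "no zone lists $iface"; return 2; }
  state=$(printf '%s\n' "$zones" | masquerade_for_zone "$zone")
  [ "$state" = yes ] && { echo "ok: $zone owns $iface, masquerade on"; return 0; }
  echo "masquerade is off in zone $zone (owns $iface); enable it with:"
  echo "  firewall-cmd --add-masquerade --zone=$zone"
  echo "  firewall-cmd --permanent --add-masquerade --zone=$zone"
  return 1
}

# Demo against the constructed sample; expected to report the mismatch.
check_masquerade eth0 "$SAMPLE_ZONES" || :
```

Pass `"$(firewall-cmd --permanent --list-all-zones)"` as the second argument to check the permanent configuration separately from the runtime one, since the two can disagree exactly as happened here.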