`--snat-subnet-routes=false` incorrectly disables SNAT for Exit Node traffic

[AlexVranas]

What is the issue?

When configuring a Linux node as both a Subnet Router and an Exit Node, setting the flag --snat-subnet-routes=false results in a likely loss of internet connectivity for clients using that node as an Exit Node.

The expectation is that this flag should disable masquerading (SNAT) only for specific advertised local subnets, while maintaining standard masquerading for Exit Node traffic (0.0.0.0/0 and ::/0). Currently, the flag appears to be applied globally to all advertised routes, including the default route used for Exit Node functionality. This causes egress traffic to leave the physical interface with the original Tailscale source IP rather than the Exit Node's IP, leading to probable upstream drops.

The current workaround is separate the role of subnet router and exit node between two nodes if the subnet router must have SNAT disabled.

Steps to reproduce

1. Set up a Linux machine as a subnet router and exit node.
2. Run tailscale set --snat-subnet-routes=false on the exit node.
3. Attempt to use the exit node from another device on the tailnet.

Monitoring tcpdump on the exit node during step 3 shows the source IP of exit node traffic changing from the IP of the exit node to the Tailscale IP.

Are there any recent changes that introduced the issue?

N/A

OS

Linux

OS version

Debian 10 (Kernel: 6.1.0-40-amd64)

Tailscale version

1.94.1

Other software

N/A

Bug report

BUG-78dc74aec42f056e952ef98bb9b8f54d83fefede6151c8bc51ba2ec85e6c19b7-20260213221913Z-8fbc39e56169ec4c

[KevinLiang10]

After an internal discussion in our team, we found that these two features are pulling in opposite directions. --snat-subnet-routes=false is meant for situations where you want the devices on your local subnet to see the real Tailscale source IPs of connecting clients, rather than the subnet router's own IP. That's a reasonable thing to want, but it does require your local network to be set up to route return traffic back through the subnet router. Exit nodes on the other hand have a hard requirement that all traffic gets masqueraded, because the public internet has no way to route responses back to a 100.x.x.x Tailscale address. So when you combine the two on the same node you end up in a situation where one feature is trying to remove the very masquerading that the other feature depends on to function.

Getting these to coexist properly in iptables/nftables would mean adding per-prefix exemption rules that get kept in sync with advertised routes as they change, which is a meaningful chunk of added complexity for what we think is a pretty uncommon setup. Given that, we'd rather steer users toward running these two roles on separate nodes for now, which sidesteps the conflict entirely.

BTW @sailorfrag has some thoughts on how we might fix this. When he is back from vacation I'll get the update here.