X11 and Tailscale, firewall misbehaviour

Hi everyone,
we have an X11 installed in this environment:

  • LAN, with a single device exposing a SNMP service (UDP 161)
  • WAN, connected to a private network and a 4G, WAN is preferred in failover

The WAN side is enabled for ICMP/WebUI: in traffic rules, they are set

  • Allow ping (ICMP to wan/device address)
  • Enable WebUI WAN (TCP 80/443 to wan/device address)
    We also have NATted with Port forward the WAN IP / UDP 161 to the LAN internal device.

All was working fine (on WAN side, ping and webUI working, and also the SNMP NAT); a problem came up as soon as we installed the Tailscale VPN and enabled it.

Now, when the Tailscale connects, the WAN side goes in a complete “block” state (no ping, no web access, no port UDP 161 nat); the interface is ready and working (internet reachable through the wan interface); the device continue to be reachable on ping/webUI only on the LAN address/interface (even via Tailscale network).

If we manually restart the “/etc/init.d/network” service through SSH on the device, the WAN side seems to restore the ping/webUI/NAT services, but the router itself is not answering anymore to its LAN ip address through the Tailscale network (and on the Tailscale console is reported as “connected”).
We have also tried to switch to 4G as primary gateway, but no difference at all.

We have double checked all the Port forwards/Traffic rules, but there is no clues anywhere on why this happens.