Help Setting up Tailscale

Hello! I hope you're doing well :sweat_smile:

I installed Tailscale on my Netgear RBR50V1 and enabled "LAN access". Everything works great for me. I also have AdGuard Home (AGH) installed on the router with Cloudflare DoH, so I wanted my ads to be blocked even when I'm using Tailscale outside my home network.

I installed it using the AGH guide from the OpenWrt wiki page, and so I also have the "firewall4 rule", which is:

Add a new rule to Network → Firewall → Port Forwards, setting “Protocol” as “UDP”, “Source zone” as “lan”, “External port” to 53, “Destination zone” as “unspecified” and “Internal IP Address” your router address (usually 192.168.1.1) and “Internal port” still 53. After saving and applying the rule, all UDP/53 traffic will be redirected to your router.

To do the adblocking outside the network, I added the OpenWrt router’s Tailscale IP address (shown in the Machines section) as a Global Nameserver in Tailscale DNS settings. That worked: my DNS queries go through AdGuard Home and ads are blocked even when I’m on mobile data.

The issue is that I invited a friend to my Tailscale network via "share" (just that OpenWrt machine) so his ads get blocked as well. I configured the same DNS settings for him, and DNS filtering works. However, even though he cannot access my LAN devices, he can still open the OpenWrt LuCI interface using the router’s Tailscale IP address.

What I want is:

  • His DNS requests should go through my AdGuard Home.
  • He should not be able to access LuCI or anything else on the router.
  • He should not have access to my LAN devices.

Yes, it is possible using firewall rules, but you need to provide more information.

To begin with, is the tailscale interface assigned to a dedicated firewall zone?

Yes,

config zone
        option name 'tailscale'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'tailscale'

The easiest way would be to create permissive/restrictive rules (order matters).

config rule
        option name 'Allow-Guest-DNS'
        option src 'tailscale'
        list src_ip '100.x.y.z' # <-- your friend tailscale IP address
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Deny-Guest-Router'
        option src 'tailscale'
        list src_ip '100.x.y.z'
        list proto 'all'
        option target 'REJECT'

config rule
        option name 'Deny-Guest-to-LAN'
        option src 'tailscale'
        option dest 'lan'
        list src_ip '100.x.y.z'
        list proto 'all'
        option target 'REJECT'
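Because firewall4 evaluates rules in file order, an allow rule that lands below a reject rule silently breaks DNS for the guest. The following helper is an added example, not code from the thread or from OpenWrt: it parses a `/etc/config/firewall` text in UCI syntax and checks that, for a given guest Tailscale IP, the port-53 ACCEPT rule comes before every REJECT rule that matches the same source. The sample config and the guest address are constructed.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the two-rule pattern shown in the reply above.
SAMPLE_FIREWALL = """
config rule
    option name 'Allow-Guest-DNS'
    option src 'tailscale'
    list src_ip '100.101.102.103' # constructed guest address
    option dest_port '53'
    option target 'ACCEPT'

config rule
    option name 'Deny-Guest-Router'
    option src 'tailscale'
    list src_ip '100.101.102.103'
    list proto 'all'
    option target 'REJECT'
"""

# config <type> ['name'] | option <key> <value> | list <key> <value>; value may be quoted or bare
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|(\S+)))?")

def parse_uci(text: str) -> List[Dict[str, object]]:
    """Minimal UCI parser: one dict per section; 'list' keys accumulate into lists."""
    sections: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = _LINE.match(raw.split('#', 1)[0])  # drop trailing comments
        if not m:
            continue
        kind, key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if kind == 'config':
            sections.append({'.type': key, '.name': value})
        elif kind == 'option':
            sections[-1][key] = value
        else:
            sections[-1].setdefault(key, []).append(value)
    return sections

def check_guest_rules(text: str, guest_ip: str) -> List[str]:
    """Return ordering problems for guest_ip; an empty list means the rules are sound."""
    rules = [s for s in parse_uci(text)
             if s['.type'] == 'rule' and guest_ip in s.get('src_ip', [])]
    problems, seen_reject, seen_dns = [], False, False
    for r in rules:
        if r.get('target') == 'REJECT':
            seen_reject = True
        elif r.get('target') == 'ACCEPT' and r.get('dest_port') == '53':
            seen_dns = True
            if seen_reject:
                problems.append(f"{r.get('name')} is after a REJECT rule; DNS will be blocked")
    if not seen_dns:
        problems.append('no ACCEPT rule for port 53 found')
    if not seen_reject:
        problems.append('no REJECT rule found; guest can reach the router')
    return problems
```

Run `check_guest_rules(open('/etc/config/firewall').read(), '100.x.y.z')` on the router (or on a copied config) and fix any rule it reports before applying.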

I'll try this and let you know

This worked: he can't access LuCI or anything else, but now the problem is that it says "DNS probe started" and websites fail to load?

Does your friend use your router only as a DNS server or also as an exit node?

DNS server only, no exit node. By the way, is it possible if I don't have AGH and am using adblock-lean as the adblocker, and let that be used instead?

It doesn't matter what adblocker you use as long as the resolving service listens on port 53.

Yeah it does, but when I click on any link it doesn't load up.

Oh yeah, it doesn't work for me either now. It was working well for both of us when I had AGH.

I think I found the issue but how do I fix this :sweat_smile:

[Mar 9, 2026, 3:01:01 AM GMT+5] daemon.warn: dnsmasq[1]: ignoring query from non-local network 100.x.x.x (logged only once)

uci set dhcp.@dnsmasq[0].localservice='0'
uci commit dhcp
/etc/init.d/dnsmasq restart

I tried this; it still didn't work, and it also messed up my internet overall. It showed connected but no internet at all, and I had to reset to get internet to work.