How to configure the firewall when using Tailscale as a subnet router

Hello everyone!

I have a subnet 192.168.8.0/24, and OpenWRT uses 192.168.8.1. I also used 192.168.8.228 as a Tailscale subnet router, started with tailscale up --advertise-routes=<CIDR> --snat-subnet-routes=false --accept-routes, and connected it to another subnet, 192.168.5.0/24 (whose subnet router is 192.168.5.228). See Site-to-site networking · Tailscale Docs.

I also configured some zone forwarding and static routes on OpenWRT, and NAT rules as well, though I hope to disable those later. I didn't enable IP masquerading, because I hope to keep the original real IP address.

Now, 192.168.5.2 can access all servers in 192.168.8.0/24 (including web services), and 192.168.8.0/24 can ping 192.168.5.0/24 properly. But the problem is, when I use 192.168.8.2 to connect to a web server at 192.168.5.168, the connection is reset. I tracked the traffic on every router with tcpdump and found that the traffic on 192.168.5.228 and 192.168.8.228 is normal: the TCP SYN arrives at 192.168.5.168, which replies with a SYN-ACK via the subnet router, but 192.168.8.2 never receives it.

What should I do? Any ideas about how to debug this on OpenWRT or trace the traffic?

                         Internet
                             |
             ----------------------------------
             |                                |
        192.168.5.1                      192.168.8.1
         (Gateway)                        (OpenWRT)
             |                                |
      ----------------                 ---------------
      |              |                 |             |
192.168.5.228  192.168.5.168     192.168.8.228  192.168.8.2
(Tailscale     (Web Server)      (Tailscale     (PC)
 subnet router)                   subnet router)
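For the "trace the traffic" part, here is an added example that is not code from the original post: a POSIX shell script (runs under OpenWRT's busybox ash and awk) that reads a tcpdump -nn capture of the 192.168.8.2 to 192.168.5.168 flow taken on one hop and reports which directions of the TCP handshake that hop saw, so the same check can be run on each device in the diagram. It assumes tcpdump's default -nn line format; the capture lines inside it are constructed samples, not real traffic.

```shell
#!/bin/sh
# Added example, not code from the original post. It reads tcpdump -nn output
# captured on one hop for the 192.168.8.2 -> 192.168.5.168:80 flow, counts the
# SYN and SYN-ACK segments that hop saw and says whether both directions of the
# handshake passed it. Running it on OpenWRT, both subnet routers and the PC
# shows at which hop the SYN-ACK disappears. The capture lines further down are
# constructed samples, not real traffic.
CLIENT=192.168.8.2
SERVER=192.168.5.168

# handshake_seen <hop-name>   (reads "tcpdump -nn" lines on stdin)
# prints: <hop-name> syn=<n> synack=<n> <verdict>
handshake_seen() {
  awk -v hop="$1" -v c="$CLIENT" -v s="$SERVER" '
    $2 == "IP" && $6 == "Flags" {
      src = $3; sub(/\.[0-9]+$/, "", src)     # "192.168.8.2.51234" -> "192.168.8.2"
      dst = $5; sub(/\.[0-9]+:$/, "", dst)    # "192.168.5.168.80:" -> "192.168.5.168"
      fl = substr($7, 2, length($7) - 3)      # "[S]," -> "S", "[S.]," -> "S."
      if (src == c && dst == s && fl == "S")  syn++
      if (src == s && dst == c && fl == "S.") synack++
    }
    END {
      if (syn && synack)  v = "both directions seen"
      else if (syn)       v = "SYN only (no SYN-ACK crossed this hop)"
      else if (synack)    v = "SYN-ACK only (the SYN took another path)"
      else                v = "flow not seen"
      printf "%s syn=%d synack=%d %s\n", hop, syn + 0, synack + 0, v
    }'
}

# Constructed sample matching what the post reports on 192.168.8.228: both directions pass.
ROUTER_CAP='10:00:00.000100 IP 192.168.8.2.51234 > 192.168.5.168.80: Flags [S], seq 100, win 64240, length 0
10:00:00.010200 IP 192.168.5.168.80 > 192.168.8.2.51234: Flags [S.], seq 200, ack 101, win 65160, length 0'

# Constructed sample matching what the post reports on the PC: the SYN leaves, nothing returns.
PC_CAP='10:00:00.000000 IP 192.168.8.2.51234 > 192.168.5.168.80: Flags [S], seq 100, win 64240, length 0
10:00:01.000000 IP 192.168.8.2.51234 > 192.168.5.168.80: Flags [S], seq 100, win 64240, length 0'

printf '%s\n' "$ROUTER_CAP" | handshake_seen 192.168.8.228
printf '%s\n' "$PC_CAP"     | handshake_seen 192.168.8.2
```

On a live device, replace the sample with `tcpdump -nn -i <iface> 'host 192.168.8.2 and host 192.168.5.168' | handshake_seen <hop>`; a hop that reports "SYN only" while the previous hop reports both directions is where the reply path leaves the forward path.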