SNAT on subnet routes breaks firewall return traffic
Warning | Connection Management | Updated Jan 4, 2026
Technologies:
How to detect:
When a subnet router has SNAT enabled (the default), Tailscale rewrites the source address of traffic it forwards into the advertised subnet, so the firewall sees every connection as originating from the subnet router's IP rather than from the Tailscale device that actually opened it. This breaks return traffic in environments with strict firewall rules between zones, and it also hides which Tailscale device is behind a given connection in firewall logs.
Recommended action:
Disable SNAT on each subnet router with 'tailscale up --advertise-routes=<subnet> --snat-subnet-routes=false' (repeat the full set of routes already advertised by that device, since the flag replaces the previous list). With SNAT off, hosts in the subnet reply directly to the Tailscale (100.64.0.0/10) source address, so the subnet's gateway or firewall must have a route for that range pointing back at the subnet router. Then verify in the firewall logs that connections arrive with Tailscale device IPs as their source rather than the router's IP.
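The two checks above (is SNAT still on for advertised routes, and what source IPs does the firewall actually see) as an added example, not taken from the page or from Tailscale's own tooling. It assumes the JSON printed by 'tailscale debug prefs' carries "AdvertiseRoutes" and "NoSNAT" keys, and the firewall log lines are constructed samples in a "src=<ip> dst=<ip>" format.

```python
"""Audit a subnet router's SNAT setting and verify what the firewall sees."""
import ipaddress
import json
import re

# CGNAT range that Tailscale assigns to devices; a source in this range means
# the firewall is seeing the real device, not the subnet router.
TAILSCALE_RANGE = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample of `tailscale debug prefs` output (assumed key names).
SAMPLE_PREFS = json.dumps({"AdvertiseRoutes": ["10.20.0.0/24", "10.30.0.0/24"],
                           "NoSNAT": False})

# Constructed firewall log lines; 10.20.0.5 is the subnet router's LAN IP.
SAMPLE_LOG = [
    "Jan 4 10:01:02 fw kernel: ACCEPT src=100.101.102.103 dst=10.30.0.8 dpt=443",
    "Jan 4 10:01:05 fw kernel: ACCEPT src=10.20.0.5 dst=10.30.0.8 dpt=443",
    "Jan 4 10:01:09 fw kernel: DROP src=100.64.7.9 dst=10.30.0.9 dpt=22",
    "Jan 4 10:01:12 fw kernel: ACCEPT src=192.168.1.20 dst=10.30.0.8 dpt=80",
]


def snat_fix_command(prefs_json):
    """Return the `tailscale up` command that disables SNAT while keeping the
    routes this device already advertises, or None if nothing needs doing."""
    prefs = json.loads(prefs_json)
    routes = prefs.get("AdvertiseRoutes") or []
    if not routes or prefs.get("NoSNAT", False):
        return None
    return ("tailscale up --advertise-routes=%s --snat-subnet-routes=false"
            % ",".join(routes))


LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)")


def classify_sources(log_lines, router_ip):
    """Count connections by what the firewall recorded as the source."""
    counts = {"tailscale_device": 0, "subnet_router": 0, "other": 0}
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        src = ipaddress.ip_address(match.group(1))
        if src in TAILSCALE_RANGE:
            counts["tailscale_device"] += 1   # SNAT is off for this flow
        elif str(src) == router_ip:
            counts["subnet_router"] += 1      # SNAT (or router-local) traffic
        else:
            counts["other"] += 1
    return counts


if __name__ == "__main__":
    print(snat_fix_command(SAMPLE_PREFS))
    print(classify_sources(SAMPLE_LOG, "10.20.0.5"))
```

A non-zero "subnet_router" count after the change means some flows are still being masqueraded (or originate from the router itself), which is worth checking before tightening zone rules.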