diff --git a/common/network/tailscale.nix b/common/network/tailscale.nix index fbb6127..bbd3baa 100644 --- a/common/network/tailscale.nix +++ b/common/network/tailscale.nix @@ -10,6 +10,10 @@ in config.services.tailscale.enable = mkDefault (!config.boot.isContainer); + # Trust Tailscale interface - access control is handled by Tailscale ACLs. + # Required because nftables (used by Incus) breaks Tailscale's automatic iptables rules. + config.networking.firewall.trustedInterfaces = mkIf cfg.enable [ "tailscale0" ]; + # MagicDNS config.networking.nameservers = mkIf cfg.enable [ "1.1.1.1" "8.8.8.8" ]; config.networking.search = mkIf cfg.enable [ "koi-bebop.ts.net" ];
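Review bot: Adding `tailscale0` to `networking.firewall.trustedInterfaces` makes the host firewall accept every inbound connection on that interface, so any service listening on all addresses becomes reachable from every tailnet peer and the tailnet ACL policy is the only remaining control. The new comment states that ACLs handle access control, but nothing in this hunk ensures the policy is restrictive; a tailnet left on an allow-all policy would expose every listening port. Because the file sits under `common/`, this presumably applies to every host that enables Tailscale. If only a few services need to be reachable over the tailnet, a narrower rule such as `config.networking.firewall.interfaces.tailscale0.allowedTCPPorts = mkIf cfg.enable [ 22 ];` (the port list is a constructed example) keeps the host firewall as a second layer. Otherwise, extend the comment to name the ACL policy this setting depends on; `cfg` is defined outside the hunk.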