diff --git a/Dockerfile b/Dockerfile
index 118f35b..d96090c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -157,6 +157,25 @@ RUN mkdir -p /out/usrlocalbin && \
     ln -s /usr/local/bin/tailscale.combined /out/usrlocalbin/tailscale && \
     ln -s /usr/local/bin/tailscale.combined /out/usrlocalbin/tailscaled
 
+# Entrypoint wrapper: enable IP forwarding inside the container's network
+# namespace, then exec tailscaled. tailscaled does NOT reliably enable IPv6
+# forwarding itself in a container netns ("IPv6 forwarding is disabled" warning),
+# which silently breaks advertised IPv6 subnet routes. The sysctls ARE writable
+# from inside a RouterOS container, so we set both here. Written in the builder
+# stage so it ships in the same single /usr/local/bin COPY layer (preserves the
+# overlayfs single-copy property). `exec` keeps tailscaled as PID 1.
+RUN printf '%s\n' \
+      '#!/bin/sh' \
+      '# Enable IPv4/IPv6 forwarding (best-effort; sysctls are writable inside' \
+      '# a RouterOS container netns). Required for advertised subnet routes and' \
+      '# exit-node functionality.' \
+      'for f in /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv6/conf/all/forwarding; do' \
+      '  if [ -w "$f" ]; then echo 1 > "$f" 2>/dev/null || echo "warn: could not write $f"; fi' \
+      'done' \
+      'exec /usr/local/bin/tailscaled "$@"' \
+      > /out/usrlocalbin/entrypoint.sh && \
+    chmod +x /out/usrlocalbin/entrypoint.sh
+
 # =============================================================================
 # Stage 2: Custom minimal busybox
 # =============================================================================
@@ -274,7 +293,9 @@ ENV PATH=/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 # -----------------------------------------------------------------------------
 VOLUME ["/var/lib/tailscale"]
 
-ENTRYPOINT ["/usr/local/bin/tailscaled"]
+# entrypoint.sh enables IP forwarding (incl. IPv6) in the container netns, then
+# exec's tailscaled with the CMD flags below as its arguments.
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
 
 # Default flags:
 #   --no-logs-no-support  disables logtail uploads (logtail binary code is
diff --git a/docs/DESIGN.md b/docs/DESIGN.md
index 7755d40..07d4be4 100644
--- a/docs/DESIGN.md
+++ b/docs/DESIGN.md
@@ -70,8 +70,21 @@ in a future release stays omitted until deliberately added to the Dockerfile.
   saves a real ~195 kB of flash (424 kB → 229 kB), not just transfer size.
 
 The final image is built `FROM scratch` — there is no base distro layer.
-It contains only the busybox binary + applet symlinks, the CA bundle, and
-the Tailscale binary.
+It contains only the busybox binary + applet symlinks, the CA bundle, the
+Tailscale binary, and a tiny `entrypoint.sh`.
+
+### Entrypoint: IP forwarding
+
+`ENTRYPOINT` is a small `entrypoint.sh` that enables IPv4 and IPv6 forwarding
+(`net.ipv4.ip_forward`, `net.ipv6.conf.all.forwarding`) in the container's
+network namespace, then `exec`s `tailscaled` (so the daemon stays PID 1). This
+is necessary because `tailscaled` does **not** reliably enable IPv6 forwarding
+itself inside a container netns — it logs "IPv6 forwarding is disabled" and
+advertised IPv6 subnet routes silently fail. The sysctls are writable from
+inside a RouterOS container, so the entrypoint sets them directly; no
+host-side or `/container` configuration is required. The script is created in
+the builder stage so it ships in the same single `/usr/local/bin` `COPY` layer
+(preserving the [single-copy property](#avoiding-overlayfs-layer-duplication)).
 
 ### Avoiding overlayfs layer duplication
 
diff --git a/docs/USAGE.md b/docs/USAGE.md
index e8e9a27..74640e3 100644
--- a/docs/USAGE.md
+++ b/docs/USAGE.md
@@ -95,7 +95,8 @@ The daemon is now running but **not yet authenticated**.
 
 ### 5. Authenticate
 
-> This image runs `tailscaled` directly and does **not** bundle Tailscale's
+> This image runs `tailscaled` via a tiny entrypoint (which enables IP
+forwarding, then `exec`s the daemon) and does **not** bundle Tailscale's
 `containerboot` wrapper, so the `TS_AUTHKEY` environment variable is **not**
 read automatically. You authenticate with `tailscale up --authkey=...` after the
 container starts.
@@ -119,6 +120,12 @@ The node now appears in your Tailscale admin console. Approve the advertised
 routes / exit node there. Because the auth state is written to the persisted
 `tailscaled.state`, you only do this once — it survives reboots and updates.
 
+> **IP forwarding** (IPv4 and IPv6) is enabled automatically by the container's
+> entrypoint, so advertised subnet routes and exit-node traffic work without any
+> extra `sysctl`/`/container` configuration. (IPv6 forwarding in particular is
+> not reliably enabled by `tailscaled` itself inside a container network
+> namespace, so the entrypoint sets it explicitly.)
+
 ### 6. Enable automatic updates
 
 First, edit the `CONFIG` block at the top of `routeros/update-tailscale.rsc` if