diff --git a/containers/mikrotik-tailscale/start-tailscale.sh b/containers/mikrotik-tailscale/start-tailscale.sh
index 30bc9e9..81ef3ce 100644
--- a/containers/mikrotik-tailscale/start-tailscale.sh
+++ b/containers/mikrotik-tailscale/start-tailscale.sh
@@ -7,22 +7,28 @@ echo "Setting Tailscale ARGS: $set"
 echo 1 > /proc/sys/net/ipv4/ip_forward
 echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 
-# Try to enable NAT for Tailscale (may fail on MikroTik due to limited kernel modules)
-# This is optional for basic Tailscale functionality
-# if iptables -t nat -A POSTROUTING -o tailscale0 -j MASQUERADE 2>/dev/null; then
-#     echo "NAT masquerading enabled"
-# else
-#     echo "Warning: Could not enable NAT masquerading (kernel modules not available)"
-#     echo "Tailscale will still work for basic connectivity"
-# fi
-
-tailscale update --yes
+# Enable NAT masquerading if requested (nat=true|yes|1)
+case "${nat:-}" in
+  true|yes|1)
+    if iptables -t nat -A POSTROUTING -o tailscale0 -j MASQUERADE 2>/dev/null; then
+      echo "NAT masquerading enabled"
+    else
+      echo "Warning: Could not enable NAT masquerading (kernel modules or iptables not available)"
+      echo "Tailscale will still work for basic connectivity"
+    fi
+    ;;
+  *)
+    # nat not set to true/yes/1 — skip NAT setup
+    ;;
+esac
 
 # Initialize and start Tailscale
 tailscaled > /dev/null 2>&1 &
 sleep 5
 tailscale up ${up}
-tailscale set ${set}
+if [ -n "${set}" ]; then
+  tailscale set ${set}
+fi
 
 while true; do
   tailscale netcheck