I see... your node is bouncing back and forth between easy NAT and hard NAT. And Tailscale only advertises your locally configured listening $PORT environment variable (blended with your STUN-discovered IP) as a sort of last ditch desperate move when you're in hard NAT mode. When you're found to be in easy NAT mode, that endpoint (type EndpointSTUN4LocalPort) is no longer announced.

I suppose we could send that more aggressively. Perhaps:

• if a port is set at all, which is rare.
• if we've ever seen hard NAT for this node

But does this break Tailscale connectivity? You didn't mention if this is just something you noticed, or whether it's a problem.

Out of curiosity, what's your upstream router? A "SoftAtHome" it looks like? Which ISP is that?

Thanks for analyzing this! It's shitty Orange Funbox 6 router (Poland). I'm sure hardware is by SoftAtHome.

I've reported UPnP issue with it here: #14344

Unfortunately I can't easily change it because it's somehow integrated to Orange infrastructure. Certain router settings are available via usual admin interface (using router LAN IP). But certain settings can be changed from ISP web interface.
WAN port is connected to Fiber converter and runs PPPoE. In any case I've very limited access to settings. I know that UPnP mostly works, but tailscale fails sometimes. syncthing works stable.

Also it looks like port forwarding works (or mostly works). Could tailscale be confused by periodic downtime? I'm getting normal globally reachable IPv4 dynamic address. I think they need to break PPPoE session for some time to change it.

Another thing that I've access to is "DMZ" setting. I think that I can give up on this and put another router just after this thing. But I've not checked that it works and not sure whether UPnP will work with this. I think new should also be DHCP server and default gateway because otherwise I'll get #5502

That node is 'pihole'. And my tailnet is configured to use it as DNS override. So this issue breaks direct connectivity to phone over LTE. DERP mostly works but it feels much more laggy. I've even tried to host own DERP with much smaller latency than your Poland DERP servers. But it's also' tricky due to DNS issues. Periodically whole tailnet is stuck somehow and logs are full of DNS query errors to access control servers. I've found that it's much better if DERP server has both IP and domain name in ACL and if DERP server is configured so that /bootstrap-dns provides DNS info for control servers. But for some reason it's still happens sometimes.

PS. If you're talking about PORT= in /etc/default/tailscale I think it's always set and passed as tailscaled --port and your idea is to announce only if it's not default.