diff --git a/net/netns/netns_linux.go b/net/netns/netns_linux.go
index 1609320c4..5a607066b 100644
--- a/net/netns/netns_linux.go
+++ b/net/netns/netns_linux.go
@@ -26,7 +26,7 @@ import (
 //
 // Keep this in sync with tailscaleBypassMark in
 // wgengine/router/router_linux.go.
-const tailscaleBypassMark = 0x20000
+const tailscaleBypassMark = 0x80000
 
 // ipRuleOnce is the sync.Once & cached value for ipRuleAvailable.
 var ipRuleOnce struct {
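Review bot: The bypass mark is still defined twice, as an untyped integer here and as the string `"0x80000"` in wgengine/router/router_linux.go, and only the "Keep this in sync" comment keeps the two equal. The router comment says this mark identifies packets that tailscaled itself originated and that must not be routed over the Tailscale network, so a mismatch after a later edit would likely fail silently at runtime rather than at build time. Consider a small test that parses the router string with `strconv.ParseInt(s, 0, 64)` and compares it with this constant, or deriving the string from the integer in one shared place. The same applies to the `tailscaleBypassMark` line in the router_linux.go hunk.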
diff --git a/wgengine/router/router_linux.go b/wgengine/router/router_linux.go
index 2a6154fd7..f440faffe 100644
--- a/wgengine/router/router_linux.go
+++ b/wgengine/router/router_linux.go
@@ -37,13 +37,13 @@ import (
 const (
 	// Packet is from Tailscale and to a subnet route destination, so
 	// is allowed to be routed through this machine.
-	tailscaleSubnetRouteMark = "0x10000"
+	tailscaleSubnetRouteMark = "0x40000"
 	// Packet was originated by tailscaled itself, and must not be
 	// routed over the Tailscale network.
 	//
 	// Keep this in sync with tailscaleBypassMark in
 	// net/netns/netns_linux.go.
-	tailscaleBypassMark = "0x20000"
+	tailscaleBypassMark = "0x80000"
 )
 
 // netfilterRunner abstracts helpers to run netfilter commands. It
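Review bot: The comments on `tailscaleSubnetRouteMark` and `tailscaleBypassMark` say what each mark means, but not which fwmark bits they occupy or why those bits were chosen. A reader needs that when another tool on the host also sets packet marks. I would add a line above the const block such as `// Marks are single bits (18 and 19) of the 32-bit fwmark; rules should match them with a mask.`, adjusted to what the rule-building code does, which is outside this hunk. It is also worth confirming that rules installed by an older build with 0x10000/0x20000 are removed on upgrade, since nothing visible here shows that cleanup.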