Access to other private networks upstream to exit-node

Tailscale version 1.22.1

Perhaps I am misunderstanding what the documentation references as ‘exit nodes use default routes under the hood’, but I have a setup whereby I’d like to use a linux host as an exit-node. Upstream from it (towards the internet) its gateway knows about another network. However, unless I explicitly call out that network in tailscale as a shared network.

Tailscale exit-node:
exit-node next hop:
network known to the next hop (this is a layer 3 switch with other networks homed on it):

From my perspective, if I were to log into the tailscale host at as an exit-node I should be able to reach as it’s upstream from that host. However, I am only able to reach that network if I explicitly add a --advertise-routes= flag to the tailscale up command on the exit-node. Can anyone help with what I’m missing here? Is this a misunderstanding on my part of how default routes work or is there something going on under the hood in tailscale to block access to non-explicitly-defined private networks or the like?

Nodes on the tailnet are allowed to access the Internet via the exit node, but not the LAN of the exit node by default. Adding the --advertise-routes= means the exit node is also simultaneously operating as a subnet router, exporting its LAN address.

Right, that’s what I’ve noticed, but how is this accomplished in practice? In my case the network I’m referencing isn’t on the local network to the exit node, so is tailscale filtering all private networks?

Yes. autogroup:internet is used to allow internet access. It is a filter which excludes the non-routeable CIDR blocks.