First I’d like to verify that I understand your situation correctly. You have a Linux server that is hosting containers. These containers have their own IP addresses in a private IP address space and you can’t reach them anymore when using some other device as an exit node.
When using the exit node feature, all destinations (including local networks) are sent to the exit node. This is a safety measure that we implemented to prevent accidentally accessing local networks when using an exit node. Depending on why you enabled the exit node feature, accessing the local network may be beneficial (e.g. at home) or may be unwanted (e.g. on a wifi network you don’t trust), so we chose the more conservative option. It’s possible that this will become configurable in future.
As another safety measure, we block access to private networks (RFC1918 ranges including 192.168.0.0/16, and a few others) on the exit node unless those are also advertised as subnet routes.
For now, as a workaround, on a Linux device you can set a packet mark in iptables to avoid the Tailscale routing table for the IP range you would like to access, which I think should solve your problem. Assuming your containers are on 10.0.0.0/24, the command would be:
iptables -t mangle -I OUTPUT 1 -d 10.0.0.0/24 -j MARK --set-mark 0x80000
Generally speaking, you should be able to leave that iptables rule in effect at any time, regardless of whether you're using an exit node or not, or even if tailscale is not running (it will only have side effects if other firewall or routing rules check for that mark, which is usually not the case).
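The workaround above is a single one-off command. The helper below is an added example, not code from the reply or from Tailscale: it wraps the same mark rule so it can be applied idempotently (using iptables' `-C` check mode before `-I`), validates the IPv4 CIDR before it reaches iptables, and includes a small matcher for `iptables -t mangle -S OUTPUT` output, which displays `--set-mark 0x80000` as `--set-xmark 0x80000/0xffffffff`. The CIDR 10.0.0.0/24, the sample listing and the function names are assumptions for illustration; the mark value 0x80000 is the one given in the reply. It covers IPv4 only (IPv6 would need the same rule in ip6tables).

```shell
#!/bin/sh
# Added example (not Tailscale's code): apply the "bypass the Tailscale routing
# table for one local CIDR" mark rule from the reply above, idempotently.

TS_MARK="0x80000"   # mark value quoted in the reply; not an invented constant

# Syntactic check for an IPv4 CIDR (a.b.c.d/n, octets 0-255, n 0-32).
valid_cidr() {
  case "$1" in
    */*) vc_ip=${1%/*}; vc_plen=${1#*/} ;;
    *)   return 1 ;;
  esac
  case "$vc_plen" in ''|*[!0-9]*) return 1 ;; esac
  [ "$vc_plen" -le 32 ] || return 1
  vc_oldifs=$IFS; IFS=.
  set -- $vc_ip          # split the address on dots into positional params
  IFS=$vc_oldifs
  [ "$#" -eq 4 ] || return 1
  for vc_oct in "$@"; do
    case "$vc_oct" in ''|*[!0-9]*) return 1 ;; esac
    [ "$vc_oct" -le 255 ] || return 1
  done
  return 0
}

# The rule spec (chain plus match/target) for a given CIDR; same rule as the reply.
bypass_rule_spec() {
  printf '%s' "OUTPUT -d $1 -j MARK --set-mark $TS_MARK"
}

# Return 0 if the rule for $1 appears in the given `iptables -t mangle -S OUTPUT`
# listing ($2). iptables renders --set-mark X as --set-xmark X/0xffffffff there.
rule_present_in() {
  printf '%s\n' "$2" | grep -Fqx -- "-A OUTPUT -d $1 -j MARK --set-xmark $TS_MARK/0xffffffff"
}

# Insert the rule only if iptables does not already have it (needs root).
ensure_bypass_rule() {
  valid_cidr "$1" || { echo "ensure_bypass_rule: bad IPv4 CIDR: $1" >&2; return 2; }
  if iptables -t mangle -C OUTPUT -d "$1" -j MARK --set-mark "$TS_MARK" 2>/dev/null; then
    echo "mark rule for $1 already present"
    return 0
  fi
  # shellcheck disable=SC2046  # the spec is deliberately word-split into arguments
  iptables -t mangle -I OUTPUT 1 -d "$1" -j MARK --set-mark "$TS_MARK" \
    && echo "inserted: $(bypass_rule_spec "$1")"
}

# Constructed sample of what `iptables -t mangle -S OUTPUT` prints on a host
# where the rule for 10.0.0.0/24 has already been added (assumed listing).
SAMPLE_LISTING="-P OUTPUT ACCEPT
-A OUTPUT -d 10.0.0.0/24 -j MARK --set-xmark 0x80000/0xffffffff"

# Usage: ./ts-bypass.sh 10.0.0.0/24   (only acts when a CIDR argument is given)
if [ "${1:-}" != "" ]; then
  ensure_bypass_rule "$1"
fi
```

The rule is not persisted across reboots by this script; whatever mechanism the host already uses to restore iptables rules at boot (iptables-persistent, nftables, a firewall service) is the place to put it.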