diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
index cbd4f5196d5eb..73c41f326a1e1 100644
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -712,14 +712,26 @@ func (b *LocalBackend) linkChange(delta *netmon.ChangeDelta) {
 if delta.Major && shouldAutoExitNode() {
 b.refreshAutoExitNode = true
 }
- // If the PAC-ness of the network changed, reconfig wireguard+route to
- // add/remove subnets.
+
+ var needReconfig bool
+ // If the network changed and we're using an exit node and allowing LAN access, we may need to reconfigure.
+ if delta.Major && b.pm.CurrentPrefs().ExitNodeID() != "" && b.pm.CurrentPrefs().ExitNodeAllowLANAccess() {
+ b.logf("linkChange: in state %v; updating LAN routes", b.state)
+ needReconfig = true
+ }
+ // If the PAC-ness of the network changed, reconfig wireguard+route to add/remove subnets.
 if hadPAC != ifst.HasPAC() {
 b.logf("linkChange: in state %v; PAC changed from %v->%v", b.state, hadPAC, ifst.HasPAC())
+ needReconfig = true
+ }
+ if needReconfig {
 switch b.state {
 case ipn.NoState, ipn.Stopped:
 // Do nothing.
 default:
+ // TODO(raggi,tailscale/corp#22574): authReconfig should be refactored such that we can call the
+ // necessary operations here and avoid the need for asynchronous behavior that is racy and hard
+ // to test here, and do less extra work in these conditions.
 go b.authReconfig()
 }
 }
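Review bot: The new exit-node condition calls `b.pm.CurrentPrefs()` twice, so `ExitNodeID()` and `ExitNodeAllowLANAccess()` only come from the same prefs view if a lock taken outside this hunk covers both reads; take it once with `prefs := b.pm.CurrentPrefs()` and test `prefs.ExitNodeID() != "" && prefs.ExitNodeAllowLANAccess()`. Because the refresh still runs as `go b.authReconfig()`, the LAN carve-out computed for the previous network presumably stays installed until that goroutine finishes, so after a move to a different network there is a short window in which traffic to the old LAN prefixes is routed locally instead of through the exit node. The TODO names the raciness but not this consequence, so I would add to it something like `// Until authReconfig completes, the LAN routes still describe the previous network.` Note also that "updating LAN routes" is logged before the `b.state` switch, so it appears even in `ipn.NoState`/`ipn.Stopped` where nothing is reconfigured. linkChange starts and ends outside the hunk.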