Guest network can access tailscale subnets

I have tailscale setup on a Slate Plus and AX. On both devices, the guest network can access the tailscale subnets via the advertised routes. I had created a traffic rule in firewall to block this but this doesn’t seem to be working. Can anyone help?

For reference, my LAN is 10.192.x.y and the advertised routes are 10.190.x.y- the 10.190 network shouldn’t be able to be accessed from the guest network.