diff --git a/config-example.yaml b/config-example.yaml
index dbb08202..4cf52346 100644
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -48,14 +48,29 @@ noise:
   private_key_path: /var/lib/headscale/noise_private.key
 
 # List of IP prefixes to allocate tailaddresses from.
-# Each prefix consists of either an IPv4 or IPv6 address,
-# and the associated prefix length, delimited by a slash.
-# It must be within IP ranges supported by the Tailscale
-# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
-# See below:
-# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
-# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
-# Any other range is NOT supported, and it will cause unexpected issues.
+# Each prefix consists of either an IPv4 or IPv6 address, and the associated prefix
+# length, delimited by a slash.
+#
+# -------------------------------------------------------------------------------
+# WARNING: OVERRIDING `prefixes` IS NOT SUPPORTED (except for taking a subset).
+#
+# The Tailscale client contains explicit and implicit assumptions about the default
+# CGNAT/ULA ranges. Using a non-standard range may work "for now" but can break
+# immediately (depending on features you use) or in a future Tailscale release.
+# When it breaks, it often manifests as hard-to-debug connectivity issues.
+#
+# Supported ranges:
+# - IPv4: 100.64.0.0/10 (CGNAT)
+# - IPv6: fd7a:115c:a1e0::/48 (ULA)
+#
+# If you need fewer IPs, use a *subset* of the defaults (e.g. 100.64.0.0/24), but
+# do not use ranges outside the defaults. Issues that reproduce only with
+# non-standard ranges may be labeled as "wontfix" and closed.
+#
+# References in the Tailscale client:
+# - IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
+# - IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
+# -------------------------------------------------------------------------------
 prefixes:
   v4: 100.64.0.0/10
   v6: fd7a:115c:a1e0::/48