diff --git a/services/mam-api/src/routes/cluster.js b/services/mam-api/src/routes/cluster.js
index 8c5f638..58e8cca 100644
--- a/services/mam-api/src/routes/cluster.js
+++ b/services/mam-api/src/routes/cluster.js
@@ -5,15 +5,16 @@ import { requireAuth } from '../middleware/auth.js';
 
 const router = express.Router();
 router.use(requireAuth);
 
-// If the agent reported a Docker-bridge IP (172.16/12) but the request
-// itself came from a real LAN address, prefer the request's source — the
-// agent likely runs in bridge mode without NODE_IP set.
+// If the agent reported Docker's default bridge IP (172.17.x) but the request
+// itself came from a real LAN address, prefer the request source IP instead.
+// We only check 172.17.x — the default docker0 bridge — not the full RFC1918
+// 172.16/12 block, since real LANs (e.g. 172.18.91.x) fall in that range.
 function pickIp(reportedIp, reqIp) {
   const clean = (s) => (s || '').replace(/^::ffff:/, '');
-  const isBridge = (ip) => /^172\.(1[6-9]|2\d|3[01])\./.test(ip || '');
+  const isDockerBridge = (ip) => /^172\.17\./.test(ip || '');
   const r = clean(reqIp);
   if (!reportedIp) return r || null;
-  if (isBridge(reportedIp) && r && !isBridge(r)) return r;
+  if (isDockerBridge(reportedIp) && r && !isDockerBridge(r)) return r;
   return reportedIp;
 }
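Review bot: `isDockerBridge(reportedIp)` is applied to the raw agent-supplied string while only `reqIp` passes through `clean()`, so a reported value in IPv4-mapped form (`::ffff:172.17.x.x`) skips the bridge check and is returned verbatim; normalise it first with `const reported = clean(reportedIp);` and test and return `reported` instead. Narrowing the match to 172.17.x also means agents attached to user-defined or Compose networks, which Docker allocates from 172.18.0.0/16 upward by default, are no longer corrected, so the comment should state that those deployments have to set the node address explicitly. Separately, `reportedIp` is returned with no syntax check at all; if callers outside this hunk store the result or connect to it, a `net.isIP(reported)` guard that falls back to `r` would keep malformed or non-address values from being registered as a node address.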