diff --git a/rust/connlib/tunnel/proptest-regressions/tests.txt b/rust/connlib/tunnel/proptest-regressions/tests.txt
index 83b961fdf..ed8a22275 100644
--- a/rust/connlib/tunnel/proptest-regressions/tests.txt
+++ b/rust/connlib/tunnel/proptest-regressions/tests.txt
@@ -84,3 +84,4 @@ cc 28c9fbe9572e61da2342347e3e5c159f3d4a62e90f3d85d6b7911fd015845656
 cc ec2f348067458f6a7d3f2fbd1ab708a53fc27708440a3fcb6ed8557adc6db7d3
 cc 2984b737f902f82c96ffec888a624afd7117078c125822b85de908c05f8e0b4c
 cc 51ad9fe7ef585d42bd1a6369da810a5adb6d756e71aa393362e542f1560d0273
+cc b926f32ea3b2a04753bddd37be4804fd38fe35646e08507e68565883bd9fe2ed
diff --git a/rust/connlib/tunnel/src/tests/sim_client.rs b/rust/connlib/tunnel/src/tests/sim_client.rs
index d4e46a254..f7521cbc2 100644
--- a/rust/connlib/tunnel/src/tests/sim_client.rs
+++ b/rust/connlib/tunnel/src/tests/sim_client.rs
@@ -566,10 +566,13 @@ impl RefClient {
     }
 
     pub(crate) fn cidr_resource_by_ip(&self, ip: IpAddr) -> Option<ResourceId> {
+        // Manually implement `longest_match` because we need to filter disabled resources _before_ we match.
         self.cidr_resources
-            .longest_match(ip)
+            .matches(ip)
+            .filter(|(_, r)| !self.disabled_resources.contains(&r.id))
+            .sorted_by(|(n1, _), (n2, _)| n1.netmask().cmp(&n2.netmask()).reverse()) // Highest netmask is most specific.
+            .next()
             .map(|(_, r)| r.id)
-            .filter(|id| !self.disabled_resources.contains(id))
     }
 
     pub(crate) fn resolved_ip4_for_non_resources(