ACL rules to accept subnets : r/Tailscale

Alright, so I created some ACL rules to separate traffic from my hosts, and there is a specific host that I want to give access to a subnet. Let me write them down here.

host1 is the client that needs to access the subnet

host-subnet is the client that is advertising said subnet.

Right now the only ACL rule that works for host1 to access the subnet is:

{ "Action": "accept",
  "Users": ["host1"],
  "Ports": ["*:*"]
},

I'd like to only allow host1 to access the host with the subnet instead, which per my understanding I was supposed to achieve using this:

{ "Action": "accept",
  "Users": ["host1"],
  "Ports": ["host-subnet:*"]
},

I can ping from host1 to host-subnet using their Tailscale IP addresses, but I'd like to be able to access the subnet being advertised only with that rule. Is that not possible?

Thank you.

EDIT: I got this to work simply by creating a rule for the subnet itself. I don't even need to allow host1 to communicate with host-subnet; I can just allow the subnet itself:

{ "Action": "accept",
  "Users": ["host1"],
  "Ports": ["192.168.0.0/24:*"]
},
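To make the behaviour in the post concrete, here is a small Python model of how the three quoted rules are evaluated. It is an added example, not Tailscale's own policy engine: it encodes one assumption that the post's own results support, namely that the destination side of a rule is compared against the packet's real destination IP, so traffic relayed through a subnet router carries the LAN address (192.168.0.x) rather than the router's Tailscale address, and a hostname entry therefore never covers the advertised range. The tailnet addresses (100.64.0.1, 100.64.0.2) and the LAN host 192.168.0.10 are constructed values, and the rules keep the legacy "Action"/"Users"/"Ports" spelling used in the post (current policy files spell these "action"/"src"/"dst").

```python
import ipaddress

# Constructed tailnet for the demonstration; these addresses are assumptions,
# not values from the post (Tailscale hands out 100.x.y.z addresses).
TAILNET_IPS = {
    "host1": ipaddress.ip_address("100.64.0.1"),
    "host-subnet": ipaddress.ip_address("100.64.0.2"),
}

# The three rules quoted in the post, one policy per name.
RULES = {
    "wildcard": [{"Action": "accept", "Users": ["host1"], "Ports": ["*:*"]}],
    "router-only": [{"Action": "accept", "Users": ["host1"], "Ports": ["host-subnet:*"]}],
    "subnet": [{"Action": "accept", "Users": ["host1"], "Ports": ["192.168.0.0/24:*"]}],
}


def port_matches(spec, port):
    """'*', a single port, or an inclusive 'low-high' range."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def dst_matches(entry, dst_ip, dst_port):
    """Match one "host:port" entry against a packet's destination.

    Modelled assumption: the host part is compared with the packet's actual
    destination IP. A hostname only covers that node's own Tailscale address;
    a CIDR covers every address inside it, which is what reaches a LAN host
    behind a subnet router.
    """
    host, port_spec = entry.rsplit(":", 1)
    if not port_matches(port_spec, dst_port):
        return False
    if host == "*":
        return True
    if host in TAILNET_IPS:
        return dst_ip == TAILNET_IPS[host]
    try:
        return dst_ip in ipaddress.ip_network(host, strict=False)
    except ValueError:
        return False  # unknown name or malformed entry: no match


def is_allowed(rules, src_host, dst_ip, dst_port=443):
    """Default-deny: traffic passes only if some accept rule matches src and dst."""
    dst_ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule["Action"] != "accept":
            continue
        if src_host not in rule["Users"] and "*" not in rule["Users"]:
            continue
        if any(dst_matches(e, dst_ip, dst_port) for e in rule["Ports"]):
            return True
    return False


def evaluate(rule_name):
    """Check host1 against the router's Tailscale IP and a LAN host behind it."""
    rules = RULES[rule_name]
    return {
        "router_tailscale_ip": is_allowed(rules, "host1", "100.64.0.2"),
        "lan_host_via_router": is_allowed(rules, "host1", "192.168.0.10"),
    }


if __name__ == "__main__":
    for name in RULES:
        print(f"{name:12s} {evaluate(name)}")
```

Running it shows the three outcomes from the thread: the wildcard rule reaches both the router and the LAN host (and everything else, which is why it is the least-privilege loser), the hostname rule reaches only the router's own Tailscale address, and the CIDR rule reaches the LAN host without granting host1 anything on the router itself. Swapping 192.168.0.0/24 for a narrower range, or "*" for a specific port, is the usual way to tighten the last rule further.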

    Has anyone been able to add such a rule without explicitly tagging the advertised subnet to be accessed?

    For me it’s still the same.
