ACL Help Site to Site VPN

I’m using a pfSense Tailscale package to pfSense Tailscale package site-to-site VPN. I want everything to be able to talk to each other through the VPN, except my Plex server, which should not go through the VPN.

From what I understand of how Tailscale is routed in pfSense and FreeBSD, this has to be controlled through ACLs on Tailscale and not pfSense.

My question is: how would I accept all traffic except block one port from one PC?