Thanks for the reply — it took me a while to grab it and clean it.
Here is the whole ACL (I'm having issues posting this):
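// Example/default ACLs for unrestricted connections.
//
// NOTE(review): the forum paste turned every straight quote into a curly quote
// (which no HuJSON/JSON parser accepts) and appears to have dropped the "*"
// wildcard port from several "dst" entries (they ended in a bare ":"). Both are
// restored below; confirm against the original policy file before applying.
// This file is HuJSON (comments and trailing commas are intentional), not strict JSON.
{
  // Declare static groups of users. Use autogroups for all users or users with a specific role.
  "groups": {
    // "group:admin": ["user1"],
    "group:network": ["user2", "user1"],
    // "group:members": ["user3"],
  },
  // Define the tags which can be applied to devices and by which users.
  "tagOwners": {
    // only members of group:network can apply tag:network to a device
    // (the earlier comment said "all Tailscale admins", which did not match the value)
    "tag:network": ["group:network"],
  },
  "autoApprovers": {
    "routes": {
      // Routes inside these /24s advertised by a device tagged tag:network are
      // approved without a manual review in the admin console. Anyone who can
      // apply tag:network (group:network above) can therefore publish these routes.
      // (The earlier comment referred to 10.0.0.0/16, which does not match the keys.)
      "192.168.XXX.0/24": ["tag:network"],
      "192.168.XX.0/24": ["tag:network"],
    },
  },
  // Define access control lists for users, groups, autogroups, tags,
  // Tailscale IP addresses, and subnet ranges.
  "acls": [
    // every member can reach their own devices on any port
    {
      "action": "accept",
      "src": ["autogroup:members"],
      "dst": ["autogroup:self:*"],
    },
    // user1 can reach a fixed list of addresses: the first entry on a single port,
    // the remaining entries on any port. Note the third entry is a whole /24.
    // (Earlier comment said "all employees ... tag:network"; the rule is user1 only.)
    {
      "action": "accept",
      "src": ["user1"],
      "dst": [
        "192.168.XXX.XXX:XXXX",
        "192.168.XX.XX:*",
        "192.168.XX.0/24:*",
        "192.168.XX.XX:*",
        "192.168.XXX.XXX:*",
      ],
    },
    // group:network can reach every port on every device tagged tag:network
    {
      "action": "accept",
      "src": ["group:network"],
      "dst": ["tag:network:*"],
    },
    // group:network and devices in the two listed subnets can reach the firewall
    // on one port and the two remaining hosts on any port.
    // (Earlier comment named group:dev, which is not defined under "groups".
    // The two subnet entries read identically after redaction; if they really are
    // the same prefix, one of them is redundant.)
    {
      "action": "accept",
      "src": ["group:network", "192.168.XXX.0/24", "192.168.XXX.0/24"],
      "dst": ["192.168.XXX.XXX:XXXX", "192.168.XX.XX:*", "192.168.XXX.XX:*"],
    },
  ],
  // Readable shorthands for devices and networks.
  // None of the rules above reference these aliases yet; using them in "dst"
  // would keep the literal-address lists above easier to audit.
  "hosts": {
    "firewall": "192.168.XXX.XXX",
    "network": "192.168.XXX.XXX/24",
  },
  // Define users and devices that can use Tailscale SSH.
  "ssh": [
    // Allow all users to SSH into their own devices in check mode.
    // "root" is included alongside autogroup:nonroot, so root logins are
    // permitted (subject to the check-mode re-authentication).
    // Comment this section out if you want to define specific restrictions.
    {
      "action": "check",
      "src": ["autogroup:members"],
      "dst": ["autogroup:self"],
      "users": ["autogroup:nonroot", "root"],
    },
  ],
  // Test access rules every time they're saved.
  // This block is currently disabled; a test pinned to the rules above would
  // flag an accidental widening of "dst" on a later edit.
  // "tests": [
  //   {
  //     "src": "alice",
  //     "accept": ["tag:example"],
  //     "deny": ["xxx.xxx.xxx.xxx:443"],
  //   },
  // ],
}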