Hello.
I have read the ACL examples here https://tailscale.com/kb/1018/acls#hosts
but I don’t understand how to easily declare that only host1 and host2 can talk to each other…
I have a solo account where I am the only user with 10 devices, but I need only the two Proxmox servers to be isolated from the other hosts and to communicate only with each other.
Is this possible?
Right now I’m doing this with firewall rules on each Proxmox host, allowing connections from both Tailscale machines on port 22, and allowing the desktop computer to connect on port 8006.
Yes, I want only the two Proxmox hosts to be able to see each other; the rest of the devices should not be able to communicate with the 2 hosts, and vice versa.
One thing people sometimes miss about ACL tags is that if you assign them to a device, then that device loses the automatic permissions granted by being created by that user. That is, ACL tags replace the permissions, rather than augmenting them. This lets you create “zero trust” style restrictions between nodes, also known as RBAC or ABAC.
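A tag-based policy for the setup discussed in this thread, as an added example that is not part of the original posts. The tag name `tag:proxmox`, the owner `user@example.com`, the host alias `desktop` and its address `100.64.0.10` are assumed placeholders; ports 22 and 8006 are the ones from the question.

```json
{
  // Only the account owner may apply the tag (placeholder address).
  "tagOwners": {
    "tag:proxmox": ["user@example.com"]
  },

  // Constructed alias for the desktop allowed to reach the web UI.
  "hosts": {
    "desktop": "100.64.0.10"
  },

  "acls": [
    // The two tagged Proxmox nodes reach each other on SSH only.
    { "action": "accept", "src": ["tag:proxmox"], "dst": ["tag:proxmox:22"] },

    // The desktop reaches the Proxmox web interface only.
    { "action": "accept", "src": ["desktop"], "dst": ["tag:proxmox:8006"] },

    // Untagged devices owned by the user keep talking to each other.
    // Tagged nodes are no longer owned by the user, so this rule
    // does not include them as source or destination.
    { "action": "accept", "src": ["user@example.com"], "dst": ["user@example.com:*"] }
  ],

  // Policy tests are evaluated when the file is saved; a failing
  // test rejects the change.
  "tests": [
    {
      "src": "tag:proxmox",
      "accept": ["tag:proxmox:22"],
      "deny": ["tag:proxmox:8006"]
    },
    {
      "src": "desktop",
      "accept": ["tag:proxmox:8006"],
      "deny": ["tag:proxmox:22"]
    }
  ]
}
```

Both Proxmox nodes need `tag:proxmox` applied (in the admin console or with `tailscale up --advertise-tags=tag:proxmox`) before these rules take effect, and the default allow-all rule must be removed from the policy.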