Hi there!
I’d like to set up an ACL that only allows one computer (a Pi) to communicate with my Synology NAS over the Tailscale VPN.
I think if I lay it out this way, it’s easier to understand:
- Raspberry Pi can be communicated to by all devices
- Synology can only be communicated to by the Raspberry Pi
Is this possible? Could someone explain how to set this up if so?
Thank you!
I’ve come up with this.
{
  "acls": [
    // all users can access each other and pi
    {
      "action": "accept",
      "users": ["device1", "device2"],
      "ports": ["device1:*", "device2:*", "pi:*"],
    },
    // synology and pi can access each other
    {
      "action": "accept",
      "users": ["pi", "synology"],
      "ports": ["pi:*", "synology:*"],
    },
  ],
  // Readable shorthands for devices and networks.
  "hosts": {
    "device1": "x",
    "device2": "x",
    "pi": "x", // placeholder
    "synology": "x",
  }
}
The current issue is that in the Rule Preview, it only shows the first rule (“All users can access each other and pi”).
How can I get the second rule to be acknowledged?
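
As an added example (not part of the original posts, and not Tailscale's own code), here is a small Python model of the posted policy that lists which hosts can reach which and checks the two goals from the question. It assumes default deny and simplified matching on host names only; `POLICY`, `HOSTS` and the function names are made up for this sketch.

```python
# Constructed model of the policy posted above; host names stand in for the
# placeholder addresses. Assumption: default deny, and a rule allows a
# connection when the source is in "users" and the destination host in "ports".
POLICY = [
    {"action": "accept", "users": ["device1", "device2"],
     "ports": ["device1:*", "device2:*", "pi:*"]},
    {"action": "accept", "users": ["pi", "synology"],
     "ports": ["pi:*", "synology:*"]},
]
HOSTS = ["device1", "device2", "pi", "synology"]


def allowed(policy, src, dst):
    """True if any accept rule lets src open a connection to dst (any port)."""
    for rule in policy:
        if rule["action"] != "accept" or src not in rule["users"]:
            continue
        if any(p.rsplit(":", 1)[0] == dst for p in rule["ports"]):
            return True
    return False  # no matching rule: denied


def reachability(policy, hosts):
    """Map each destination to the sorted list of other hosts that can reach it."""
    return {dst: sorted(s for s in hosts if s != dst and allowed(policy, s, dst))
            for dst in hosts}


def violations(policy, hosts):
    """Check the two goals: everyone reaches pi; only pi reaches synology."""
    reach = reachability(policy, hosts)
    problems = []
    missing = set(hosts) - {"pi"} - set(reach["pi"])
    if missing:
        problems.append(f"cannot reach pi: {sorted(missing)}")
    extra = set(reach["synology"]) - {"pi"}
    if extra:
        problems.append(f"can reach synology besides pi: {sorted(extra)}")
    if "pi" not in reach["synology"]:
        problems.append("pi cannot reach synology")
    return problems


if __name__ == "__main__":
    for dst, srcs in reachability(POLICY, HOSTS).items():
        print(f"{dst:9} <- {srcs}")
    print("violations:", violations(POLICY, HOSTS) or "none")
```

Under this model both goals hold, and the matrix also shows that the rules are directional: nothing in the policy lets pi open connections to device1 or device2.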