Create ACL to only allow Synology to communicate to one device

Hi there!
I’d like to set up an ACL that only allows one computer (a Pi) to communicate with my Synology NAS over the Tailscale VPN.

I think if I lay it out this way, it’s easier to understand:

  • Raspberry Pi can be communicated to by all devices
  • Synology can only be communicated to by the Raspberry Pi

Is this possible? Could someone explain how to set this up if so?

Thank you!

I’ve come up with this.

  "acls": [
    // all users can access each other and pi
      "action": "accept",
      "users": [device1","device2"],
      "ports": ["device1:*","device2:*","pi:*"],
    // synology and pi can acess each other
      "action": "accept",
      "users": ["pi","synology"],
      "ports": ["pi:*","synology:*"],
  // Readable shorthands for devices and networks.
  "hosts": {
	"device1": "x",
	"device2": "x",
	"pi": "x", // placeholder
	"synology": "x",

The current issue is that in the Rule Preview, it only hows the first rule (“All users can acess each other and pi”)
How can I get the second rule to be acknowleged?