Help filtering routes access

Hi! I’ve been a Tailscale user for quite a few months now. It’s been working flawlessly so far; however, I’m in need of a spin-off of what I was using Tailscale for.

I’m using the personal plan, 1 user – multiple devices.
So, I have a Raspberry Pi advertising some intranet routes (172.168.0.0/16) to every device connected within the account; I want to specify which device gets the intranet routes and which doesn’t.

For example, I’ve 5 devices connected:
My_Phone - (172.168.0.0/16)
User1_Tablet - Regular use
User2_Phone - (172.168.0.0/16)
User3_Phone - Regular use
User4_PC - Regular use

I want My_Phone and User2_Phone to have access to the advertised routes only (172.168.0.0/16).

I’ve tried using ACLs, but once I allow the route’s CIDR it just allows access to it from any device connected to the Tailscale account…

Appreciate any advice, thanks.

The default ACL has a rule that allows everything to access everything else, so the first thing you need to do is replace that with a set of rules that grants whatever access you want between your other existing devices. After that you’ll need to add the following items to the “Hosts” and “ACLs” sections:

{
  "Hosts": {
    "My_Phone": "<IP>",
    "User2_Phone": "<IP>",
  },
  "ACLs": [
    { "Action": "accept", "Users": ["My_Phone", "User2_Phone"], "Ports": ["172.168.0.0/16:*"] },
  ],
}

Note: This gets easier if the clients you are using have the tagging feature enabled, which is currently only the Linux client. Then you can tag the clients you want to have access with a particular tag and replace the list of hosts in the ACL with just the tag.
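A complete policy that puts the reply together, as an added example (it is not the poster's own config and not taken from Tailscale's documentation). It uses the same older "Hosts" / "ACLs" / "TagOwners" policy format as the reply, in HuJSON, so comments and trailing commas are allowed. The Tailscale IPs, the account e-mail and the tag name tag:intranet are constructed placeholders; the 100.64.0.0/10 range is the CGNAT block Tailscale assigns its IPv4 addresses from, used here on the assumption that "regular use" means reaching the other devices' Tailscale addresses but not the Pi's advertised subnet.

```json
{
  // The default rule being replaced. A "*:*" destination also matches the
  // 172.168.0.0/16 route the Pi advertises, which is why every device could reach it:
  //   "ACLs": [ { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] } ],

  // Only the listed account may apply the tag to a (Linux) client. Placeholder e-mail.
  "TagOwners": {
    "tag:intranet": ["you@example.com"],
  },

  // Constructed example Tailscale IPs; replace with the real ones from the admin console.
  "Hosts": {
    "My_Phone":    "100.64.0.11",
    "User2_Phone": "100.64.0.12",
    "Raspberry_Pi": "100.64.0.2",
  },

  "ACLs": [
    // Rule 1 ("regular use"): every device may reach every other device's own
    // Tailscale IPv4 address. The destination is deliberately the tailnet address
    // block rather than "*", so this rule does not match the advertised subnet.
    { "Action": "accept", "Users": ["*"], "Ports": ["100.64.0.0/10:*"] },

    // Rule 2: only the two named hosts may reach the subnet routed through the Pi.
    { "Action": "accept", "Users": ["My_Phone", "User2_Phone"], "Ports": ["172.168.0.0/16:*"] },

    // Tag-based alternative to rule 2, once the chosen clients carry tag:intranet;
    // it replaces the host list so new devices only need the tag, not an ACL edit:
    //   { "Action": "accept", "Users": ["tag:intranet"], "Ports": ["172.168.0.0/16:*"] },
  ],
}
```

Rule 1 is the part that does the restricting: narrowing the destination from `*` to the tailnet's own address range is what keeps the subnet route out of the "everyone" rule, and rule 2 then grants it only to the two hosts. If devices also talk to each other over their Tailscale IPv6 addresses, rule 1 needs a second entry for that range as well (assumption: whichever IPv6 prefix the admin console shows for the tailnet), otherwise the policy silently blocks IPv6 tailnet traffic.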