Single IP proxmox server tailscale guests issues

Tailscale version: 1.34.0
Your operating system & version: Debian 11
Proxmox version: 7.3

I am managing a cloud server with a single public IP address for the host and the guests.
Guest access to the internet is enable through nat configuration on the host.
To avoid having to block several ports on the host I applied the rules suggested in the following article: Use UFW to lock down an Ubuntu server · Tailscale. It works perfectly well for the host but not for the guests running their own tailscale client.
How should I configure the network in order to secure the server exposed to the internet without hampering the access to the guests?

Here is the network configuration on the host (proxmox) server:

### LOOPBACK ###
auto lo
iface lo inet loopback
iface lo inet6 loopback

### IPv4 ###
# Main IPv4 from Host
auto enp0s31f6
iface enp0s31f6 inet manual

### VM-Bridge used by Proxmox
auto vmbr0
iface vmbr0 inet static
  address a.b.c.d
  gateway v.w.x.y
  hwaddress aa:bb:cc:dd:ee
  bridge_ports enp0s31f6
  bridge_stp off
  bridge_fd 0

### Private NAT used by Proxmox
auto vmbr1
iface vmbr1 inet static
  address  192.168.20.1
  netmask  255.255.255.0
  bridge_ports none
  bridge_stp off
  bridge_fd 0

  post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
  post-up   iptables -t nat -A POSTROUTING -s '192.168.20.0/24' -o vmbr0 -j MASQUERADE
  post-down iptables -t nat -D POSTROUTING -s '192.168.20.0/24' -o vmbr0 -j MASQUERADE

  post-up   iptables -t nat -A PREROUTING  -i  vmbr0 -p tcp --dport 3333 -j DNAT --to 192.168.20.200:3333
  post-down iptables -t nat -D PREROUTING  -i  vmbr0 -p tcp --dport 3333 -j DNAT --to 192.168.20.200:3333

source /etc/network/interfaces.d/*

Thank you for your help and support.

Denis