I have multiple networks that are structured in the same manner, and currently I use separate Tailscale accounts to manage them. I would like to use the same account and use ACLs to separate them now.
Each network has a router device that enables access to a subnet (10.0.1.0/24). Users in this network can access the subnet.
With my current knowledge I have no problem creating an ACL where I use groups and tags to separate these networks, like so:
```json
{
  "groups": {
    "group:network-a": [
      "network-a-router",
      "network-a-u2",
      "network-a-u3"
    ],
    "group:network-b": [
      "network-b-router",
      "network-b-u2",
      "network-b-u3"
    ]
  },
  "tagOwners": {
    "tag:network-a": ["group:network-a"],
    "tag:network-b": ["group:network-b"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["tag:network-a"],
      "dst": ["tag:network-a:*"]
    },
    {
      "action": "accept",
      "src": ["tag:network-b"],
      "dst": ["tag:network-b:*"]
    },
    {
      "action": "accept",
      "src": ["group:network-a"],
      "dst": [
        "tag:network-a:*", "10.0.1.0/24:*"
      ]
    }
  ]
}
```
The problem is that network B advertises the same subnet as well, and I want it to be available to network B devices only. Is this possible?
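As an added illustration (not part of the question and not Tailscale's own code), here is a minimal evaluator of the posted policy. It matches only user/group sources and IP/CIDR destinations (tag sources and tag destinations are simplified away), and shows that group B currently gets no access to the subnet, while the obvious mirrored rule for B matches the same bare `10.0.1.0/24` destination: the dst selector names only the prefix, not the router that advertises it. The device names in the groups are treated as plain principals, as in the post.

```python
import ipaddress
import json

# The ACL policy from the post, embedded here as constructed input (trailing commas removed).
POLICY = json.loads("""
{
  "groups": {
    "group:network-a": ["network-a-router", "network-a-u2", "network-a-u3"],
    "group:network-b": ["network-b-router", "network-b-u2", "network-b-u3"]
  },
  "acls": [
    {"action": "accept", "src": ["tag:network-a"], "dst": ["tag:network-a:*"]},
    {"action": "accept", "src": ["tag:network-b"], "dst": ["tag:network-b:*"]},
    {"action": "accept", "src": ["group:network-a"], "dst": ["tag:network-a:*", "10.0.1.0/24:*"]}
  ]
}
""")

def src_matches(selector, principal, policy):
    """A src entry matches a principal by name or via group membership (tag sources not modelled)."""
    if selector.startswith("group:"):
        return principal in policy["groups"].get(selector, [])
    return selector == principal

def dst_matches(selector, dst_ip):
    """Match the IP/CIDR part of a 'host:port' dst entry; tag: destinations carry no IP here."""
    host, _, _ = selector.rpartition(":")
    try:
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(host, strict=False)
    except ValueError:
        return False

def allowed(principal, dst_ip, policy=POLICY):
    """True if any accept rule has a src matching the principal and a dst covering dst_ip."""
    return any(
        any(src_matches(s, principal, policy) for s in rule["src"])
        and any(dst_matches(d, dst_ip) for d in rule["dst"])
        for rule in policy["acls"] if rule["action"] == "accept"
    )

def with_symmetric_rule_for_b(policy=POLICY):
    """Policy plus the obvious mirror rule for network B. Its dst is the same bare prefix,
    so both groups now match the same IP; nothing in the dst syntax names which router."""
    copy = json.loads(json.dumps(policy))
    copy["acls"].append({"action": "accept", "src": ["group:network-b"],
                         "dst": ["tag:network-b:*", "10.0.1.0/24:*"]})
    return copy
```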