Keeping these kinds of management devices off the Internet seems prudent. But how do you do that and still get Tailscale to work? Assign the device to a separate VLAN that is restricted to only talk to Tailscale? Otherwise, if the device is on your regular network, it will still be connected to the Internet.
Use Tailscale subnet routing.
Untrusted devices can sit on a separate VLAN or be WAN-blocked; you can still reach them internally, and from any other device on Tailscale. You just need to expose the subnet via Tailscale subnet routing.
Yes, that is how you arrange for the device to be reached through Tailscale.
What I was wondering was: in order to get the device to talk to Tailscale so you can reach it, you need to give it access to the Internet to reach Tailscale. But now I understand your answer: let the device sit somewhere in an enclosed network and then, through another trusted Tailscale node, route any traffic to it using subnet routing. Thanks!
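One caveat the thread does not spell out: once a subnet route is approved, Tailscale's default allow-all policy lets every node on the tailnet reach the whole management VLAN, so the ACL policy is what keeps the isolation meaningful. The policy below is an added example, not something posted in the thread or shipped by Tailscale; the 192.168.50.0/24 subnet, the group, tag and user names are all constructed.

```jsonc
// Tailscale ACL policy (HuJSON) for a WAN-blocked management VLAN that is
// reached only through a trusted subnet router.
// Assumptions (constructed for this example, not from the thread):
//   - the management VLAN is 192.168.50.0/24 and has no route to the WAN
//   - the trusted router node was set up with
//       sudo sysctl -w net.ipv4.ip_forward=1
//       sudo tailscale up --advertise-routes=192.168.50.0/24 --advertise-tags=tag:mgmt-router
//   - administrators are the members of group:admins
{
  "groups": {
    "group:admins": ["alice@example.com"],
  },
  "tagOwners": {
    // Only admins may apply the router tag to a node.
    "tag:mgmt-router": ["group:admins"],
  },
  "autoApprovers": {
    "routes": {
      // Only a node carrying the router tag gets this route approved
      // automatically; anything else advertising it waits for manual review.
      "192.168.50.0/24": ["tag:mgmt-router"],
    },
  },
  // ACLs are default-deny: any flow not matched below is dropped,
  // which replaces the stock "src": ["*"], "dst": ["*:*"] rule.
  "acls": [
    // Admins reach the management devices, and only on the web UI and SSH
    // ports rather than every port on the subnet.
    {
      "action": "accept",
      "src": ["group:admins"],
      "dst": ["192.168.50.0/24:443,22"],
    },
    // Ordinary members keep access to their own devices; the management
    // subnet is not in any dst they can reach.
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self:*"],
    },
  ],
}
```

After applying the policy, `tailscale status` on the router should show the route as advertised and approved, and a non-admin node should fail to connect to 192.168.50.x while an admin node succeeds on ports 443 and 22 only.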