This doesn’t exactly match your goals, but you may be able to adapt it or take pieces from it.
I have containers running on two subnets:
- LAN + Tailscale
- LAN only
Subnet 1 has a DNS server, which resolves all of my services to IPs on either subnet.
I have Tailscale set up on a machine as a subnet router (directing to Subnet 1).
Result:
- When local, I can access all services on the LAN with local DNS entries, both Subnet 1 and 2.
- When remote via Tailscale, I can access all services on Subnet 1 with the same local DNS entries. I cannot access services on Subnet 2.
This is nice because my apps don’t care which network I’m on, they just use the same URL to connect. And the sensitive stuff (usually management tools) are not accessible remotely.
It’s also ridiculously simple: Only one Tailscale service is running at home.
This does not solve your issue of broadcasting vs not broadcasting, though. There’s probably other things missing as well. But maybe it’s a start?
I wonder if they are preparing to stop using it. That could be a benign reason for the change in wording.