Forward port from 'guest' network to lan network

[Image: Internet setup]

Currently I have a network configuration as seen in the image. Basically I have separated my LAN into two: 'lan', which contains my ethernet interfaces plus one of my virtual hotspots. Hosts in that zone can actually communicate with other devices on the LAN. At the same time I also have a Guest zone which contains only a single wifi interface, my "guest only" hotspot. Hosts in it get a separate range of IP addresses and only have access to the internet; they can't access other LAN hosts (except other guests). This is all working fine and dandy.

However, I now have a slightly different use case: I would like to be able to forward one port from a specific guest IP to the lan network, such that other LAN hosts can access that particular service on the guest host, but without allowing the guest host to initiate any connections to the LAN. So I thought I just had to create a port forward where the external zone would be "lan", the internal one "guest" and the internal host the guest host. However, for external zones I only have 'GUEST', 'INTERNET', 'vpn' and 'wan'.

Any ideas how to achieve this would be much appreciated!

If you want your LAN to be able to access one IP address in the guest network then I think it may be enough with a traffic rule.

A port forward is mostly needed when there is a NAT/masquerading between the networks.

BTW why do you allow the internet and WAN zones to access your LAN as seen in the zone configuration?

So a traffic rule would be something like SNAT/DNAT, or? As for your other question: I thought this was needed in order to have proper internet. The only thing I use the 'wan' interface for is to allow the 'nbis' interface in the INTERNET zone to connect to the PPPoE concentrator. I guess I could experiment with tightening things down.

Port forwards are DNAT/SNAT. But traffic rules don't translate the traffic using DNAT/SNAT. You use traffic rules as a complement (or alternative) to the zone and zone forwarding configurations when you want more fine-grained rules.

Regarding WAN, the default is to not allow forwarding from WAN to any zone. When you allow LAN to WAN forwarding then the responses from WAN will also be allowed since the firewall is stateful.
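A worked /etc/config/firewall fragment for the traffic-rule approach the replies describe, as an added example that is not from this thread or the OpenWrt project. The zone names 'lan' and 'GUEST', the guest host address 192.168.2.50 and the service port 8080/tcp are assumptions.

```uci
# /etc/config/firewall fragment (added example; names and addresses are assumed).
# Zones 'lan' and 'GUEST' are taken from the thread; 192.168.2.50 and 8080/tcp
# are constructed placeholders for the guest host and its service.

# Guest hosts keep their existing internet-only forwarding; there is
# deliberately no 'config forwarding' from GUEST to lan.
config forwarding
	option src 'GUEST'
	option dest 'INTERNET'

# Traffic rule: LAN hosts may open TCP/8080 to exactly one guest host.
# lan and GUEST are directly routed with no masquerading between them,
# so no DNAT/SNAT (port forward) is needed; a plain ACCEPT in the
# forward path is enough.
config rule
	option name 'lan-to-guest-service'
	option src 'lan'
	option dest 'GUEST'
	option proto 'tcp'
	option dest_ip '192.168.2.50'
	option dest_port '8080'
	option target 'ACCEPT'

# Nothing is added in the GUEST -> lan direction. With the GUEST zone's
# forward policy left at REJECT, the guest host still cannot initiate
# connections to the LAN; only replies to LAN-initiated connections on
# 8080 pass, because the firewall is stateful (conntrack).

# Tightening WAN as suggested above: remove any 'config forwarding' whose
# src is 'wan' or 'INTERNET' and dest is 'lan'. LAN -> WAN still works,
# since the responses to LAN-initiated traffic are matched as established.
```

Check the result with `fw4 print` (or `fw3 print` on older releases) and confirm that the only GUEST-related ACCEPT in the forward chain is the one matching 192.168.2.50:8080.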