Lan VLAN access to Raspberry Pi Server on a separate VLAN

This is my first time writing on this forum.
Like a lot of you I wanted to separate my networks using VLANs so I ended up with 3 VLANs:

Default VLAN1 (LAN + WLAN) - trusted (client isolation disabled)
Guest VLAN3 (WLAN) - untrusted (client isolation enabled)
IoT VLAN6 (LAN + WLAN) - untrusted (client isolation disabled)

My idea is that the untrusted VLANs can not access the trusted 'lan' network but the 'lan' can access a HomeAssistant IoT device managment server on the 'iot' VLAN.

With this setup it appears to me that the separation is working as I can not ping devices connected to the 'lan' VLAN from devices connected to the 'guest' or 'iot' VLANs. Nor can 'guest' VLAN connected devices ping 'iot' VLAN connected devices, nor can 'lan' VLAN connected devices ping 'guest' devices.

However 'lan' devices can ping 'iot' devices because of the lan -> iot forwarding zone rule.
Thus I am able to load the HomeAssistant home page from a 'lan' device by ip and port ( e.g.)
From within the 'iot' network I can access the server by the address name issued from DuckDNS ( e.g.)
I can not access the server from within the 'lan' VLAN with the address!

Here are two topics I thought are the same as mine:

In them @lleachii provided the solution to add a port forward rule to /etc/config/network:

config redirect
option target 'DNAT'
option src 'wan'
option proto 'tcp'
option src_dport '80'
option dest_port '80'
option src_ip ''
option dest 'lan'
option dest_ip ''
option name 'REDIRECT_HTTP_LAN'

Sad to say this did not work for me so I decided to look for help here.

I am happy to provide further info.

P.S. I am using screenshots as I find them more intuitive for a novice like me and I think it would help others get around easier.

Don't complicate things. Create a hostname under Network/Hostnames in Luci and assign there the duckdns name and the IP of the iot server.

1 Like

Thanks for the quick reply.
This works:

However now I have to specify the port after the address, like:

And this makes an entirely different url and if I want to make a shortcut on my smartphone with it I have to have 2 shortcuts, one for the local network and one for WAN access.

Then fix the forward you have for Assistant SSL to use sdport 8123 instead of 443.

Ok. So that way I am able to access the server using the same url from everywhere (Lan VLAN, WAN and IoT VLAN).

The rule becomes:

I am greatful for your answer @trendy, just out of curiosity, what should I do if I don't want to use a port int the url, like that? Also is this a more secure approach compared to the port forwarding rule that @lleachii suggests?

I can see that by using this method, when testing my ports with, port 443 is closed.

Then you'll need 2 fowards from 443 to 8123, one from wan to iot and another from lan to iot.

They are the same. There is no security through obscurity.

Awsome, thanks for the help and insight! I will mark your first reply as the answer!
I have another question related to this setup but I don't know if I should continue this thread with it?
Also I checked your profile and saw your github repo is NimaAra.. Is this you ?

Nope, I actually don't have github. :smiley:

Ahaha ok. Sorry.
Can I ask you another thing I am thinking about or should I open another topic?
If a smart TV on the IoT VLAN has to access a NAS on the trusted VLAN, can it be done with just a rule?

Yes, a firewall rule is enough.

Is it enough without a zone forwarding like IoT -> Lan?

Zone forwarding will allow all iot zone to access lan.
You want only one IP, so a rule will do.

1 Like

Please don't hijack others' threads. You can mention some user with the @ before their username. Moreover the answers you got from eduperez and mk24 should cover you and I don't have more to add.

sorry i will delete it, i don't see the solution to use my secondary lan☹️

@trendy, thanks for all the help! I would like to ask you some more things but I would prefer to do it somewhere else not to cluter this topic. I don't see how I can direct message you in this forum. Could you provide some contact info (it's fine if you don't want to though).

Then it is better to start a new topic.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.