My idea is that the untrusted VLANs can not access the trusted 'lan' network but the 'lan' can access a HomeAssistant IoT device managment server on the 'iot' VLAN.
So..
With this setup it appears to me that the separation is working as I can not ping devices connected to the 'lan' VLAN from devices connected to the 'guest' or 'iot' VLANs. Nor can 'guest' VLAN connected devices ping 'iot' VLAN connected devices, nor can 'lan' VLAN connected devices ping 'guest' devices.
However 'lan' devices can ping 'iot' devices because of the lan -> iot forwarding zone rule.
Thus I am able to load the HomeAssistant home page from a 'lan' device by ip and port (192.168.6.100:8123 e.g.)
From within the 'iot' network I can access the server by the address name issued from DuckDNS (https://myhomeiot.duckdns.org e.g.) I can not access the server from within the 'lan' VLAN with the address https://myhomeiot.duckdns.org!
Here are two topics I thought are the same as mine:
In them @lleachii provided the solution to add a port forward rule to /etc/config/network:
config redirect
option target 'DNAT'
option src 'wan'
option proto 'tcp'
option src_dport '80'
option dest_port '80'
option src_ip '192.168.1.0/24'
option dest 'lan'
option dest_ip '192.168.y.xxx'
option name 'REDIRECT_HTTP_LAN'
Sad to say this did not work for me so I decided to look for help here.
I am happy to provide further info.
P.S. I am using screenshots as I find them more intuitive for a novice like me and I think it would help others get around easier.
However now I have to specify the port after the address, like: https://myhomeiot.duckdns.org:8123
And this makes an entirely different url and if I want to make a shortcut on my smartphone with it I have to have 2 shortcuts, one for the local network and one for WAN access.
I am greatful for your answer @trendy, just out of curiosity, what should I do if I don't want to use a port int the url, like that? Also is this a more secure approach compared to the port forwarding rule that @lleachii suggests?
I can see that by using this method, when testing my ports with https://www.grc.com/, port 443 is closed.
Awsome, thanks for the help and insight! I will mark your first reply as the answer!
I have another question related to this setup but I don't know if I should continue this thread with it?
Also I checked your profile and saw your github repo is NimaAra.. Is this you https://www.nimaara.com/ ?
Ahaha ok. Sorry.
Can I ask you another thing I am thinking about or should I open another topic?
If a smart TV on the IoT VLAN has to access a NAS on the trusted VLAN, can it be done with just a rule?
Please don't hijack others' threads. You can mention some user with the @ before their username. Moreover the answers you got from eduperez and mk24 should cover you and I don't have more to add.
@trendy, thanks for all the help! I would like to ask you some more things but I would prefer to do it somewhere else not to cluter this topic. I don't see how I can direct message you in this forum. Could you provide some contact info (it's fine if you don't want to though).
