Route between VLANs?

My OpenWRT router has a VLAN with VID 10, the interface is unmanaged and connected via Wifi to a PfSense installation that has the same VLAN. Now I have a new requirement: I want to connect a NAS to my OpenWRT router via the physical ports. Traffic shall flow directly from VLAN with VID 10 to the NAS - not via PfSense -, however I want to be able to filter the traffic going there (block access to some management ports / tools on the NAS). Is that possible and if yes, how?

Currently:
VID 10 ---> pfSense

Expected:

VID 10 ---> pfSense
      \
       \ NAS-Server, but only specific ports shall be allowed

Not really the way you describe it.

You could put the NAS on a different VLAN, and the OpenWrt router could handle the routing for that new network. The pfsense system will need a static route installed to enable this (or you'll have to set the static route on each of your hosts individually).

Thanks, a new VLAN wouldn't be an issue for me. Would I also be able to place a firewall on OpenWRT between the two VLANs to allow only access to specific ports of the NAS?

Yes. But, is there a reason you don't want to do this on the pfsense box? Generally speaking, it would be more efficient to set up the VLAN and firewall rules on the pfsense system instead of having routing happening in different places (that said, it's a cool thing to learn how to do).
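
An added example, not part of any post in this thread: an `/etc/config/firewall` fragment for the OpenWrt router that puts the NAS in its own zone and lets VLAN 10 reach only selected ports. Everything named here is an assumption: an existing firewall zone called `vlan10`, an interface called `nas` defined in `/etc/config/network` for the new VLAN, the constructed NAS address 192.168.20.10, and SMB (445) and NFS (2049) as the permitted services.

```uci
# Assumed: 'config defaults' keeps OpenWrt's stock 'option forward REJECT'.

# Zone for the new NAS VLAN. The NAS is assumed to use a static address,
# so it needs no DHCP/DNS from the router and input can be rejected.
config zone
	option name 'nas'
	list network 'nas'            # hypothetical interface name
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Deliberately no 'config forwarding' section between 'vlan10' and 'nas':
# a forwarding section would open every port. Only the rules below pass
# traffic, so the NAS management interfaces stay unreachable from VLAN 10,
# and the NAS cannot open connections into VLAN 10 either.

config rule
	option name 'vlan10-to-nas-smb'
	option src 'vlan10'           # hypothetical existing zone name
	option dest 'nas'
	option dest_ip '192.168.20.10'  # constructed NAS address
	option proto 'tcp'
	option dest_port '445'
	option target 'ACCEPT'

config rule
	option name 'vlan10-to-nas-nfs'
	option src 'vlan10'
	option dest 'nas'
	option dest_ip '192.168.20.10'
	option proto 'tcp'
	option dest_port '2049'
	option target 'ACCEPT'
```

Reply packets for the allowed connections are passed by connection tracking, so no rule in the reverse direction is needed.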

Well, the pfSense is only connected to my OpenWRT router via Wifi, while the NAS is connected to the OpenWRT router via LAN. For performance reasons I don't want the NAS traffic to go over the Wifi. Maybe that will be my temporary setup until I learn how to do it via OpenWRT directly :wink:

I'm trying to figure out your topology... can you draw a more complete diagram of your network and then also post your configs... I'm trying to understand your network with sufficient detail to be able to recommend the best solution.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks for your interest! I don't have the NAS yet and just wanted to know if it is possible. Will get back to you once my NAS is ready :slight_smile: