Two networks, one server

So I've been trying several of the guides here and can't seem to get my system to do the one last thing I want. If anyone can point out where I'm screwing things up, I'd appreciate it.

Right now, I have a single AP router setup with two separated wifi networks. To be clear, I have the following firewall zones:

wan - IP assigned via DHCP from provider, standard NAT setup.
lan - is on radio0 with an AP name of "home", forwards to wan and iot
iot - is also on radio0 with an AP name of "iot", forwards to wan
eth0 - bridged with lan, all physical ports are on lan (for now)

Lan is set up with 192.168.0.X, iot is set up with 192.168.8.X, all devices get IPs and are able to get out to the internet. I even have a couple of ports forwarded in, which works just fine. Now comes the hard part.

I have one machine that I want to be accessible from both networks. I don't really care how that happens, I just want a few ports from this device (which is using a physical port) to be able to be seen by both networks. It's the same machine that has ports forwarded to it from outside as well, and it's currently living in the lan network as

I've tried:

  • Making a firewall traffic rule (ports and 'any').
  • Making a firewall port forwarding rule (same)
  • Setting the zones to forward (separately and both to each other).
  • Making a DNAT forwarding rule to "mirror" the device at
  • Bridging the networks together.
  • Routing through the router via port forwarding targeting

None of it has gotten me a single ping or connection across the networks, which baffles me.

I've seen (just as I'm getting ready to head to bed) some talk about using VLAN switches to set up a DMZ, but the wording on that looks really confusing right now. It's been ages since I used iptables and such to manually configure firewalls... I'm not a stranger to it, just very rusty.

My main goal is to have these two networks effectively "separated", both have internet access, and have one device in the 'lan' group be reachable by 'iot' on at least a couple of ports. I've gotten everything but that last bit, and it's killing me that I can't figure out how to do it.


You just need to add a firewall rule on the router that allows traffic from one network to the specific device on the other. If that fails, I would try to debug the issue.

Remember to open the firewall on the server, as it will receive connections from an "external" network. Then use "tcpdump" to see if the packets are entering and leaving the proper interfaces.

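As an added example (not from the reply above and not the original poster's actual configuration), this is what that single rule looks like in OpenWrt's /etc/config/firewall UCI syntax, using the zone names from the first post. The iot zone and its forwarding to wan are shown for context; the server address 192.168.0.10, the interface name 'iot', and ports 80 and 443 are assumed placeholders, not values from the thread.

```uci
# Assumed: the iot network interface is also named 'iot'.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# iot may reach the internet, nothing else by default.
config forwarding
	option src 'iot'
	option dest 'wan'

# Deliberately NO "config forwarding" from iot to lan: that would open
# every lan host. The single exception below is scoped to one host and
# two ports (both placeholders).
config rule
	option name 'Allow-iot-to-server-web'
	option src 'iot'
	option dest 'lan'
	option dest_ip '192.168.0.10'
	option dest_port '80 443'
	option proto 'tcp'
	option target 'ACCEPT'
```

Apply it with `/etc/init.d/firewall restart`, then, while connecting from an iot client, run `tcpdump -ni br-lan host 192.168.0.10 and tcp port 80` on the router to confirm packets leave towards the server and replies come back. Two things to check if it still fails: the server's own firewall must accept connections from 192.168.8.0/24, not just from its own subnet, and iot clients have to address the server by its 192.168.0.x IP, because broadcast and mDNS discovery do not cross the two subnets.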

I get that. I tried all of that above. I guess my problem is it appears there are several ways to do this, and I tried five different ways, including several documented here on the forum and on the wiki, and none worked. I did poke around with wireshark though, and found that some of the rules were working, but not all of them. (One-way traffic, which for TCP isn't very useful.)

I did finally stumble on the reason. Apparently my hardware (TP-Link 300) doesn't like having the virtual switch enabled, and/or having the physical lan ports separated. It not only doesn't honor the separation, but causes any rules that reference lan.1 to simply not work. Once I disabled the local switch, the firewall rules all reverted to "lan", and started working. This of course means that all my isolated lan items must be wifi, but for now that works for me.

I'm probably going to (long term) grab a better router/switch to replace this one with one that lets me split the lan up for wired DMZ devices. But for now, it's working. Thanks for the reply!