Routing traffic between VLAN's (when they are NAT'ed)

[tescophil]

Hi,

Simple question, how do I route specific traffic between VLAN's when they are NAT'ed ?

I have 1 incoming WAN connection (not NAT'ed) and 4 VLANS (which are NAT'ed).

This means that each VLAN is isolated from all the others, they cannot see each other, and no traffic can pass between them.

OK, so now I'm playing around with a new WiFi Controller (TP-Link OC200) that controls 4 WiFi AP's around my house, and I want to use them to implement a guest WiFi portal with a voucher code system. This is very simple to setup. However..., the controller sits on my untagged VLAN and the Guest network is on a different VLAN. When attempting to sign into the network, the WiFi AP redirects the user to the portal login page on the OC200 which is on a different VLAN.., which it cannot see.

So, my questions is how do I redirect the request from my guest VLAN to the OC200 device on my untagged VLAN ?

(or is there a better way to do this all together...?)

Thanks.

[tescophil]

So, I'm going to answer the 'is there a better way to do this all together...?' part of my question.

Changed my NAT setup so now the WAN interface is NAT'ed and the local internal interfaces are not.

Setup a firewall rule to block any traffic with a source and destination interface of 'Any non-WAN', this maintains my network separation as before.(or does it ?, TCP and UDP I think...?)

Added another firewall rule (above the 1st) to allow traffic from my guest network to the OC200 WiFi controller on the main network.

Hey presto, everything works.

So, is this an 'Acceptable' solution, or is there a better way to do it ?

[jcoffin]

So, is this an 'Acceptable' solution, or is there a better way to do it ?

This is the easiest solution. There are several ways to do this.

[soldier]

I use Filter Rules for that because as far as I understood Firewall rule only manages TCP and UDP traffic which could be enough in some cases (or most of them).

[sky-knight]

I'm not a huge fan of using NAT as a firewall... that's not its intended purpose and it tends to create difficult to troubleshoot issues down the road.

I use Filter Rules to control protocols that aren't TCP and UDP, then use the firewall app to control TCP and UDP. That way I have the controls I need, but I also have logs.