I have set up ROS with VLANs and restricted it so that there is no inter-VLAN routing and so that the management VLAN is not reachable from the other VLANs (management is only possible by wired connection to a physical Ethernet port designated for management).
If I follow the instructions for installing Back to Home (Android app), then the app finds my user VLAN 80 on my WiFi as it is supposed to do, because the phone is on VLAN 80.
The app then asks for the router's admin user and password, but this leads to nothing, because nothing on VLAN 80 can do management on the router.
Any ideas on how to proceed?
Basically I just want two things: the BTH client must be able to reach VLAN 80, and the BTH client must be able to go to the internet.
I have not seen any guides for BTH in a VLAN setup, but please direct me in the right direction if one exists.
One idea was to temporarily grant VLAN 80 management rights in order to let the BTH setup run, and then remove the management rights again.
Honestly, I have not played around with this much yet, as the router is running in production in our flat, and my wife and kids expect a high degree of availability (daddy, please do not mess around with the internet).
So I would like to get as much good advice from the forum as possible before claiming a maintenance window from the family users.
IP routing and VPN are not related to VLAN configuration.
When you want specific access to a VLAN, it is your own task to make that work by having the proper firewall rules, both for filter and NAT (dst-nat).
It is not a usual configuration to have the phone connected to your local network and then run the BTH client to reach the router. You would normally use it when you are somewhere else, e.g. via the 4G/5G network.
Concur, too much missing information.
A network diagram would help. BTH is not for local access (aka wired or WiFi to the router). It is for remote access (like at a coffee shop/hotel/out and about Xmas shopping etc.) when you need to reach back to the router to see something on the LAN, or because for some reason you don't trust or have access to cellular, or you are using someone else's WiFi!
Please clarify your use of BTH.
Also, to comment on your BTH setup, we would need to see the config:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, DHCP lease lists)
And snapshots of your IP Cloud BTH Users and BTH Files.
Finally please confirm you have public IP from your ISP.
At a high level, you need to block (drop or ICMP reject) the BTH default LAN 192.168.216.0/24 from the VLANs you don't want it to access. BTH does not allow you to change the allowed addresses (which would be the alternative for normal WireGuard), so it's firewall only. You should be able to mimic the existing inter-VLAN firewall rules, but using the IP subnet instead of an interface.
Now if you want more help than a quick suggestion, include your config etc. (as shown above); otherwise our resident WG/BTH expert @anav (and others) will not look at it. And also why:
please confirm you have public IP from your ISP.
is important: you can use allowed addresses if it's normal WireGuard, and you don't strictly need BTH if you have a public IP already.
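As an added illustration of the firewall-only approach described in the last two replies (filtering the BTH client subnet by IP address rather than by interface, so that BTH clients reach only VLAN 80 and the internet), here is a RouterOS rule set. This is example code written for this thread, not configuration from any of the posters or from MikroTik. It assumes the BTH default client subnet 192.168.216.0/24 quoted above, a user VLAN 80 subnet of 192.168.80.0/24, and a WAN interface list named "WAN"; adjust those to your own network.

```routeros
# Added example (not from the thread): firewall rules for Back to Home clients.
# Assumptions (adjust to your setup):
#   - BTH default client subnet 192.168.216.0/24 (as quoted in the thread)
#   - user VLAN 80 uses 192.168.80.0/24 (assumed)
#   - WAN-facing interfaces are in an interface list named "WAN" (assumed)
#   - your existing inter-VLAN drop rules sit at the end of the forward chain;
#     the accept rules below must be moved above them after adding

/ip firewall filter
# Return traffic (VLAN 80 -> BTH client, internet -> BTH client) is usually
# covered by an existing established/related rule; skip this if you have one
add chain=forward connection-state=established,related action=accept \
    comment="allow established/related (skip if already present)"
# BTH clients may reach the user VLAN 80
add chain=forward src-address=192.168.216.0/24 dst-address=192.168.80.0/24 \
    action=accept comment="BTH -> VLAN 80"
# BTH clients may reach the internet via the WAN interface list
add chain=forward src-address=192.168.216.0/24 out-interface-list=WAN \
    action=accept comment="BTH -> internet"
# Everything else from the BTH subnet (other VLANs, management VLAN) is dropped
add chain=forward src-address=192.168.216.0/24 action=drop \
    comment="BTH -> any other VLAN: drop"
# BTH clients get no management access to the router itself (input chain);
# keep DNS if the BTH clients use the router as their resolver
add chain=input src-address=192.168.216.0/24 protocol=udp dst-port=53 \
    action=accept comment="BTH -> router DNS (optional)"
add chain=input src-address=192.168.216.0/24 action=drop \
    comment="BTH -> router management: drop"

# NAT: BTH clients need source NAT to reach the internet; an existing
# masquerade rule on the WAN list normally covers them already
/ip firewall nat
add chain=srcnat src-address=192.168.216.0/24 out-interface-list=WAN \
    action=masquerade comment="BTH -> internet (skip if existing masquerade covers it)"
```

New filter rules are appended at the end of their chain, so after adding them, check the order with /ip firewall filter print and move the BTH accept rules above your existing inter-VLAN drop rules (the drop rules would otherwise match first). The input-chain drop is what keeps a BTH client in the same position as a VLAN 80 device: it can use the router as a resolver but cannot reach WinBox, SSH or the web interface, which stay reachable only from the wired management port as the original post describes.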