Help allowing GuestLAN to Access HomeLAN Services via Domain (Public IP or WAN)

Hello,
I have two subnets:

GuestLAN 10.200.0.0/24 (using VXLAN to connect to the Proxmox in HomeLAN for creating guest VMs)
HomeLAN 192.168.2.0/24

NAT rule for a service on HomeLAN:
chain=dstnat action=dst-nat to-addresses=192.168.2.5 to-ports=7443 protocol=tcp dst-address-type=local dst-address-list=WANaddr dst-port=443

I don’t want to allow connections from GuestLAN to HomeLAN directly, but I want GuestLAN to be able to access some services on HomeLAN through a domain (public IP or WAN). How can I achieve this?

If I use the rule
chain=forward action=drop src-address=10.200.0.0/24 dst-address=192.168.2.0/24
then GuestLAN devices can’t access any service on HomeLAN via the domain.

The exact rule you mentioned is to be used, but with a minor tweak: an added connection-nat-state=!dstnat. This way only resources with a dstnat rule would be accessible from the guest LAN.
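
Why the plain drop rule also blocks access via the domain, and what the added matcher changes, shown as a simplified Python model of the two rules in this thread (an added example, not RouterOS code and not written by either poster). The WAN address 203.0.113.10 and guest host 10.200.0.50 are constructed values, and only this one drop rule is modelled.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

GUEST = ip_network("10.200.0.0/24")
HOME = ip_network("192.168.2.0/24")
WAN_ADDRS = {ip_address("203.0.113.10")}  # constructed stand-in for the WANaddr list


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    dstnat: bool = False  # the state that connection-nat-state=dstnat tests


def prerouting(c):
    """The thread's dstnat rule: WAN address, tcp/443 -> 192.168.2.5:7443."""
    if ip_address(c.dst) in WAN_ADDRS and c.proto == "tcp" and c.dport == 443:
        return replace(c, dst="192.168.2.5", dport=7443, dstnat=True)
    return c


def forward(c, exempt_dstnat):
    """The guest->home drop rule, optionally with connection-nat-state=!dstnat.

    "accept" here only means this rule did not match; later rules still apply.
    """
    hit = ip_address(c.src) in GUEST and ip_address(c.dst) in HOME
    if exempt_dstnat:
        hit = hit and not c.dstnat
    return "drop" if hit else "accept"


def verdict(c, exempt_dstnat):
    c = prerouting(c)  # dstnat is applied before the forward chain
    if ip_address(c.dst) in WAN_ADDRS:
        return "input"  # still addressed to the router itself, never forwarded
    return forward(c, exempt_dstnat)  # forward sees the rewritten destination


VIA_WAN = Conn("10.200.0.50", "203.0.113.10", 443)  # guest uses the domain
DIRECT = Conn("10.200.0.50", "192.168.2.5", 7443)   # guest targets HomeLAN directly

if __name__ == "__main__":
    for name, c in (("via WAN", VIA_WAN), ("direct", DIRECT)):
        print(name, "| plain rule:", verdict(c, False),
              "| with !dstnat:", verdict(c, True))
```

The forward chain sees 192.168.2.5 as the destination after dstnat, which is why the plain rule drops traffic sent to the WAN address too; with the extra matcher, direct connections to 192.168.2.0/24 are still dropped.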