I have two VLANs: my production VLAN (VLAN0, 192.168.1.x) and my public-wifi VLAN (VLAN2, 172.16.1.x). This is done for PCI compliance, so I have "inter-vlan routing" disabled. This way, all guests on VLAN2 have no access to any of our production servers. (I feel this is a common configuration.) On my production VLAN is my webstore (192.168.1.210), which has an Inbound Access Server/Service rule set up to forward incoming http/https traffic (store.mydomain.com:80) to the server (192.168.1.210:80).
When connected to VLAN0 (say 192.168.1.55), you can connect to the webstore (store.mydomain.com) just fine. The Balance detects that the outgoing destination resolves to a WAN IP, so it handles that according to the inbound traffic rules and redirects it to my webstore server (192.168.1.210, also on VLAN0).
However, when connected to VLAN2, a connection to store.mydomain.com does not succeed. I assume this is because it detects that store.mydomain.com resolves to the WAN IP, applies the inbound traffic rules to it, but then ultimately rejects it because a request from 172.16.1.x to 192.168.1.210 is not allowed, according to a strict definition of “inter-vlan routing” disabled.
So my feature request: I would like an exception to be made to the "inter-vlan routing" rule. When inter-vlan routing is disabled, I would like data from one VLAN to another to be allowed when it is forwarded by an Inbound Access Server/Service rule. This way, guests on my public wifi, VLAN2, can connect to my publicly available webstore on VLAN0.
This is also Ticket #747272.
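The behaviour described in the post, modelled as a small packet-policy evaluator. This is an added illustration, not Peplink code and not a description of how the Balance firmware actually implements its rules: it applies the Inbound Access rule first (destination rewrite), then the inter-VLAN check, and it makes the requested exception apply only to flows that were rewritten by an Inbound Access rule. That scoping is the security point for a PCI-segmented network: a guest on VLAN2 reaches 192.168.1.210 only through the public name and the published port, and still cannot address the production host, or any other production port, directly. The WAN address 203.0.113.10, the client addresses and the port-80-only rule are assumptions for the example.

```python
"""Policy model of the behaviour requested in the post (added illustration, not Peplink code).

Order of evaluation, as the post reasons about it: an Inbound Access rule rewrites
the destination first (DNAT), then the inter-VLAN check decides whether the
resulting flow may cross VLANs.  The requested exception is granted only to flows
created by an Inbound Access rule, never to direct VLAN2 -> VLAN0 traffic.
"""
from dataclasses import dataclass, replace
import ipaddress

# Assumed public address of the router's WAN interface (RFC 5737 documentation range).
WAN_IP = "203.0.113.10"

VLANS = {
    "VLAN0": ipaddress.ip_network("192.168.1.0/24"),  # production
    "VLAN2": ipaddress.ip_network("172.16.1.0/24"),   # public wifi
}

# Inbound Access Server/Service rules: (public ip, port, proto) -> (server, port).
# Only the port-80 rule from the post is modelled.
INBOUND_RULES = {
    (WAN_IP, 80, "tcp"): ("192.168.1.210", 80),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def vlan_of(ip: str):
    """Name of the VLAN an address belongs to, or None for non-local addresses."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def apply_inbound_rule(pkt: Packet):
    """Return (packet after DNAT, True) if an Inbound Access rule matched, else (pkt, False)."""
    target = INBOUND_RULES.get((pkt.dst, pkt.dport, pkt.proto))
    if target is None:
        return pkt, False
    server, port = target
    return replace(pkt, dst=server, dport=port), True


def forward_decision(pkt: Packet, via_inbound_rule: bool,
                     inter_vlan_routing: bool, forwarded_flow_exception: bool) -> str:
    """Filter decision taken after DNAT: 'accept' or 'drop'."""
    src_vlan, dst_vlan = vlan_of(pkt.src), vlan_of(pkt.dst)
    if pkt.dst == WAN_IP:
        # Addressed to the router itself and no rule forwarded it: nothing is exposed.
        return "drop"
    if dst_vlan is None:
        # Destination is on the Internet: ordinary outbound traffic, unaffected.
        return "accept"
    if src_vlan == dst_vlan:
        return "accept"  # same VLAN; this is the VLAN0 case that already works
    if inter_vlan_routing:
        return "accept"
    # Inter-VLAN routing disabled.  Without the requested exception every cross-VLAN
    # flow is dropped, which is the symptom in the post; with it, only flows that an
    # Inbound Access rule rewrote are allowed through.
    return "accept" if (forwarded_flow_exception and via_inbound_rule) else "drop"


def route(pkt: Packet, inter_vlan_routing: bool = False,
          forwarded_flow_exception: bool = True):
    """Full path: DNAT, then filter.  Returns (decision, packet as it would be delivered)."""
    rewritten, via_rule = apply_inbound_rule(pkt)
    decision = forward_decision(rewritten, via_rule, inter_vlan_routing, forwarded_flow_exception)
    return decision, rewritten


if __name__ == "__main__":
    cases = [
        ("guest -> store.mydomain.com:80 (today)", Packet("172.16.1.20", WAN_IP, 80), {"forwarded_flow_exception": False}),
        ("guest -> store.mydomain.com:80 (requested)", Packet("172.16.1.20", WAN_IP, 80), {}),
        ("guest -> 192.168.1.210:80 directly", Packet("172.16.1.20", "192.168.1.210", 80), {}),
        ("guest -> 192.168.1.210:3306", Packet("172.16.1.20", "192.168.1.210", 3306), {}),
        ("guest -> WAN IP:22 (no rule)", Packet("172.16.1.20", WAN_IP, 22), {}),
        ("VLAN0 -> store.mydomain.com:80", Packet("192.168.1.55", WAN_IP, 80), {}),
    ]
    for label, pkt, kw in cases:
        decision, delivered = route(pkt, **kw)
        print(f"{label:45} {decision:6} -> {delivered.dst}:{delivered.dport}")
```

The two `route()` calls for the guest client show the before and after: with `forwarded_flow_exception=False` the DNAT'd flow is dropped at the inter-VLAN check exactly as described in the post, and with the exception it is accepted while direct traffic to 192.168.1.210, including on port 80, stays blocked. If the vendor implements the request, the thing to verify on the real device is that second property, since an exception that keys on the destination host rather than on the forwarded flow would quietly reopen the guest VLAN to the production server.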