No access to local LAN when using remote user access on Balance 20X

Hello! I have an issue with my configuration and can’t understand what is missing. Maybe someone had a similar issue.

This is the current setup (only showing relevant things):
My Balance 20X is connected via modem to the internet. It has a public IP. I use dynamic DNS as well to have the domain always pointing to the router.
Internally I have a main VLAN and my devices are connected to it via Ethernet or Wi-Fi. The VLAN has DHCP and Inter-VLAN routing is enabled.
I have some firewall rules. Most important are:

  1. All inbound are Deny
  2. All internal are Deny
  3. All outbound Allow except iot VLAN
  4. There are some special rules to Allow touching devices on other VLANs from main (iot devices).

This setup is working perfectly.
Now I’m trying to set up Remote User Access. I’m using L2TP (had similar issues with OpenVPN).
I set up all the information and set “Connect to Network” to my main VLAN.

I used an iPhone as a remote device (also tried a MacBook connected to a mobile network). I enabled “Send all traffic” on the device.
What is working:

  1. I’m able to connect to the VPN. A new device with a main VLAN IP is shown in the clients list
  2. Remote device traffic goes through the router (I see the IP on websites is the router IP)
  3. Remote device is able to open router admin panel on VLAN IP (

What’s not working:

  1. Remote device has no access to devices in the same VLAN. No connections, no pings.
  2. VLAN devices behind the router can’t connect to the remote device.

Since the VPN itself is working and the issue is only the connection between devices, I assume some routing doesn’t work where it should. Since the devices are in the same VLAN it should be L2 routing and should work.

Any ideas what I forgot?

After some trial-and-error changes I found what is working.

Some posts, like this one, mentioned that adding an inbound rule helps. It didn’t work for me.

Instead, the problem was that in Internal Network Firewall Rules I have Deny All by default. I thought that L2 routing would do the job since devices on the VPN are in the same VLAN. But it didn’t.

After I added an allow rule to the internal rules where the source and destination fields are the same VLAN network, things started to work.
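
The rule change described above, as an added example that is not part of the original post and is not Peplink's implementation. It models the internal rule list as first-match (an assumption) and covers only traffic the router forwards through those rules, which per the post's finding includes VPN client traffic. All subnets, addresses and rule names are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (not from the post).
MAIN = ipaddress.ip_network("192.168.10.0/24")   # main VLAN
IOT = ipaddress.ip_network("192.168.20.0/24")    # iot VLAN
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "allow" or "deny"

def evaluate(rules, src, dst):
    """Return (action, rule name) of the first rule matching the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action, r.name
    return "deny", "implicit-default"

# Internal rules as described: special allow from main to iot, then Deny All.
BEFORE = [
    Rule("main-to-iot", MAIN, IOT, "allow"),
    Rule("deny-all-internal", ANY, ANY, "deny"),
]
# The fix: one allow rule scoped to main -> main, placed above Deny All.
AFTER = BEFORE[:1] + [Rule("main-to-main", MAIN, MAIN, "allow")] + BEFORE[1:]

# Constructed hosts: the VPN client receives an address from the main VLAN.
FLOWS = {
    "vpn->lan": ("192.168.10.200", "192.168.10.5"),
    "lan->vpn": ("192.168.10.5", "192.168.10.200"),
    "vpn->iot": ("192.168.10.200", "192.168.20.7"),
    "iot->lan": ("192.168.20.7", "192.168.10.5"),
}

def report(rules):
    """Map each sample flow to the action the rule list returns for it."""
    return {name: evaluate(rules, *flow)[0] for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, report(rules))
```

Because the added rule is scoped to the main VLAN network on both sides, flows from the iot VLAN into main still fall through to Deny All.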