====== LAN Access ======

This menu lets you allow LAN-to-LAN traffic that would otherwise be blocked. \\

For example, let's say we have two LANs, a primary one (LAN0/br0) and a secondary one (LAN1/br1). If you want devices on LAN0 to communicate with devices on LAN1 (and vice versa), you could use these settings: \\

{{:pasted:20220126-183839.png}}\\ \\

**On:** enables the rule defined on this row of the table. \\

**Src:** displays/lets you configure the (logical) Source LAN for the rule on this row of the table. \\

**Src Address:** lets you narrow the rule to a specific IP address/set of addresses within the Src interface. \\

**Dst:** specifies the (logical) Destination LAN for the rule on this row of the table. \\

**Dst Address:** (optional) narrows the rule to a specific IP address/set of addresses within the Dst interface. \\

**Description:** a free text field in which you can enter whatever you wish, such as notes or reminders. \\ \\

===== LAN Access Notes and Troubleshooting =====

  * On releases r2025.4 and earlier, regardless of LAN Access rules, a LANx device was able to reach (e.g. ping) all of the router's LAN interfaces (and only those).
  * On r2025.5 and later, FreshTomato LAN interfaces can only be reached from within the same subnet. Thus, a device at 192.168.10.10 can only reach the router at its address on the same subnet, e.g. 192.168.10.1.
  * All entries in this menu are one-way only. If you want hosts on LAN0 to communicate with hosts on LAN1, and vice versa, you'll need two entries in the table.
  * LAN Access is an IP-level access control. Therefore, **all ports/protocols are automatically enabled**. If additional fine tuning is needed (for example, to allow only port 80/TCP), you'll need to manually configure the settings for that.

\\ \\
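One way to do the fine tuning mentioned in the last note, as an added example that is not FreshTomato's own code: a helper that prints, without applying them, rules admitting a single port from one LAN to another. It assumes the router filters inter-LAN traffic with iptables in the FORWARD chain and that the LANs are the bridges br0/br1 named above; the function name ''lan_allow_port'' is hypothetical.

```shell
#!/bin/sh
# Added example, not FreshTomato code. Assumption: inter-LAN traffic is
# filtered by iptables in the FORWARD chain and LANs are bridges brN.
# The rules are only printed so they can be reviewed before use.

# lan_allow_port SRC_IF DST_IF PROTO PORT [SRC_ADDR] [DST_ADDR]
lan_allow_port() {
    src_if=$1 dst_if=$2 proto=$3 port=$4 src_addr=${5:-} dst_addr=${6:-}

    # Reject anything that is not a plain bridge name.
    for ifc in "$src_if" "$dst_if"; do
        case "$ifc" in
            br[0-9]) ;;
            *) echo "bad interface: $ifc" >&2; return 1 ;;
        esac
    done
    if [ "$src_if" = "$dst_if" ]; then
        echo "source and destination LAN are the same" >&2; return 1
    fi
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad protocol: $proto" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi
    # Optional addresses: digits, dots and a CIDR slash only.
    for addr in "$src_addr" "$dst_addr"; do
        case "$addr" in
            *[!0-9./]*) echo "bad address: $addr" >&2; return 1 ;;
        esac
    done

    fwd="-i $src_if -o $dst_if${src_addr:+ -s $src_addr}${dst_addr:+ -d $dst_addr}"
    rev="-i $dst_if -o $src_if${dst_addr:+ -s $dst_addr}${src_addr:+ -d $src_addr}"
    # New connections, one way only, to the single permitted port.
    echo "iptables -I FORWARD $fwd -p $proto --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
    # Replies only: the destination LAN cannot open connections back.
    echo "iptables -I FORWARD $rev -p $proto --sport $port -m state --state ESTABLISHED -j ACCEPT"
}

# Constructed sample: LAN0 (br0) may reach port 80/TCP on LAN1 (br1).
lan_allow_port br0 br1 tcp 80
```

Rules like these only narrow access if there is no enabled LAN Access row for the same Src/Dst pair, because such a row already admits every port and protocol.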