That really makes sense.
I never thought about that.
And… the CIDR rules are the way to go. I just realized that my per-VLAN subnets all start with 192.168.x.x, and of course I need only one rule to solve it.
I think that I was too far inside the problem, without looking at all the possibilities.
Thanks a lot.