@bigtfromaz you could maybe limit the outbound nat for only the device you would be coming from lan with. Like your pc... But yeah that works..

If you just add the route as persistent it should survive reboots, upgrades, etc. you shouldn't need a batch to kick off on startup.

I would normally allow ping as a way to validate connectivity..

@rennit I guess? With VLANs AFAIK there are two ways to get the VLAN assigned. Either something assigns it (AP, switch) or the device's network config has a VLAN. With the latter, someone with knowledge can change, add, or remove the VLAN tag. If the switch allows the new-VLAN packet on that port then it gets passed on. Normally that's blocked by a managed switch, but generally unmanaged gigabit switches will pass packets without regard for VLAN.

Otherwise something would need to be removing the tag from the packets, in order to cross over to another VLAN.