[wyager]

> Or is it possible to allow access from my trusted network INTO the restricted network

Yes, my home network works exactly like this. I have a vlan called "trusted" which can connect to any other vlan. One line in pf.conf.

My VLANs are something like: trusted, guest, media, cameras, printer, etc.

Many of these aren't allowed inbound or outbound connections (e.g. cameras and printer can only talk to things on their subnet).

Only downside is that stuff that works off broadcast packets (like bonjour) does not work across subnets.

[kube-system]

There are mDNS repeaters that can in some cases make bonjour work across different networks. In my experience I spend more time fighting with mDNS than I do enjoying it.

[cassianoleal]

I have avahi running on my router repeating mDNS across all VLANs. I can't recall the last time I had an issue with it.