
This is an old revision of the document!


LAN Access

This menu allows you to define LAN-to-LAN traffic where it otherwise would be blocked.


For example, let's say we have two LANs, a primary one (LAN0/br0) and a secondary one (LAN1/br1). If you want devices on LAN0 to communicate with devices on LAN1 (and vice versa), you could use these settings:




On: enables the rule defined on this row of the table.


Src: displays/lets you configure the (Logical) Source LAN for the rule on that row of the table.


Src Address: lets you narrow the rule to a specific IP address/set of addresses within the Src interface.


Dst: here, specify the logical Destination LAN for the rule on this row of the table.


Dst Address: optionally narrows the rule to a specific IP address/set of addresses within the Dst interface.


Description: a free-text field in which you can enter whatever you wish, such as notes or reminders.



LAN Access Notes and Troubleshooting

  • For releases r2025.4 and earlier, regardless of LAN Access rules, a LANx device was able to reach (e.g. ping) all of the router's LAN interfaces (and only those).
  • On r2025.5 and later: FreshTomato LAN interfaces can only be reached from within the same subnet. Thus, a device at 192.168.10.10 can only reach the router at its address on the same subnet, e.g. 192.168.10.1.
  • All entries in this menu are one-way only. If you want hosts on LAN0 to communicate with hosts on LAN1, and vice versa, you'll need two entries in the table for that.
  • LAN Access is an IP-level access control. Therefore, all ports/protocols are automatically enabled. If additional fine-tuning is needed (for example, to allow only port 80/TCP), you'll need to manually configure the settings for that.
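
The following is an added example, not FreshTomato code: a small Python model of the rule table as the notes above describe it (rows are one-way and match at the IP level only), useful for reviewing a planned table before entering it. The Rule class, the LAN subnets, the sample rows and the address syntax (empty, single IP or CIDR) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                 # hypothetical mirror of one table row
    on: bool
    src: str                # logical source LAN, e.g. "LAN0"
    src_addr: str           # "" = whole LAN; otherwise IP or CIDR (assumed syntax)
    dst: str                # logical destination LAN
    dst_addr: str           # "" = whole LAN; otherwise IP or CIDR (assumed syntax)
    desc: str = ""

def _match(spec, ip):
    # An empty address field means the row is not narrowed on that side.
    if not spec:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def permitted(rules, src_lan, src_ip, dst_lan, dst_ip):
    """True if an enabled row matches this direction (rows are one-way)."""
    return any(r.on and r.src == src_lan and r.dst == dst_lan
               and _match(r.src_addr, src_ip) and _match(r.dst_addr, dst_ip)
               for r in rules)

def audit(rules):
    """List points worth reviewing: rows without a reverse row, and un-narrowed rows."""
    active = [r for r in rules if r.on]
    pairs = {(r.src, r.dst) for r in active}
    findings = []
    for r in active:
        if (r.dst, r.src) not in pairs:
            findings.append(f"{r.src}->{r.dst}: one-way, no reverse entry")
        if not r.src_addr and not r.dst_addr:
            findings.append(f"{r.src}->{r.dst}: whole LAN to whole LAN, all ports/protocols")
    return findings

# Constructed sample table (LAN0 = 192.168.1.0/24, LAN1 = 192.168.10.0/24 assumed)
RULES = [
    Rule(True, "LAN0", "", "LAN1", "", "admin LAN to IoT"),
    Rule(True, "LAN1", "192.168.10.50", "LAN0", "192.168.1.20", "camera to NVR"),
    Rule(False, "LAN1", "", "LAN0", "", "disabled test rule"),
    Rule(True, "LAN0", "192.168.1.0/28", "LAN2", "", "mgmt hosts to LAN2"),
]

if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

In the sample table a reverse LAN1 to LAN0 row exists, but it is narrowed to a single host pair, so the two directions are not symmetric; a row that is switched off does not count.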



advanced-access.1767913310.txt.gz · Last modified: by hogwild