Hello, Not sure if this has been resolved and/or even know the whole story as didn't read rest of replies, so please excuse me but from up above, i would put back the firewall rule to block vlan20 to main lan. I dont know what you are using for firewall or your setup but by default, firewall rules should process from top to bottom. That being said, above the rule you just set, i would make another rule to allow, from vlan20 for the application, ip address, port on the main lan. This will allow that app to communicate from vlan 20 to main lan and nothing else. Hope this works. If your rules are blocking the opposite way, you will need to create another rule from the other side from host network to vlan20. Hope this helps and as I said, not sure of whole story.