This bugs me a bit so just seeking out to see what you folks do here, at least you who work in security or have a security oriented homelab.
I do not generally allow any traffic between VLANs, all is isolated in the Switch, where different VLANs are in different routing instances (VRFs) and next-hop is my firewall. All traffic is L3.
Now when I’m testing new things and I need to login to a random web interface, at a random port I normally create an application on my firewall for that port, and add that port to a “baseline” I have for traffic from my office network to my different server networks. This works as intended and means I will never have any traffic I’m not aware of.
However this is also time consuming. So I’m thinking to allow all high ports (>1024) - for only one direction (office networks->server networks) but not sure this is a good idea either.
I’m also thinking to force (web admin X) to use 443. I could also use a web proxy that would allow high ports and use that while testing, but yeah, all have their pros and cons…
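One way to keep the per-port "baseline" approach without the manual overhead, written here as an added nftables example rather than anything from the post or its author's firewall (which is not named): put the permanent baseline in a named set, and put ports opened for testing in a second set whose elements expire on their own. The interface names `vlan10`/`vlan20` and the ports 22 and 443 are assumptions for illustration.

```nft
# Added example, not from the original post. Forward policy for the
# office -> server direction only; interface names and ports are assumed.
table inet filter {
    # Permanent baseline: ports consciously added to the office->server policy.
    set office_to_servers {
        type inet_service
        elements = { 22, 443 }
    }

    # Short-lived allowances for testing. Each element carries its own
    # timeout, so a port opened "just to look at a web UI" disappears
    # by itself instead of quietly becoming permanent policy.
    set office_to_servers_tmp {
        type inet_service
        flags timeout
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept

        # Office VLAN -> server VLAN, only the listed TCP destination ports.
        iifname "vlan10" oifname "vlan20" tcp dport @office_to_servers accept
        iifname "vlan10" oifname "vlan20" tcp dport @office_to_servers_tmp accept

        # Everything else from office to servers is logged (rate limited)
        # and then dropped, so there is still a record of every flow that
        # was not explicitly allowed.
        iifname "vlan10" oifname "vlan20" limit rate 10/minute log prefix "office->servers denied: "
        counter drop
    }
}
```

Opening a port for a test session is then a single command such as `nft add element inet filter office_to_servers_tmp { 8443 timeout 2h }`, and the denied-traffic log still shows anything that falls outside both sets, which preserves the "no traffic I'm not aware of" property that a blanket allow of all ports above 1024 would give up.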