Yeah, that's what I did. I've been a network and security architect specializing in Cisco and Juniper switching/routing/firewalls for 23 years. If it only talks on 23, then the Lutron app for some reason doesn't work when the Lutron hub is on another subnet. And... The Lutron app on my phone on the same subnet as the Hubitat DID work just fine. So there is likely something wrong with the Hubitat Lutron app, unless the android app was using the cloud connection, which is probably likely.
Anyway, my rule looks like this:
Source: trust zone, any ip, any port
Dest: iot zone, Lutron hub ip, port 23
Hubitat is in the trust zone. And it works fine if I use Nmap or telnet to test from anything on trust from a pure TCP connection standpoint.
The Lutron mobile app does not use Telnet to communicate with the Lutron bridge. I am not sure exactly how it communicates with the bridge, but I am pretty sure Telnet is only used for third-party integrations like Hubitat.
Does the Hubitat hub have the correct gateway address for your network? What subnet mask are you using to create multiple LANs? I believe the Hubitat Hub really wants to use 255.255.255.0 as its subnet mask.
Personally, I don't see the value in complicating one's home network with multiple LANs. Yes, I understand the concept of enhanced security...but the frustration that the additional complexity adds is just not worth it, IMHO. I am a fan of the KISS principle. YMMV, of course, and everyone's situation is unique.
Everything is a /24 mask. And gateway is set correctly or it wouldn't be able to get out for software updates.
As for the multiple VLANs... The only frustration I have had regarding it is with the Hubitat, and some DLNA stuff years back. Everything else works as expected.
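As an added illustration (not from any poster in this thread), the script below models the troubleshooting logic discussed above: the zone policy "trust (any ip, any port) -> iot, Lutron hub IP, port 23" and the mask/gateway questions about the Hubitat. The subnets, the Hubitat and Lutron addresses, and the gateway are constructed placeholders; the thread only states that every subnet uses a /24 mask.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing; the thread only says every subnet is a /24.
ZONES = {
    "trust": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
}
LUTRON = ipaddress.ip_address("192.168.20.40")  # assumed Lutron hub IP

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[ipaddress.IPv4Address]  # None means any host
    dst_port: Optional[int]                    # None means any port

# The poster's rule: trust zone (any ip, any port) -> iot zone, Lutron hub IP, port 23
RULES = [Rule("trust", "iot", LUTRON, 23)]

def zone_of(ip):
    return next((name for name, net in ZONES.items() if ip in net), None)

def next_hop(src, mask, gateway, dst):
    """How the source host forwards to dst: on-link, via-gateway, or stuck."""
    local = ipaddress.ip_interface(f"{src}/{mask}").network
    if dst in local:
        return "on-link"  # host ARPs for dst directly; the firewall never sees it
    if gateway not in local:
        return "gateway-unreachable"  # gateway outside own subnet: ARP for it fails
    return "via-gateway"

def policy_allows(src, dst, port):
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return False
    if sz == dz:
        return True  # intra-zone traffic does not traverse the zone policy
    return any(r.src_zone == sz and r.dst_zone == dz
               and r.dst_host in (None, dst) and r.dst_port in (None, port) for r in RULES)

def diagnose(src, mask, gateway, dst, port):
    src, gateway, dst = (ipaddress.ip_address(x) for x in (src, gateway, dst))
    hop = next_hop(src, mask, gateway, dst)
    if hop == "gateway-unreachable":
        return hop
    if hop == "on-link" and zone_of(src) != zone_of(dst):
        return "mask-too-wide"  # e.g. /16 on the hub: it thinks the iot subnet is local
    return "permitted" if policy_allows(src, dst, port) else "blocked-by-policy"
```

A wrong mask or gateway on the hub fails before the firewall is ever consulted, which is why a connectivity test from another trust-zone host (as with nmap or telnet above) can succeed while the hub itself cannot reach port 23.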