Since the default FORWARD policy is to DROP, only send packets to the
INSIDE chain if:

A) they come in on the vlan interface and
B) they have src IPs in the control net (or brodcast IP)

Packets that match the first but not the second will fall through and
be dropped.