It works without host access. It's just that to auto-detect devices on the subnet requires low level access across several protocols. Perhaps this could be done without host access but it seems to be a difficult problem.

No, it doesn't work without. Auto-detection is one thing, even that can be NAT'ed, definitely not difficult - bridging broadcasts between subnets is an OLD thing. But I digress, I'm actually speaking of all the integrations that foolishly assume the bind IP and the advertised IP are the same. So it's either an invalid bind address or an inaccessible internal one.

Mine is running with normal isolated networking. Z-wave and zigbee are both working fine. No integrations that don't. I think I originally had to assign the hue bridge to have a static ip though..

Neither Z-wave or ZigBee are the type of thing that would have to be directly visible on your local network to work properly. Try Homekit or something that has actually uses IP networking.

Kasa uses direct tcp/udp in my setup and works fine. Same for DLNA servers. No issues.

Which integration are you referring to? I've had it working fine.