Best way to isolate all interfaces from each other


what is the best way to isolate all interfaces from each other (Lan Wifi).
What I did: Under "Switch" and created separate VLANs for each Interface and assigned those to my interfaces. Each interface has a different subnet: 192.168.1. ..., 192.168.2. ..., 192.168.3. ..., ...

Also also set the firewall input and forward from each zone (besides LAN1 - only interface I want to access the Router via SSH) to "reject" and only alloewd DNS and DHCP via a separate traffic rule.

Is there anything I should also do?

Thank you for your help.


You could merge all the interfaces but lan1 into one zone with INPUT and FORWARD drop/reject.
Other than that you are fine.


Thank you. I will test it later :slight_smile:

1 Like

I was wondering, if you could help me understand how it actually works. I still didn't really get the meanings of the zones and how it works. I tired to understand the documentation, but I still didn't get it :frowning:

So what I have done now:

NOLAN: covers all interfaces except lan
If I understand correct, this means that every traffic which is incoming to all interfaces covered by NOLAN is dropped.
E.g. In NOLAN, there is a network called WIFIGUEST. When a device from lan tries to access a device in WIFIGUEST, this request will be dropped?

In my case, I then need to turn it around and create another firewall zone for lan with input drop.
Or did I understand something completely wrong?

One more question: The router - Is it part of lan zone?

Thank you very much for your help.

In this example you allow forwarding from NOLAN zone to lan. Traffic to the router is dropped (INPUT). Traffic from the router is allowed (OUTPUT). Traffic between the zone interfaces is dropped (FORWARD).
The first one doesn't seem correct to me, but I cannot say for sure if I don't see the whole picture.

1 Like

Okay, that is definitely not what I wanted to do. But I think I now got the concept.

So I am correct that I do not need the last rule I have added? And to sum it up:

  • Input: Traffic from the zone to the Router and not from the zone => zone (nolan => lan)
  • Output: Traffic from the Router to zone
  • Forward: Traffic from the zone to other zones

When I look at the picture below with the all the zones, this means, that I allow all traffic in general from each zone to wan, but mostly reject the traffic from the zone to the router and reject the traffic to the other existing zones:

If yes, then I only have to remove the last entry (nolan => lan). Forwarding is set to reject on all zones.

Or is it only between the interfaces in one zone? If yes, than I need to create a new zone with all interfaces including lan: ALL => Reject (like the second entry) with Input and Forwarding "Drop". But this means, because lan is included, that my devices from lan are no longer able to access the router and they have to.
If I do not include lan, than the other interfaces can still access lan and I need to setup traffic rules in this scenario for SSH and Ports 80 and 443.

I really appreciate your help.

Wrong, it is the intrazone traffic, that is traffic between the interfaces of the same zone.
For interzone traffic there are forwardings.

That also depends on the default policy you have and is not visible, it is at the top of the screen.

The way you describe it, you can combine all the interfaces except lan in one zone, call it nolan, which has forwarding to wan only, input and forward reject, output accept. Allow the DNS and DHCP with rules for this nolan zone.


You mean these settings:

I haven't change anything here.

Okay, so if there is no forwarding to a specific zone, than no traffic is possible between the interfaces. The Forwardings are (when last last one is deleted (nolan => lan)) only set from the zones to wan, which means, that no interzone traffic is possible and e.g. WIFIBUS can not access lan. Correct?

Because I set Input to reject on all Forwardings to wan (except lan), I have already setup Traffic Rules for DNS and DHCP for all interfaces.

I use LAN as a management/trusted zone and added "zone -> forwardings" so the wireless APs can be accessed.

... between the zones.

The Forward in General Settings is reject, so by default interzone traffic is rejected. Only the Forwardings you have allowed are accepted.
Since you have the same settings to all zones except lan you can merge them all in one zone containing all the interfaces.



Alright, now I got it. Here are now my new settings:

In General "Forward" is dropped - so no traffic between zones nolan and lan is possible.

All interfaces except lan are combined in zone nolan. Because Input is set to drop, traffic to the router is dropped and because forward ist set to drop, no traffic between the interfaces of zone nolan is possible. Only the traffic from zone nolan to wan is allowed (nolan => wan).

For the zone nolan I have setup traffic rules to allow DNS and DHCP to the router.

Now my Setup is complete and I understand how the firewall zones work. Also I simplified the settings a lot with the combined nolan zone.
Thanks a lot.

1 Like

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.