I do not want forwarding between various portions of the LAN zone. Specifically I do not want WiFi clients to be able to connect to a device on Ethernet LAN.
My firewall is configured as follows, with Forward set to Reject. I think this means that Wifi clients can not talk with Ethernet LAN, and vice versa.
With that setting in place, I can still connect to a LAN-based web server.
Am I misunderstanding what Reject means?
The router is a TP-Link 3600 running 18.06.2.
Unless you have customised your installation, the default "lan" zone points to the bridge between your wired ethernet and your wifi network. The firewall won't handle this case since they're on the same segment.
You could try splitting the network in a "wired-lan" and "wireless-lan" network and then create two matching firewall zones.
In that case, I really do not understand what the Forward column means. I thought it was about forwarding between the various wifi/ether interfaces contained within this LAN zone.
- You are sending onward traffic to the router
- It has to forward the traffic to another router in the same zone
That's its only function, and not common in a SOHO/consumer configuration.
It is, but only if these interfaces happen to not be bridged.
Forwarding works between firewall zones, not within any zone.
In a default setup you have a "wan" and a "lan" zone: such a rule says any network in the "lan" zone (typically the wired switch ports and the wireless clients) is not allowed to talk to any network in the "wan" zone. Anything goes within the "lan" zone and the (normally) bridged networks that make it up.
I suppose part of the confusion is the label of the zone; give it another name if that helps you distinguish the two concepts.
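Added example (not from any post above) of the split proposed earlier in the thread and explained in the last reply: the wireless clients are moved out of br-lan onto their own interface and zone, so traffic between them and the wired hosts has to be routed, enters the FORWARD chain, and is subject to the zone policy. While both sit on one bridge the switching happens at layer 2 and never reaches iptables, so no zone setting can block it. The device name eth0.1, the 192.168.2.0/24 range, the SSID, the key and the radio name are assumptions for illustration; substitute the values from your own router. UCI config fragments for OpenWrt 18.06:

```text
# /etc/config/network   (assumed: wired switch ports appear as eth0.1 on this model)
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'wlan'
	option type 'bridge'           # no wired members; the radio attaches via /etc/config/wireless
	option proto 'static'
	option ipaddr '192.168.2.1'    # assumed range for the wireless clients
	option netmask '255.255.255.0'

# /etc/config/wireless   (one wifi-iface per radio; "network" is what moves the SSID off br-lan)
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt-wlan'     # assumed SSID
	option encryption 'psk2'
	option key 'change-me'         # placeholder, set a real passphrase
	option network 'wlan'

# /etc/config/dhcp   (the new interface needs its own pool)
config dhcp 'wlan'
	option interface 'wlan'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall
config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wlan'
	option network 'wlan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'wlan'
	option dest 'wan'

# Deliberately no "config forwarding" between wlan and lan: with no forwarding
# rule, traffic from the wlan zone to the lan zone falls through to the zone's
# default forward policy (REJECT) and is dropped with an ICMP reject.
```

Apply with `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, then check from a wireless client that the wired web server is now unreachable while internet access still works. `iptables -L FORWARD -v` on the router should show the wlan zone's forward chain counting the rejected packets, which it never did while both networks shared br-lan.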