How to isolate my OpenWrt LAN from my actual LAN?

I have a series of devices on my home network that I don't control/trust: IOT stuff and a managed corporate laptop for example. I'd like to place these on a separate network that can only go through my home router to reach the internet without getting to the other devices on my LAN. A crude diagram may be more helpful:

As things currently stand, the Corporate Laptop can ssh into Local NAS, but I'd rather that the NAS was entirely invisible/unreachable to everything behind the OpenWrt router. Is that even possible? If not, is there a better way to do this barring replacing the ISP router with OpenWrt?

1 Like

Block all access to the .1. subnet, from the .6. subnet, except for the IP, in the openwrt firewall.

1 Like

Oooh, that sounds promising. How do I do that?

Actually, you can block the entire subnet... just make a firewall rule that drops all traffic from the lan zone to and you're done.


Wouldn't this block all outgoing traffic from the corporate LAN to the internet as that would have to go through

no. It blocks the OpenWrt lan zone from having direct access to the upstream router, but it does not block the internet traffic. The reason is because the OpenWrt router itself is responsible for connecting to the upstream gateway (

Think of it like this: > ( on the wan) >

1 Like

Ah! That's excellent, thank you! It totally works!

you're welcome!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.