[luci-firewall] guest zone forwarding not denied as expected

Hi, I am moving from custom iptables rules created by myself to luci rules created on the luci web interface, but I am facing some problems or I am not understanding very well how luci works. I have created a new zone named guest-zone. This zone is connected to an interface named guest, which is attached to a VLAN with ID 101. This is a basic diagram:

Guest people connect to an access point, which tags their connection to VLAN 101 and "forwards" to the real router running dnsmasq. The guest people receive an IP address in the 172.16.31.0/24 range (guest interface).

In my luci firewall, I have explicitly set REJECT for forwarding as follows:

Despite that, guest users still can use the internet. Why is it not being rejected?

Thanks!

You allow guest_zone -> wan forwarding.
The per-zone forward is for traffic among interfaces of the same zone.
The general settings forward is for interfaces not belonging to any zone.

2 Likes
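To make the distinction in the reply concrete, here is an added example (not from this thread, and not the original poster's configuration) that walks a constructed /etc/config/firewall excerpt in UCI syntax. The guest zone carries `option forward REJECT`, which only governs traffic between interfaces inside the guest zone; the separate `config forwarding` section with `src guest` / `dest wan` is the inter-zone rule that actually lets guest clients out. The script lists such forwardings per zone and shows the fix, which is to delete that forwarding section. Zone and interface names are assumed for illustration.

```shell
#!/bin/sh
# Constructed /etc/config/firewall excerpt (hypothetical, not a real router's config):
# the guest zone rejects intra-zone forwarding, but a guest -> wan forwarding exists.
FW_CONFIG='
config defaults
	option input ACCEPT
	option output ACCEPT
	option forward REJECT

config zone
	option name lan
	list network lan
	option input ACCEPT
	option output ACCEPT
	option forward ACCEPT

config zone
	option name wan
	list network wan
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option masq 1

config zone
	option name guest
	list network guest
	option input REJECT
	option output ACCEPT
	option forward REJECT

config forwarding
	option src lan
	option dest wan

config forwarding
	option src guest
	option dest wan
'

# zone_forward_policy CONFIG ZONE
# Prints the per-zone "option forward" value, i.e. the policy for traffic
# between interfaces of the same zone (what the LuCI zone form shows).
zone_forward_policy() {
    printf '%s\n' "$1" | awk -v want="$2" '
        function flush() { if (sect == "zone" && name == want) print fwd }
        $1 == "config" { flush(); sect = $2; name = ""; fwd = "" }
        $1 == "option" && $2 == "name"    { name = $3 }
        $1 == "option" && $2 == "forward" { fwd = $3 }
        END { flush() }
    '
}

# list_forwardings CONFIG SRC_ZONE
# Prints "src dest" for every inter-zone forwarding section whose src is SRC_ZONE.
# These are independent of the per-zone forward policy above.
list_forwardings() {
    printf '%s\n' "$1" | awk -v want="$2" '
        function flush() { if (sect == "forwarding" && src == want) print src, dst }
        $1 == "config" { flush(); sect = $2; src = ""; dst = "" }
        $1 == "option" && $2 == "src"  { src = $3 }
        $1 == "option" && $2 == "dest" { dst = $3 }
        END { flush() }
    '
}

# drop_forwarding CONFIG SRC DEST
# Emits CONFIG without the forwarding section SRC -> DEST (the actual fix:
# remove the guest -> wan forwarding instead of touching the zone policy).
drop_forwarding() {
    printf '%s\n' "$1" | awk -v s="$2" -v d="$3" '
        function flush() { if (!(sect == "forwarding" && src == s && dst == d)) printf "%s", buf }
        $1 == "config" { flush(); sect = $2; src = ""; dst = ""; buf = "" }
        $1 == "option" && $2 == "src"  { src = $3 }
        $1 == "option" && $2 == "dest" { dst = $3 }
        { buf = buf $0 "\n" }
        END { flush() }
    '
}

# Demo: the zone says REJECT, yet a guest -> wan forwarding exists.
echo "guest intra-zone forward policy: $(zone_forward_policy "$FW_CONFIG" guest)"
echo "inter-zone forwardings from guest: $(list_forwardings "$FW_CONFIG" guest)"
FIXED=$(drop_forwarding "$FW_CONFIG" guest wan)
echo "after removing guest -> wan: '$(list_forwardings "$FIXED" guest)'"
```

Running it prints REJECT for the zone policy and `guest wan` for the forwarding, which is exactly the combination the poster had; after `drop_forwarding` the guest zone has no inter-zone forwarding left, so guest clients can no longer reach wan. The same check can be run against a live router by replacing the embedded text with the output of `cat /etc/config/firewall`.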

Thanks! It worked.

1 Like
