OpenWrt guests can see hosts in upstream LAN


Using release 19.07.2 on a ZyXEL NBG6716.

This router (LAN-range is behind an ISP's router (Experiabox v10, LAN-range The guest-WLAN has a LAN-range of Wireless client-isolation is active for the guest-interface and this works as expected.

The guests cannot see each other (as intended per client-isolation), cannot see the devices in the normal LAN, but can see/reach/attack the devices in the ISP router's range.

Can this somehow be prevented? Can the upstream router (and the devices in its LAN) be shielded from the guests?

Thanks in advance,

Ummmm, your device is downstream, but you want to block access to its upstream network???


Yes, you firewall to all IPs in the subnet...above that rule, you allow the OpenWrt's WAN to reach the gateway (if you need things like DNS lookup from it).


This is expected behavior. You can add a firewall rule to drop all packets with a destination of the network.


Thank you very much for this very quick response.
Case solved - as soon as I construct the correct rule(s) for doing so.
Edit: done. This is the firewall rule that does exactly what I think I need.

config rule
        option name 'Drop-Guest-to-Upstream'
        option family 'ipv4'
        option src 'guest'
        option proto 'tcp udp'
        option dest 'wan'
        list dest_ip ''
        option target 'REJECT'

Kind regards,

Might wanna use 'all'
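
Added example, not part of the original thread or any poster's own configuration: the rule ordering and protocol coverage discussed above, written as an /etc/config/firewall fragment. The upstream subnet 192.168.2.0/24 and gateway 192.168.2.254 are constructed placeholders, the zone name 'guest' is taken from the thread, and the first rule's name is hypothetical.

```uci
# /etc/config/firewall (added example; addresses are constructed placeholders)
# Assumed: upstream (ISP router) LAN = 192.168.2.0/24, its gateway = 192.168.2.254.

# Optional, and it must sit above the reject rule: only needed when guest
# clients are handed the upstream gateway as their DNS resolver instead of
# the OpenWrt router itself.
config rule
        option name 'Allow-Guest-DNS-to-Upstream-GW'
        option family 'ipv4'
        option src 'guest'
        option dest 'wan'
        list dest_ip '192.168.2.254'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'

# Reject everything else forwarded from the guest zone to the upstream subnet.
# proto 'all' also covers ICMP and other IP protocols, which 'tcp udp' leaves open.
config rule
        option name 'Drop-Guest-to-Upstream'
        option family 'ipv4'
        option src 'guest'
        option dest 'wan'
        list dest_ip '192.168.2.0/24'
        option proto 'all'
        option target 'REJECT'
```

Guest traffic to the internet is unaffected because its destination address lies outside the upstream subnet, and traffic originated by the router itself does not pass through a rule with src 'guest'.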

