This router (LAN-range 192.168.2.0/24) is behind an ISP's router (Experiabox v10, LAN-range 192.168.1.0/24). The guest-WLAN has a LAN-range of 192.168.42.0/24. Wireless client-isolation is active for the guest-interface and this works as expected.
The guests cannot see each other (as intended per client-isolation), cannot see the devices in the normal LAN, but can see/reach/attack the devices in the ISP router's range.
Can this somehow be prevented? Can the upstream router (and the devices in its LAN) be shielded from the guests?
Ummmm, your device is downstream, but you want to block access to its upstream network???
Yes, you firewall to all IPs in the subnet...above that rule, you allow the OpenWrt's WAN to reach the gateway (if you need things like DNS lookup from it).
Thank you very much for this very quick response.
Case solved - as soon as I construct the correct rule(s) for doing so.
Edit: done. This is the firewall rule that does exactly what I think I need.
config rule
	option name 'Drop-Guest-to-Upstream'
	option family 'ipv4'
	option src 'guest'
	option proto 'tcp udp'
	option dest 'wan'
	list dest_ip '192.168.1.0/24'
	option target 'REJECT'
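
Added example, not code from any poster in this thread: a small first-match model of the rule above with a DNS allow rule placed above it, as the reply suggests, to check what guest traffic to 192.168.1.0/24 is still forwarded. The gateway address 192.168.1.1, the allow rule and its name are assumptions, and the matcher is simplified (single ports only, `family` and `dest` zone not evaluated).

```python
import ipaddress

# Constructed UCI text: the thread's reject rule, preceded by a hypothetical
# allow rule for DNS to the upstream gateway (192.168.1.1 is an assumption).
UCI = """
config rule
	option name 'Allow-Guest-DNS-Upstream'
	option src 'guest'
	option proto 'tcp udp'
	option dest 'wan'
	list dest_ip '192.168.1.1'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Drop-Guest-to-Upstream'
	option family 'ipv4'
	option src 'guest'
	option proto 'tcp udp'
	option dest 'wan'
	list dest_ip '192.168.1.0/24'
	option target 'REJECT'
"""

def parse_rules(text):
    """Parse 'config rule' sections into dicts; 'list' values accumulate."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if parts[:2] == ["config", "rule"]:
            rules.append({})
        elif len(parts) == 3 and parts[0] == "list":
            rules[-1].setdefault(parts[1], []).append(parts[2].strip("'"))
        elif len(parts) == 3 and parts[0] == "option":
            rules[-1][parts[1]] = parts[2].strip("'")
    return rules

def verdict(rules, src, proto, dest_ip, dest_port=None):
    """First matching rule wins; no match falls through to zone forwarding."""
    addr = ipaddress.ip_address(dest_ip)
    for r in rules:
        protos = r.get("proto", "tcp udp").split()  # firewall default: tcp and udp
        nets = [ipaddress.ip_network(n, strict=False) for n in r.get("dest_ip", [])]
        if (r.get("src") == src and (proto in protos or "all" in protos)
                and (not nets or any(addr in n for n in nets))
                and r.get("dest_port") in (None, str(dest_port))):
            return r["target"], r["name"]
    return "FORWARDING", None

if __name__ == "__main__":
    print(verdict(parse_rules(UCI), "guest", "icmp", "192.168.1.10"))
```

With `proto 'tcp udp'`, ICMP from the guest zone to the upstream subnet matches neither rule and falls through to the guest-to-wan forwarding; setting `option proto 'all'` on the reject rule closes that path.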