Protecting device from VLAN?

I've defined a protected DMZ VLAN for IoT devices and the like, zoned to prevent communication with the primary LAN, and it is working well.

However, it's not working so well for the router itself - anything in the DMZ can hit anything on the router, including LuCI, which isn't good.

Rather than taking a sledgehammer approach by hand-blocking all traffic between the IP networks, then manually allowing DHCP and DNS, is there a cleaner solution?

The default rule for input on the IoT zone should be REJECT. Then have rules to allow DHCP and DNS.

2 Likes
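What that answer looks like as an /etc/config/firewall fragment, added here as an illustration and not taken from the thread or from the OpenWrt docs. The zone name `iot` and the network name `iot` are assumptions; substitute whatever your DMZ VLAN interface and zone are actually called. Everything in the zone that is not matched by an explicit `config rule` (LuCI on 80/443, SSH on 22, and so on) is rejected by the zone's `input` default, so there is no need to hand-block individual services.

```uci
# /etc/config/firewall (fragment, added example; zone/network names 'iot' are assumed)

# Zone for the IoT DMZ VLAN.
# input  = traffic from IoT devices TO the router itself -> REJECT by default
# output = traffic from the router TO IoT devices         -> ACCEPT
# forward = traffic between IoT devices inside the zone    -> REJECT
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Let IoT devices reach the internet (inter-zone forwarding is otherwise denied).
# Drop this stanza if the DMZ must not have WAN access.
config forwarding
	option src 'iot'
	option dest 'wan'

# Exception 1: DHCP. Clients send UDP to port 67 on the router; allowing the
# 67-68 range also covers the client-side port used in renewals.
config rule
	option name 'Allow-DHCP-IoT'
	option src 'iot'
	option proto 'udp'
	option dest_port '67-68'
	option family 'ipv4'
	option target 'ACCEPT'

# Exception 2: DNS to the router's resolver (dnsmasq), over both TCP and UDP.
config rule
	option name 'Allow-DNS-IoT'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

Apply it with `/etc/init.d/firewall restart` and then verify from a host on the IoT VLAN that DNS lookups and a DHCP renewal still work while a connection to the router's LuCI port is refused. Two caveats: if the VLAN is dual-stack you will also need rules for DHCPv6 (UDP 547) and ICMPv6 (router advertisements, neighbour discovery), since the REJECT default blocks those too; and any other router-hosted service the devices genuinely need (NTP, for example) gets its own narrow `config rule` rather than a relaxation of the zone default.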

You should use the firewall config similar to guest Wi-Fi:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan#firewall

1 Like

Thank you both!

1 Like