I've defined a protected DMZ VLAN for IoT devices and the like, zoned to prevent communication with the primary LAN, and it is working well.
However, it's not working so well for the router itself - anything in the DMZ can hit anything on the router, including LuCI, which isn't good.
Rather than taking a sledgehammer approach by hand-blocking all traffic between the IP networks, then manually allowing DHCP and DNS, is there a cleaner solution?