I have played with the setup of my router, trying to achieve the following diagram:
I duplicated what was working for lan network through tun0:
I created a second interface lan-guest using a new bridge (br-lan-guest) attached to a new vlan (vlan 3) which tags only cpu eth1. I also added new firewall zones for lan-guest and vpn tun1.
Using pbr it seems to work fine.
on lan-guest, only radio1 is attached as an AP for clients to connect.
I was wondering in the lan-guest interface setting, what difference does it make when using either the bridge (br-lan-guest) or selecting the wireless interface instead:
Delete the first rule, remove port 68 from the second rule. Change input from lan_guest to reject (in the drop-downs shown in the second screenshot from Luci).
Thanks for the reply.
I confirm the firewall blocks lan_guest to lan without specific rules.
Regarding Block-Guest-Luci, I tried what you suggested by removing the rule and changing the zone setting to reject input but it would stop all internet browsing from lan_guest.
Instead I have reverted on the lan_guest zone to ACCEPT input and specified in the firewall rule to drop input from lan_guest to the IP of LuCi like it was setup in my original post, but I have specified destination ports to 22, 80 and 443.
Internet works fine on lan_guest and LuCi is not accessible via a web browser, is that enough to block access to LuCi or should I add something else?
No, this should not happen. The Input rule refers to traffic that is destined for the router itself. It does not impact traffic that is destined for other zones (such as the wan). If you experienced a problem here, it is most likely related to DNS -- you can add a rule to accept port 53 from the guest network. Or you can advertise an alternate DNS server (such as a public DNS like Google or Cloudflare), using DHCP option 6.
