Wireguard: allow wan forward but no lan access

Hi, I use WireGuard on my router so my dad can watch channels he does not receive (but I do, thanks to my ISP). I use udpxy, so everything runs locally on the router at 127.0.0.1:4004, and Kodi is configured to use that (so it's not UDP but TCP). He uses a Raspberry Pi with LibreELEC, and all works fine. But there is one thing that concerns me. At the moment it is configured to create all required routes automatically, which means he can also access the internet with his Raspberry Pi. That's fine with me, but it also means he can access my network, which makes me a bit afraid. I am wondering what an easy but still good solution is now, so that the traffic is forwarded to the wan interface but not into the lan. Should I create a completely new zone or a single firewall rule? At least I guess it's only one iptables command, something like `iptables -A FORWARD --dest-iface wan --src-ip 192.168.100.2 -j ACCEPT` (I don't know the 100% correct syntax right now).
I thought I'd create a new rule in LuCI's firewall traffic rules: Forwarded IPv4 and IPv6, protocol ICMP/TCP/UDP, from any zone, IP 192.168.100.2, to wan.
But somehow it does not work, so probably there is more required?

If you have added the WG interface to the LAN zone, you might try to set the FORWARD chain in the LAN zone to REJECT instead of ACCEPT.

Mind you, if you now have access to your father's router, this might also block that.

Otherwise please connect to your OpenWRT device using SSH, copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show

The simplest way would be to move the WireGuard tunnel into a new zone and have only one config forwarding entry that allows that zone to forward to wan.

Thanks, that's what I did now and it works perfectly!
I created a new zone with input set to reject and allowed only TCP 4022 (I thought it was 4004, but it was 4022) as a separate input-allow rule.
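For reference, the zone layout recommended above (a dedicated WireGuard zone that may only forward to wan) and the final configuration described in the last post (input rejected except for the udpxy TCP port) can be expressed as a fragment of /etc/config/firewall like the following. This is an added example, not configuration taken from either poster; the interface name `wg0`, the zone name `wg`, and the idea of pinning the udpxy rule to the peer address 192.168.100.2 are assumptions, and it presumes udpxy is actually listening on the router's tunnel address (a 127.0.0.1-only bind would not be reachable through the tunnel) and that the usual Allow-WireGuard input rule on the wan zone for the listen port already exists, since the tunnel is already up.

```uci
# /etc/config/firewall (added example; names are assumptions)

# Dedicated zone for the WireGuard interface. It is NOT a member of the lan
# zone, so nothing forwards from the tunnel into the lan unless a forwarding
# entry explicitly allows it. input REJECT closes the router itself to the
# peer except for what the rule below opens; forward REJECT also blocks
# peer-to-peer forwarding inside the zone should more peers be added later.
config zone
	option name 'wg'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The single forwarding entry: wg -> wan only. No wg -> lan entry exists.
# Outbound traffic picks up masquerading from the existing wan zone.
config forwarding
	option src 'wg'
	option dest 'wan'

# The one service the peer needs on the router: udpxy on TCP 4022.
# src_ip restricts it further to the father's tunnel address (assumption).
config rule
	option name 'Allow-WG-udpxy'
	option src 'wg'
	option src_ip '192.168.100.2'
	option proto 'tcp'
	option dest_port '4022'
	option target 'ACCEPT'
```

After `/etc/init.d/firewall restart`, a quick check from the Raspberry Pi side is that the udpxy port on the router's tunnel address answers, that internet hosts are reachable, and that a ping or TCP connect to any address in the lan subnet is rejected. Note that the wg interface must be removed from the `list network` of the lan zone at the same time, otherwise the lan zone's own ACCEPT policies still apply to it.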