[kylehase]

I'm not sure if this is a bug or working as intended.

My primary network is 192.168.1.0/24 and guest (IoT) wifi on 192.168.2.0/24 with router on 192.168.1.1.

I have a few firewall rules enabling full access from primary LAN to guest LAN as well as limited access from guest LAN to the MQTT port on a primary LAN host. This all works perfectly so I'm hoping to refrain from posting my iptables but will post redacted if it is needed.

My goal is to enhance privacy by blocking Internet access for some IoT devices, so I enabled WAN access restrictions from the GUI for select IoT hosts. While it did work, it also blocked those hosts from reaching the MQTT server on the primary LAN. In other words, blocking WAN access doesn't just block WAN, it blocks all routing.

Is this a bug? Shouldn't WAN access restrictions only block exiting from WAN?
For now I will have to use iptables to achieve the same.


DD-WRT v3.0-r43904 std (07/23/20)
ASUS RT-AC68U

[egc]

As your firewall rules are probably only containing private IP addresses there is no need to hide them.

I never used those access restrictions but I took a quick look and there is no out interface set so it seems to block more than just WAN access.

Just use your own rule to block:
https://wiki.dd-wrt.com/wiki/index.php/Iptables_command

I will transfer this thread to the appropriate forum (Advanced networking)

[kylehase]

Thanks for confirming how WAN restrictions are implemented. Given that it blocks more than just WAN, isn't that a bug?

In any case, I've used iptables to block output to ppp0 for those hosts.