Blocking admin access via VPN

I have a GL-AR300M16 (AKA SHADOW)
I setup up a wireguard VPN SERVER. So, now for example I can use my phone to access devices in my home (such as a camera or PVR)

However I realise I can also access the Web Console of the Router. This means anybody who gets into my VPN can promptly reconfigure the router.

It would seem the easy way to stop this would be to change the firewall rules. Specifically the INPUT chain of the iptables, such that INPUT would only goto ACCEPT if the source were the LAN/WLAN …anyhow NOT WIREGUARD.

Now the SHADOW box has a GUI FIREWALL config. It looked straightforward. There is a page “Firewall - Zone Settings” with 4 zones


So I all needed to do was turn off the “input=accept” pulldown …so traffic from wireguard will be forwarded (to LAN or WAN) but won’t be accepted (locally) on the “shadow” box. I can do this but as soon as I select save&apply it get reset to “accept”.

I’m guessing there is some kind of sanity check being applied an my rule is being reset. I can love with doing this another way, I just need to block wireguard traffic from access to the Shadow box.