Hi,
I have a Flint 2 as main router and an MT3000 connected to it.
I'm using the MT3000 for guests and want to block traffic from the MT3000 to the internal IP on the Flint 2.
I'm currently using this rule but it's not working. Can anyone help me troubleshoot the issue? Thanks
That will only block traffic from the MT3000 itself, which is not going to block guests (unless the MT3000 NATs all traffic so that it appears from 192.168.1.162).
Personally, I would make a new bridge interface and remove the lanN devices that are used for guests (such as the lan device/port to which the MT3000 is connected) from the standard lan bridge and move them to this new guest bridge. Then the guest bridge can have its own firewall zone and rules. (You could accomplish something similar with VLANs, but since it's at the device/port granularity, just moving them to a different bridge is much simpler.)
As an aside: in your rule you have set the destination zone to lan, but you can also set it to device, which is the MT6000 itself; then you don't have to set the IP address. Also, 192.168.1.1/24 is probably not what you want.
Turn destination zone to wan on the MT3000, not the Flint 2.
The Flint 2 has no control over subclients; it only sees traffic originating from the MT3000.
Though if you want the clients visible on the Flint 2, you want to look into VLANs; in some situations you want that, but often for complex/advanced setups.
I think you are now fine with the rule on the MT3000.