Specifically, look under “Firewall zones” and “Interface and Firewall overview”
The line that particularly caught my eye was “Traffic from the lan zone is only allowed to exit masqueraded through the ipr zone. Masquerading on the wan zone is disabled.”
There is only one forward rule like this. No data is forwarded to WAN, so this is how data will not go to WAN. If you don’t check “force vpn” in our web UI, data will masquerade in WAN.
config forwarding
    option dest 'ipr'
    option src 'lan'
Masquerading is necessary for NAT, so that is why WAN has to enable masquerading.
Don’t enable ACCEPT in WAN. If you enable ACCEPT, it means the router can accept connections from the WAN, e.g. 22 or Samba. That means all ports are open in WAN and your router is at serious risk.
Think about the “WannaCry” virus this week. It will try to use the Samba port and spread itself. If you have a router above your PC, you should not be affected.
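The two conditions discussed above (no ACCEPT on the wan zone's input, and lan forwarded only to the ipr zone when VPN is forced) can be checked offline against a copy of an OpenWrt-style `/etc/config/firewall`. This is an added example, not part of the original posts or the vendor's code; the sample config is constructed, the function names are hypothetical, and the zone names wan, lan and ipr are taken from the text quoted above.

```python
import shlex

# Constructed sample in UCI syntax (deliberately misconfigured); not from a real router.
SAMPLE = """
config zone
    option name 'wan'
    option input 'ACCEPT'
    option masq '1'

config zone
    option name 'ipr'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'ipr'

config forwarding
    option src 'lan'
    option dest 'wan'
"""

def parse_uci(text):
    """Return [(section_type, {option: value})]; 'list' lines and defaults are ignored."""
    sections = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)  # handles quotes and '#' comments
        if len(tokens) >= 2 and tokens[0] == "config":
            sections.append((tokens[1], {}))
        elif len(tokens) >= 3 and tokens[0] == "option" and sections:
            sections[-1][1][tokens[1]] = tokens[2]
    return sections

def audit(text, wan="wan", lan="lan", vpn="ipr"):
    """Flag WAN input ACCEPT and any lan forwarding that bypasses the VPN zone."""
    findings = []
    for stype, opts in parse_uci(text):
        if (stype == "zone" and opts.get("name") == wan
                and opts.get("input", "").upper() == "ACCEPT"):
            findings.append("wan-input-accept")
        if stype == "forwarding" and opts.get("src") == lan and opts.get("dest") != vpn:
            findings.append(f"lan-forward-to-{opts.get('dest')}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result means the config matches the forced-VPN layout described above; a `lan-forward-to-wan` finding is expected when “force vpn” is not checked.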