GL-MT2500 - VPN Server - How to block access to internal network

How to block access to internal network from vpn clients?

The option “Allow Remote Access LAN” It doesn’t do anything, it’s irrelevant whether it’s on or off.

What am I doing wrong?

It is connected to a Unifi Dream Machine Pro.

You can set the INPUT of the corresponding Zone to DROP in the LUCI->Network->Firewall

I have the Bruma 2 connect to a Unifi Dream Machine Pro vi wan port.
Dont have a LUCI.
I can put a rule in the Bruma 2 firewall to block vpn users from access my network and just get access to net?

What I like to do if possible is allow same users to the internal network and others just to use the IP to get net access.