Flint 2 on 4.5.8 here. I noticed that the Guest Network has access to zones it probably shouldn't have access to by default. I.e. Guests have access to LAN and all VPN zones (even those added later), instead of just WAN.
In my opinion, most owners of a router would want the guest network to not only be isolated from other guest clients (AP isolation, which I have turned on) but also be isolated from all zones other than WAN.
Even worse, the only way to change this is through LuCI, which the average user won't go to.
Perhaps this either merits a change in default behavior or another checkbox next to AP Isolation called "Isolate from all other zones".
Guest Wi-Fi is isolated from the normal Wi-Fi and LAN by default. Other zones, if you create them manually, might not be affected, because you manually changed the configuration.
So either you found a bug (unlikely) or there is some configuration issue with your device.
Thanks for the response! Out of the box, the guest network also had access to LAN, which I had to remove manually in the LuCI firewall settings. When I later added an OpenVPN Client and WireGuard Client connection in the GL.iNet UI, access to those was also granted to the Guest network by default, which in my opinion should not have happened.
Then when I added VPN Clients, they also showed up under guest, just like in your screenshot.
Why would I want guest networks by default routed through a VPN client connection? That VPN connection may be a sensitive remote LAN of mine that also should be off limits to guests.
Either way, I propose a checkbox in the Guest Network configuration to say "isolate from all other zones" or something like that, so that no one has to go into LuCI to verify what zones guests have access to.
Edit: I misremembered regarding guests having access to LAN, my bad. It was the other way around: LAN didn't have access to the Guest network, which I had to change in LuCI. I apologize for this particular non-issue. This was important for me, as I had my IoT devices on the Guest network and needed access to them from LAN.
My other recommendation regarding giving a choice in the GL.iNet UI to not give guests access to other zones besides WAN is still something I think is a good idea.
Also, I've set up VPN to my home network in the native UI as VPN Policy Based on the VLAN and ticked "Enable VPN" only for the "Private" VLAN. The guest is unable to reach my home network. How is it possible that it's allowed into LAN?
One note: VPN client has "Remote Access LAN" enabled, so my home network can talk to Beryl LAN. I was thinking that maybe somehow it goes guest -> home network via VPN -> LAN, but traceroute shows that there's only 1 hop in between: the guest interface of Beryl. Also, it wouldn't make sense since guest cannot into VPN...
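
Added example, not part of the thread and not GL.iNet's own code: a shell check that lists every firewall forwarding from the guest zone to a zone other than WAN, reading text in the format printed by `uci show firewall` on OpenWrt. The zone names `guest`, `wan`, `wgclient` and `ovpnclient` and the section names in the sample are assumptions; the sample input is constructed.

```shell
#!/bin/sh
# Report forwardings whose source is the guest zone and whose destination
# is anything other than WAN. Reads `uci show firewall` text on stdin.
# $1 = guest zone name (assumed default: guest)
# $2 = WAN zone name   (assumed default: wan)
guest_forwardings() {
    awk -v guest="${1:-guest}" -v wan="${2:-wan}" -v q="'" '
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(q, "", val)                  # uci quotes option values
        n = split(key, part, ".")
        if (part[1] != "firewall") next
        sec = part[2]                     # named or @forwarding[N]
        if (n == 2) { type[sec] = val; order[++count] = sec }
        else if (part[3] == "src")  src[sec]  = val
        else if (part[3] == "dest") dest[sec] = val
    }
    END {
        for (i = 1; i <= count; i++) {
            s = order[i]
            if (type[s] == "forwarding" && src[s] == guest && dest[s] != wan)
                print src[s] " -> " dest[s] " (" s ")"
        }
    }'
}

# Constructed sample input; not taken from a real device.
sample_firewall() {
    cat <<'EOF'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.guest_wan=forwarding
firewall.guest_wan.src='guest'
firewall.guest_wan.dest='wan'
firewall.guest_wgclient=forwarding
firewall.guest_wgclient.src='guest'
firewall.guest_wgclient.dest='wgclient'
firewall.guest_ovpnclient=forwarding
firewall.guest_ovpnclient.src='guest'
firewall.guest_ovpnclient.dest='ovpnclient'
EOF
}

sample_firewall | guest_forwardings
```

On the router itself, `uci show firewall | guest_forwardings` runs the same check against the live configuration; an empty result means no guest forwarding to a non-WAN zone is configured.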