hmm, you sure you misremembered? Because I have a brand new Beryl AX, I did not mess with firewall in LuCI, the rules look like this:
but somehow, guest is able to ping lan clients...
Also, I've set up VPN to my home network in the native UI as VPN Policy Based on the VLAN and ticked "Enable VPN" only for the "Private" VLAN . The guest is unable to reach my home network. How is it possible that it's allowed into lan?
One note: VPN client has "Remote Access LAN" enabled, so my home network can talk to beryl lan. I was thinking that maybe somehow it goes guest -> home network via vpn -> lan, but traceroute shows that there's only 1 hop in between: the guest interface of Beryl. Also, it wouldn't make sense since guest cannot into VPN...