I am looking to slowly replace my WiFi access points.
I like the flexibility that OpenWRT provides and would be open to buying something like an MT6000 or AX1800.
One of the nice things that I would like to be able to do is to be able to log in to the admin account from a WAN connection but not from the LAN connection.
The reason for this is because the WAN is never going to be exposed directly to the Internet but is in fact a backbone LAN connection, from which I would like to be able to log in to admin from other PCs on that backbone. On the other hand I do not want to expose the Admin account to connections coming in on WiFi, as I consider WiFi connections to be less secure than the backbone LAN.
Is this something one can configure within the MT6000 or AX1800?
Yes, I want to access Admin from the WAN (not the Internet, merely PCs sitting on the WAN before it gets to the Internet router), and I know most systems will allow that easily enough. The additional factor is that I want to block access to Admin from WiFi, and it is this latter part that is not always available.
All the steps above will be enough to get it working - but there is no nice switch inside the GUI to allow it. So adjusting the firewall in LuCI is definitely necessary.
Basically it consists of creating a new interface via luci -> network -> interfaces in luci with a different range and firewall zone, and then point wifi to this interface via luci -> network -> wireless, and you need to forward the new firewall zone to wan.
Then you can just block access through the firewall towards the router. You can do that as well with a traffic rule, which looks like:
src: wlan0 (this is the new zone from the other interface)
dest: this device
target: reject
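The steps in the reply above, written out as OpenWrt UCI configuration (an added example, not part of the original posts or GL-iNet's own configuration). The interface name `wifinet`, zone name `wifi`, the 192.168.20.0/24 range and the admin ports (22 for SSH, 80/443 for LuCI) are assumptions. Rejecting all input from the WiFi zone also cuts off DHCP and DNS served by the router, so those two are allowed explicitly.

```uci
# /etc/config/network: separate interface for WiFi clients (constructed range)
config interface 'wifinet'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp: leases for the new range
config dhcp 'wifinet'
	option interface 'wifinet'
	option start '100'
	option limit '150'

# /etc/config/wireless: in each existing wifi-iface section change only
#	option network 'wifinet'

# /etc/config/firewall: input REJECT = WiFi clients cannot reach the router itself
config zone
	option name 'wifi'
	list network 'wifinet'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'wifi'
	option dest 'wan'

# Rules without a 'dest' option match traffic addressed to this device
config rule
	option name 'Allow-WiFi-DHCP'
	option src 'wifi'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-WiFi-DNS'
	option src 'wifi'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# Admin access from the backbone (wan zone) only
config rule
	option name 'Allow-Backbone-Admin'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22 80 443'
	option target 'ACCEPT'
```

After applying, a login attempt to 192.168.20.1 from a WiFi client should be refused while the same attempt from a backbone PC to the WAN address succeeds.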
As I said in my original post, I have not yet purchased the new devices (there are other GL-iNet devices I have purchased for other use cases, but this is yet to be a future purchase). At present I just wanted to assure myself there was a path to achieving what I desired (even if maybe not as simple as I would have wished for), and may well be asking more questions after the purchase as to the implementation details.