Spitz AX don't want to burn through 5G quota

I've searched google and these forums and I haven't been able to find an answer for this.

I have a GL-X3000 Spitz AX router. Is there a way to setup the 5G/cellular WAN interface for access to the WireGuard client and external management interface access only. I.e. LAN clients are blocked from accessing the 5G/cellular WAN.

What I'm trying to setup is:

-The Wi-Fi repeater is the primary WAN, LAN clients can access this, the WireGuard client and the management interface can also be accessed externally through this.
-If the Wi-Fi repeater goes down, I want it to fail over to the 5G/cellular WAN however, because it only has a small amount of data quota. I want to only use it to connect to the Management interface externally (via the WireGuard client) so I can remote in and trouble shoot the Wi-Fi repeater. I don't want any LAN clients to use the 5G/cellular WAN as they would quickly use up all of the limited 5G quota.

Please let me know if there is a way to set this up?

Hi,

If you don't want LAN access to 5G/cellular-wan, try adding this rule in Luci > Network > Firewall > Custom Rule: iptables -I FORWARD -i br-lan -o wwan0 -j REJECT

"wwan0" is the name of the cellular interface and needs to be replaced according to actual conditions.

Thanks Bruce, will this still allow 5G/cellular-wan access to the web interface of the router?

Yes it is

I tried adding the custom rule: iptables -I FORWARD -i br-lan -o rmnet_mhi0 -j REJECT and it blocks LAN clients from accessing the internet when 5G/cellular-wan is active which is good, however, LAN clients can still access the WireGuard client tunnel.

I think this would need a combined rule where 'if' connected to 5G/cellular-wan block access to the WireGuard tunnel interface? With an exception to let the router web interface through.