
Re: Prevent/restrict access to the router from subnet.

Two ideas for you:

 

Idea one, here's what I do to prevent access to other local subnets:

- Create a ruleset for inbound traffic, here's mine for two guest subnets

 

vlan_in.PNG

- copy my rules (I know that the ruleset above has 6 but only the first three are relevant)

rules.PNG

 - create the network group that you see above before you create the rules above ... any networks that you enter in the group will not be reachable from any networks (VLANs) that have this ruleset on their interface on the inbound direction.

 

Did that make sense?

 

Here are the details of the rules ... only the parts that aren't visible above are shown:

rules 1.PNG

 

rules 2.PNG

 - Idea two, instead of the rules above, put only one in the ruleset. This rule would drop traffic to a destination Address Group. The Address Group should contain all of the gateway IPs that would allow access to your router.

 

 Idea one is tested.  I use it to isolate guest vlans from the rest of the network and only allow internet access.  Idea two will only prevent access to the router but not other hosts on other vlans.

 

 

 

