Some months ago I configured an OpenWrt WiFi router behind a Fritz!Box. A friend of mine told me that, while connected to the OpenWrt guest WiFi, he was able to reach other network clients outside of the guest network.

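The behavior is quite clear after a minute of reflection. The Fritz!Box is connected to the WAN port of the OpenWrt router ;) From OpenWrt's point of view the whole Fritz!Box LAN therefore belongs to the 'wan' zone, so a guest network that is allowed to forward to 'wan' can also reach the clients behind the Fritz!Box.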

firewall configuration

With the following zone configuration I was able to block the traffic from the OpenWrt guest network to the Fritz!Box network.

Edit the firewall configuration with `nano /etc/config/firewall`:

# Guest zone 'public'.
# input REJECT:   guests cannot reach services on the router itself unless a
#                 rule without 'dest' allows it.
# forward REJECT: routed guest traffic is rejected unless a forwarding or a
#                 rule allows it.
# output ACCEPT:  traffic from the router towards guests is allowed.
# NOTE(review): the zone is bound to the interface named 'public', which must
# be defined in /etc/config/network (not shown here).
# NOTE(review): traffic between two clients on the same guest WiFi is bridged
# and presumably never passes these rules; client isolation would be a
# wireless setting ('option isolate') - confirm it is enabled if wanted.
config zone
	option name 'public'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'
	option network 'public'

# Zone-level forwarding public -> wan.
# NOTE(review): as far as I know, traffic rules are evaluated before zone
# forwardings, so this only applies to traffic that no rule matched. With the
# final 'Deny Guest on WAN' rule in this file nothing should reach it, but if
# that rule is ever removed this forwarding allows ALL guest traffic to wan
# (fail-open). Confirm whether this section is still needed.
config forwarding
	option src 'public'
	option dest 'wan'

# The two rules below have 'src' but no 'dest', so they match traffic addressed
# to the router itself. They are required because the 'public' zone uses
# input 'REJECT'.

# Let guests obtain a lease from the router's DHCP server (UDP, source and
# destination port both within 67-68).
config rule
	option src 'public'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'
	option name 'Allow DHCP request'

# Let guests use the router as DNS resolver (port 53 over TCP and UDP).
# Port 53 towards wan is not among the allowed ports in this file, so guests
# depend on the router for name resolution.
config rule
	option src 'public'
	option dest_port '53'
	option proto 'tcpudp'
	option target 'ACCEPT'
	option name 'Allow DNS Queries'

# Reject guest traffic (any protocol, IPv4) that is forwarded to wan with a
# destination inside the Fritz!Box LAN 192.168.178.0/24.
# This rule must stay ABOVE the per-port 'Allow Guest on WAN ...' rules:
# rules are matched in order, and those would otherwise accept ports such as
# 80/443 towards Fritz!Box clients.
# NOTE(review): the subnet is hard-coded. If the upstream network is
# renumbered, or other private subnets are reachable behind the WAN port,
# they are not covered - verify against the actual upstream addressing.
# NOTE(review): this rule is IPv4-only, while the allow rules further down
# carry no 'family' option. If guests receive IPv6 connectivity, upstream LAN
# hosts may be reachable over IPv6 on the allowed ports. Confirm, and if so
# add an equivalent rule with family 'ipv6' and dest_ip set to the upstream
# prefix (<UPSTREAM_IPV6_PREFIX>, placeholder).
config rule
	option src 'public'
	option name 'Deny FritzBox Network'
	option dest 'wan'
	list dest_ip '192.168.178.0/24'
	option target 'REJECT'
	list proto 'all'
	option family 'ipv4'

# Silently drop all guest traffic towards the OpenWrt 'lan' zone.
# The zone's forward policy is already REJECT and this file defines no
# forwarding public -> lan, so this is an explicit second line of defence.
config rule
	option src 'public'
	option dest 'lan'
	option name 'Deny Guest on LAN'
	option proto 'all'
	option target 'DROP'

# Allow-list of TCP services guests may reach on wan. Everything not listed
# here is dropped by the final 'Deny Guest on WAN' rule.
# These rules rely on 'Deny FritzBox Network' being evaluated first;
# otherwise the same ports would be open towards 192.168.178.0/24.
# None of them sets 'family', so they presumably apply to IPv4 and IPv6.

# Web: HTTP (80)
config rule
	option target 'ACCEPT'
	option src 'public'
	option dest 'wan'
	option name 'Allow Guest on WAN http'
	option proto 'tcp'
	option dest_port '80'


# Web: HTTPS (443)
config rule
	option target 'ACCEPT'
	option src 'public'
	option dest 'wan'
	option name 'Allow Guest on WAN https'
	option proto 'tcp'
	option dest_port '443'

# Mail retrieval: POP3 (110).
# NOTE(review): port 110 carries credentials in cleartext unless the client
# negotiates STARTTLS; consider whether only 995 should be offered to guests.
config rule
	option target 'ACCEPT'
	option src 'public'
	option dest 'wan'
	option name 'Allow Guest on WAN pop3'
	option proto 'tcp'
	option dest_port '110'

# Mail retrieval: POP3 over TLS (995)
config rule
	option target 'ACCEPT'
	option src 'public'
	option dest 'wan'
	option name 'Allow Guest on WAN pop3s'
	option proto 'tcp'
	option dest_port '995'

# Mail retrieval: IMAP (143).
# NOTE(review): same cleartext caveat as POP3 on port 110.
config rule
	option target 'ACCEPT'
	option src 'public'
	option dest 'wan'
	option name 'Allow Guest on WAN imap'
	option proto 'tcp'
	option dest_port '143'

# Mail retrieval: IMAP over TLS (993)
config rule
	option target 'ACCEPT'
	option src 'public'
	option dest 'wan'
	option name 'Allow Guest on WAN imaps'
	option proto 'tcp'
	option dest_port '993'

# Mail submission (587). Despite the rule name, port 25 is not opened.
config rule
	option target 'ACCEPT'
	option src 'public'
	option dest 'wan'
	option name 'Allow Guest on WAN smtp'
	option proto 'tcp'
	option dest_port '587'

# Catch-all: silently drop every other protocol and port from guests to wan,
# including ICMP (ping).
# This rule must remain the LAST guest -> wan rule; any ACCEPT rule placed
# after it would never match. It is also what keeps the zone-level
# 'config forwarding' public -> wan from acting as an allow-all.
config rule
	option src 'public'
	option dest 'wan'
	option name 'Deny Guest on WAN'
	option proto 'all'
	option target 'DROP'