The default settings allow access to the router's administration ports (SSH and HTTP/S) from all configured VLANs/WLANs.
If you don't want communication on a certain VLAN or WLAN, you can filter out access to its ports using the following script in the Firewall field of the Scripts menu:
iptables -t filter -I INPUT 1 -p tcp -m multiport -i br1 --dport 22,23,80,443 -j REJECT
The bridge number (“br1” in the example) represents the interface on which you want access disabled. Double check the Network menu to be certain. Avoid filtering on bridge “br0” to avoid locking out access to the router.
If you use non-standard port numbers, you can change the ports used above (22,80,443).
If you have multiple bridges or guest VLANs, you can add additional lines and change the relevant bridge interface names. The command will take effect as soon as the firewall script next runs.
You can force the command(s) to take effect manually by logging on to the router and typing the command: “service firewall restart” or by rebooting the device.