====== Disable Administrative Access (SSH/GUI) to Guest VLAN/WLAN ====== The default settings allow access to the router's administration ports (SSH and HTTP/S) from all configured VLANs/WLANs. If you don't want communication on a certain VLAN or WLAN, you can filter out access to its ports using the following script in the //Firewall// field of the [[https://wiki.freshtomato.org/doku.php/admin-scripts|Scripts]] menu: \\ \\ iptables -t filter -I INPUT 1 -p tcp -m multiport -i br1 --dport 22,23,80,443 -j REJECT \\ \\ The bridge number ("br1" in this example) represents the interface on which you want access disabled. Double check the [[basic-network|Network]] menu to be certain. **Avoid filtering on bridge "br0"** to avoid locking out access to the router. If you use non-standard port numbers, you can change the port numbers above from the standard ones (typically: 22,80,443). If you have multiple bridges or guest VLANs, you can add additional lines and change the relevant bridge interface names. The command will take effect as soon as the next run of the firewall script. You can force the command(s) to take effect manually by logging on to the router and typing the command: "//service firewall restart" //or by rebooting the device. \\ \\