The 'Deny Local LAN' function located under Configure > Firewall & traffic shaping blocks access from Wireless clients on specific SSIDs to the Local LAN. For the purposes of this firewall rule, Local LAN is described as any destinations in the following private address spaces:
Note: DNS and DHCP traffic is exempt from this rule. If the SSID is in NAT mode, only DNS traffic is exempt since the AP acts as a DHCP server for connecting clients.
A common usage for this would be the "guest SSID" scenario. Changing the Policy for traffic destined to the Local LAN from Allow to Deny prevents clients on the Guest SSID from accessing the LAN but still allows connections to the Internet. This feature can be used in both Bridge Mode and NAT Mode.
1. Navigate to Configure > Firewall & Traffic Shaping
2. Select the SSID
3. Change the Policy for the row with Destination as Local LAN from Allow to Deny
4. Click Save Changes at the bottom of the page.
If the clients on this SSID need connectivity to other LANs on these subnets you will need to configure an additional Layer 3 firewall rule to allow traffic to that subnet and order it above the Local LAN rule.
Additional Layer 3 Firewall Rules
Create additional Layer 3 firewall rules to manipulate traffic outbound from the SSID. The policy, protocol, destination, and port number must be defined. "Any" is a valid Protocol, Destination and/or Port.
1. Click Add a layer 3 firewall rule
2. Specify Policy, Protocol, Destination and Port Number
3. Click Save Changes at the bottom of the page.