Cisco Meraki Documentation

'Deny Local LAN' settings in Cisco Meraki MR firewall

Overview

The 'Deny Local LAN' function, located under Wireless > Configure > Firewall & traffic shaping, blocks access from wireless clients on specific SSIDs to the Local LAN. For the purposes of this firewall rule, Local LAN is defined as any destination in the following private address spaces:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

Note: DNS and DHCP traffic is exempt from this rule. If the SSID is in NAT mode, only DNS traffic is exempt since the AP acts as a DHCP server for connecting clients.

Note: When creating networks, the first SSID is auto-created using the Network's name. The default configuration of the SSID will be NAT mode (Wireless > Configure > Access Control > Client IP and VLAN) and a Deny Local LAN rule will be active (Wireless > Configure > Firewall & traffic shaping > Outbound rules).

If you intend to use the auto-created SSID for internal LAN clients, be sure to change the Layer 3 firewall rule to Allow Local LAN. Neglecting to do so will prevent clients from communicating with internal resources, including RADIUS servers.

A common usage for this would be the "guest SSID" scenario. Changing the Policy for traffic destined to the Local LAN from Allow to Deny prevents clients on the Guest SSID from accessing the LAN but still allows connections to the Internet. This feature can be used in both Bridge Mode and NAT Mode.

[Screenshot: Firewall & traffic shaping page in the Meraki Dashboard]

1. Navigate to Wireless > Configure > Firewall & traffic shaping

2. Select the SSID

3. Change the Policy for the row with Destination as Local LAN from Allow to Deny

4. Click Save Changes at the bottom of the page.

If the clients on this SSID need connectivity to other LANs within these subnets, you will need to configure an additional Layer 3 firewall rule that allows traffic to that subnet and order it above the Local LAN rule.

Additional Layer 3 Firewall Rules

Create additional Layer 3 firewall rules to manipulate traffic outbound from the SSID. The policy, protocol, destination, and port number must be defined. "Any" is a valid Protocol, Destination and/or Port.

[Screenshot: adding a Layer 3 firewall rule in the Meraki Dashboard]

1. Click Add a layer 3 firewall rule

2. Specify Policy, Protocol, Destination and Port Number

3. Click Save Changes at the bottom of the page.
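The following is an added example, not Meraki code, modelling the rule behaviour described above (the three Local LAN ranges, the DNS/DHCP exemption, and the requirement that subnet-specific allow rules sit above the Deny Local LAN rule) as a first-match evaluator plus an ordering check. The rule dict shape, the trailing implicit allow, and the guest-SSID rule set are assumptions constructed for the example.

```python
import ipaddress

# Added example (not Meraki's code): first-match model of an SSID's Layer 3 outbound
# rules as this page describes them. The rule dict shape is an assumption.
LOCAL_LAN = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DNS_PORT, DHCP_PORTS = 53, {67, 68}

def in_local_lan(dst_ip):
    """True if dst_ip falls inside the three private ranges the rule calls Local LAN."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net for net in LOCAL_LAN)

def rule_matches(rule, proto, dst_ip, dst_port, nat_mode):
    if rule["protocol"] != "any" and rule["protocol"] != proto:
        return False
    if rule["port"] != "any" and rule["port"] != dst_port:
        return False
    dest = rule["destination"]
    if dest == "Local LAN":
        # DNS is always exempt; DHCP only in bridge mode (in NAT mode the AP answers DHCP).
        if dst_port == DNS_PORT or (not nat_mode and dst_port in DHCP_PORTS):
            return False
        return in_local_lan(dst_ip)
    return dest == "any" or ipaddress.ip_address(dst_ip) in ipaddress.ip_network(dest)

def evaluate(rules, proto, dst_ip, dst_port, nat_mode=False):
    """Policy of the first matching rule; anything matching no rule is allowed."""
    for rule in rules:
        if rule_matches(rule, proto, dst_ip, dst_port, nat_mode):
            return rule["policy"]
    return "allow"

def shadowed_allows(rules):
    """Allow rules for private subnets listed below the Deny Local LAN rule can never
    match; the page says they must be ordered above it."""
    deny_idx = next((i for i, r in enumerate(rules)
                     if r["policy"] == "deny" and r["destination"] == "Local LAN"), None)
    return [] if deny_idx is None else [
        r["destination"] for r in rules[deny_idx + 1:]
        if r["policy"] == "allow" and r["destination"] not in ("any", "Local LAN")
        and in_local_lan(str(ipaddress.ip_network(r["destination"]).network_address))]

# Constructed guest-SSID rule set: a printer subnet allowed above the Local LAN deny.
GUEST_RULES = [
    {"policy": "allow", "protocol": "tcp", "destination": "10.10.50.0/24", "port": 9100},
    {"policy": "deny", "protocol": "any", "destination": "Local LAN", "port": "any"},
    {"policy": "allow", "protocol": "any", "destination": "any", "port": "any"},
]
```

Running `shadowed_allows` over an exported rule set is a quick way to catch an allow rule that was added below the Deny Local LAN row and therefore never takes effect.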
