So I've successfully configured a virtual wireless SSID/Guest wifi network. By putting it on it's own VLAN, a device on that wifi LAN can't access any devices on the main network br0. With one exception, you can still access the IP of the router itself. Since my guest wifi password isn't super strong (to make it easy for people to type), I feel like I'm exposed as my router password is also fairly simple since it's behind my firewall. I know, I could make the passwords more complicated, but I know I can solve this. I'd like to create an access restriction for any device in the guest wifi range, in this case 192.168.111.1-192.168.111.50 (the dhcp range) from accessing the IP of the router on the other LAN. Basically I'd want it to just drop the request and do nothing (timeout). I've tried a bunch of rules, but none seem to work. I'm not sure if I'm doing something wrong, or perhaps it's just a bug in the firewall for Tomato. Any ideas? Thanks!