I'm running Shibby's latest Tomato build and am seriously impressed with the project, it's simply awesome. As part of my configuration I've set up two SSIDs for guest wireless access, one is on 192.168.254.x (Guest Wireless LAN1(br1)) and the other is on 192.168.1.x (Main LAN LAN(br0)).

3 VLANs are configured:
1 bridged to LAN (br0)
2 bridged to WAN
3 bridged to LAN1 (br1)

Wireless bridge settings are as follows:
Bridge eth1 to LAN(br0)
Bridge wl0.3 to LAN1(br1)

Essentially I want br0 to have access to everything but br1 to only have basic internet access, particularly I don't want br1 to gain any form of access to br0, e.g. a 192.168.254.x address shouldn't be able to ping 192.168.1.22 ... thing is, it does, even with the following iptables rule entries in.

Code:

    # Removes Guest Access To Physical Network
    iptables -I FORWARD 1 -i br1 -o br0 -m state --state NEW -j DROP
    iptables -I FORWARD 2 -i br0 -o br1 -m state --state NEW -j DROP

    # Removes guest access to the router config
    iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

    # Allow br1 to access http/https to internet
    iptables -I FORWARD 3 -i br1 -p tcp -m multiport --dports 80,443 -j ACCEPT
    iptables -I FORWARD 4 -i br1 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Drop everything else on br1
    iptables -I FORWARD 5 -i br1 -j DROP

If I connect on the br1 guest wifi access with my mobile I get the correct DHCP allocated address, but I can ping out from Net Analyzer Lite to a 192.168.1.x address. What's strange is that if I do the same, but from a Windows machine, I don't get a reply when pinging the mobile.

Do the above iptables look okay? Am I missing something?
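A first-match model of the rules in the post, added here as an illustration (it is not part of the original post and is not iptables itself). It assumes all five `-I FORWARD n` inserts succeed, that the router holds 192.168.1.1 and 192.168.254.1, and that the WAN interface is called `wan`; the guest address and sample packets are constructed.

```python
from ipaddress import ip_address

# Assumed router addresses on br0 and br1 (not stated in the post).
ROUTER_IPS = {ip_address("192.168.1.1"), ip_address("192.168.254.1")}

# (in_if, out_if, proto, dports, states, target); None means "any".
# FORWARD as it stands if the five "-I FORWARD n" inserts all succeed.
FORWARD = [
    ("br1", "br0", None, None, {"NEW"}, "DROP"),
    ("br0", "br1", None, None, {"NEW"}, "DROP"),
    ("br1", None, "tcp", {80, 443}, None, "ACCEPT"),
    ("br1", None, None, None, {"ESTABLISHED", "RELATED"}, "ACCEPT"),
    ("br1", None, None, None, None, "DROP"),
]
# INPUT: each -I without an index lands at position 1, so the order is reversed.
INPUT = [("br1", None, "tcp", {p}, None, "REJECT") for p in (443, 80, 22, 23)]

# Constructed sample packets ("wan" is a placeholder interface name).
GUEST = "192.168.254.50"
PING_LAN = {"in": "br1", "out": "br0", "dst": "192.168.1.22", "proto": "icmp", "state": "NEW"}
PING_ROUTER = {"in": "br1", "dst": "192.168.1.1", "proto": "icmp", "state": "NEW"}
PING_FROM_LAN = {"in": "br0", "out": "br1", "dst": GUEST, "proto": "icmp", "state": "NEW"}
WEB_OUT = {"in": "br1", "out": "wan", "dst": "203.0.113.10", "proto": "tcp", "dport": 443, "state": "NEW"}

def verdict(pkt):
    """Return (chain, rule_number, target) for the first posted rule that matches."""
    # Traffic addressed to the router itself traverses INPUT, never FORWARD.
    local = ip_address(pkt["dst"]) in ROUTER_IPS
    chain_name, chain = ("INPUT", INPUT) if local else ("FORWARD", FORWARD)
    for num, (in_if, out_if, proto, dports, states, target) in enumerate(chain, 1):
        if in_if and pkt["in"] != in_if:
            continue
        if out_if and pkt.get("out") != out_if:
            continue
        if proto and pkt["proto"] != proto:
            continue
        if dports and pkt.get("dport") not in dports:
            continue
        if states and pkt["state"] not in states:
            continue
        return chain_name, num, target
    return chain_name, None, None  # falls through to rules not shown in the post

if __name__ == "__main__":
    for name in ("PING_LAN", "PING_ROUTER", "PING_FROM_LAN", "WEB_OUT"):
        print(name, verdict(globals()[name]))
```

On the router, `iptables -L FORWARD -v -n --line-numbers` shows the real rule order and per-rule packet counters to compare against this model.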