So I'm new to the forums, but have been lurking on and off for a while and have been using Tomato for a few years too. This is the first time I've needed the functionality of VLANs and have already set one up on my RT-N16 running a Shibby mod of Tomato and it seems to be working as designed. I set it up like this:

1. In Basic->Network I have br0 as 192.168.11.0 and br1 as 192.168.22.0 with DHCP enabled on both but for the range of one IP only for br1.
2. In Advanced->VLAN I have VID 0 as port 2-4 checked with br0 assigned, VID 1 as WAN checked with WAN assigned, and VID 2 as port 1 checked with br1 assigned.

Port 1 (br1) is connected to another router's WAN port running Tomato as the guest wireless network, it gets an IP assigned by the RT-N16 and has a basic setup on it. Everything is working as it should, where the guest router gets internet access but nothing else. I can ping the RT-N16 from both sides as well, so I tried to disable that on the guest router by adding these iptables rules to the firewall script page (some rules for denying too many connections are there as well):

Code:
iptables -I FORWARD -p tcp -s 192.168.22.0/24 -m connlimit --connlimit-above 50 -j DROP
iptables -I FORWARD -p ! tcp -s 192.168.22.0/24 -m connlimit --connlimit-above 25 -j DROP
iptables -I INPUT -p udp -m multiport --dports 53,67 -j ACCEPT
iptables -I INPUT -i br1 -d 192.168.11.1 -j DROP
iptables -I INPUT -i br1 -d 192.168.22.1 -j DROP

I haven't had a chance to test them out yet, but I don't think those might have a problem.

So, my QUESTION is: How and what rule can I add to be able to access the guest router from br0 (the default LAN on the RT-N16), but not let br1 have any other access than it already does? I'd like to be able to manage the guest router from br0.
I assume an iptables rule would work, but I tried these 2 rules that I found elsewhere in the firewall script (not at the same time), and they didn't do anything (192.168.22.2 is the guest router's IP):

Code:
iptables -I FORWARD -p tcp -o br0 -d 192.168.22.2 -m state --state NEW -j ACCEPT

OR

Code:
iptables -I FORWARD -p tcp -i br0 -s 192.168.11.0/24 -o br1 192.168.22.2 -j ACCEPT

The second rule didn't even show up in the iptables. Any help would be appreciated, iptables are a bit foreign to me.
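
An added example, not part of the original post: one way to write the br0-to-guest-router management rule for the firewall script, naming both interfaces and giving the destination with `-d` (`-i br0 -o br1 ... -d 192.168.22.2`), so that only br0 can open connections and br1 can only answer them. The management ports, the explicit reply rule, the `IPT` dry-run switch, and the guest router accepting admin connections on its WAN-side address are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Addresses and bridge names are the ones given in the post.
LAN_IF=br0
LAN_NET=192.168.11.0/24
GUEST_IF=br1
GUEST_RTR=192.168.22.2
# Assumption: the guest router is managed over HTTP, HTTPS or SSH.
MGMT_PORTS=80,443,22

# Dry run by default: each rule is printed instead of applied.
# Assumption: set IPT=iptables in the environment to apply the rules.
IPT=${IPT:-"echo iptables"}

guest_mgmt_rules() {
    # br0 -> guest router: allow NEW connections to the management ports
    # only. The packet enters on br0 and leaves on br1, so both interfaces
    # are named and the destination is passed with -d.
    $IPT -I FORWARD -i "$LAN_IF" -o "$GUEST_IF" \
        -s "$LAN_NET" -d "$GUEST_RTR" \
        -p tcp -m multiport --dports "$MGMT_PORTS" \
        -m state --state NEW -j ACCEPT

    # guest router -> br0: allow replies to those connections only.
    # No NEW state here, so br1 still cannot open connections into br0.
    $IPT -I FORWARD -i "$GUEST_IF" -o "$LAN_IF" \
        -s "$GUEST_RTR" -d "$LAN_NET" \
        -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
}

guest_mgmt_rules
```

Run as-is to review the two generated rules; `iptables -L FORWARD -v -n` on the RT-N16 shows per-rule packet counters once they are applied.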