@mtongnz
Created April 20, 2020 12:32
#!/bin/sh
# Guest network isolation for a router with two bridges: br0 = private LAN, br1 = guest.
# Note: `iptables -I` inserts at the TOP of the chain, so within each group below the
# last rule written is evaluated first (the accepts end up above the rejects).
PORT_DHCP="67"
PORT_DNS="53"
SHINOBI_IP="192.168.9.10"
STATE_NEW="-m state --state NEW"
REJECT="REJECT --reject-with icmp-host-prohibited"
REJECT_TCP="REJECT --reject-with tcp-reset"
# limit guests to essential router services (icmp echo/reply, dhcp, dns)
# (the icmp rule as written accepts all ICMP types, not only echo/reply)
iptables -I INPUT -i br1 $STATE_NEW -j $REJECT
iptables -I INPUT -p tcp -i br1 $STATE_NEW -j $REJECT_TCP
iptables -I INPUT -p icmp -i br1 -j ACCEPT
iptables -I INPUT -p tcp -i br1 --dport $PORT_DNS -j ACCEPT
iptables -I INPUT -p udp -i br1 --dport $PORT_DNS -j ACCEPT
iptables -I INPUT -p udp -i br1 --dport $PORT_DHCP -j ACCEPT
# deny access to private network by guests (internet only)
iptables -I FORWARD -i br1 -o br0 $STATE_NEW -j $REJECT
iptables -I FORWARD -p tcp -i br1 -o br0 $STATE_NEW -j $REJECT_TCP
# deny access to guests by private network (optional)
iptables -I FORWARD -i br0 -o br1 $STATE_NEW -j $REJECT
iptables -I FORWARD -p tcp -i br0 -o br1 $STATE_NEW -j $REJECT_TCP
# allow access to Shinobi in both directions (position 1 = above the rejects inserted earlier)
iptables -I FORWARD 1 -d $SHINOBI_IP -j ACCEPT
iptables -I FORWARD 1 -s $SHINOBI_IP -j ACCEPT
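Because `iptables -I` prepends, the chain the router ends up with is the reverse of the script's order, and the first matching rule wins. The following is an added model (not the gist's code) that rebuilds both chains with that insert semantics and shows the effective verdict for representative guest traffic; interface names, the Shinobi IP and the ports come from the gist, while the packet addresses and ports used as samples are constructed values.

```python
# Added model of the gist's INPUT/FORWARD chains: iptables -I prepends, so the
# script's last line is matched first; first match wins. Sample packets are
# constructed values; fields are simplified (no real connection tracking).
SHINOBI_IP = "192.168.9.10"   # from the gist

def insert(chain, rule):
    chain.insert(0, rule)     # iptables -I <chain> [1]: new rule goes on top

def matches(rule, pkt):
    # criteria the rule omits (no -p, no --dport, no state match) match anything
    return all(pkt.get(k) == v for k, v in rule.items() if k != "target")

def verdict(chain, pkt):
    # first match wins; None = no gist rule fired, the router's other rules decide
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return None

def pkt(i, proto, dport=None, o=None, src="192.168.9.50", dst="192.168.1.1", state="NEW"):
    return dict(i=i, o=o, proto=proto, dport=dport, src=src, dst=dst, state=state)

INPUT, FORWARD = [], []
# inserted in script order, so the list order equals the router's final order
insert(INPUT, dict(i="br1", state="NEW", target="REJECT"))
insert(INPUT, dict(i="br1", proto="tcp", state="NEW", target="REJECT_TCP"))
insert(INPUT, dict(i="br1", proto="icmp", target="ACCEPT"))
insert(INPUT, dict(i="br1", proto="tcp", dport=53, target="ACCEPT"))
insert(INPUT, dict(i="br1", proto="udp", dport=53, target="ACCEPT"))
insert(INPUT, dict(i="br1", proto="udp", dport=67, target="ACCEPT"))
insert(FORWARD, dict(i="br1", o="br0", state="NEW", target="REJECT"))
insert(FORWARD, dict(i="br1", o="br0", proto="tcp", state="NEW", target="REJECT_TCP"))
insert(FORWARD, dict(i="br0", o="br1", state="NEW", target="REJECT"))
insert(FORWARD, dict(i="br0", o="br1", proto="tcp", state="NEW", target="REJECT_TCP"))
insert(FORWARD, dict(dst=SHINOBI_IP, target="ACCEPT"))   # -I FORWARD 1 -d
insert(FORWARD, dict(src=SHINOBI_IP, target="ACCEPT"))   # -I FORWARD 1 -s

def guest_policy():
    """Effective outcome for representative packets (constructed samples)."""
    return {
        "dhcp_to_router": verdict(INPUT, pkt("br1", "udp", 67)),
        "dns_to_router": verdict(INPUT, pkt("br1", "udp", 53)),
        "ping_router": verdict(INPUT, pkt("br1", "icmp")),
        "admin_ui_on_router": verdict(INPUT, pkt("br1", "tcp", 80)),
        "ntp_to_router": verdict(INPUT, pkt("br1", "udp", 123)),
        "established_tcp_to_router": verdict(INPUT, pkt("br1", "tcp", 80, state="ESTABLISHED")),
        "smb_to_lan_host": verdict(FORWARD, pkt("br1", "tcp", 445, o="br0", dst="192.168.1.20")),
        "guest_to_shinobi": verdict(FORWARD, pkt("br1", "tcp", 8080, o="br0", dst=SHINOBI_IP)),
        "lan_to_guest": verdict(FORWARD, pkt("br0", "tcp", 22, o="br1", src="192.168.1.20", dst="192.168.9.50")),
        "guest_to_internet": verdict(FORWARD, pkt("br1", "tcp", 443, o="eth0", dst="203.0.113.10")),
    }
```

The `None` results are the cases the gist deliberately leaves to the router's existing rules (guest-to-WAN and reply traffic), which is why the script only needs to reject NEW connections.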

mtongnz commented Apr 20, 2020

This gist relates to this video: https://youtu.be/Tqedi2Qruds


alvarow commented Feb 12, 2021

Thank you! Great video, it helped me segregate my network using pfSense and a few AC68U as APs!
