walkingcurs3 Posted November 14, 2020

Hello, I want to block the guest network so that it has no access to the network where the NAS server is. However, something did not work out for me.

VPN - 192.168.20.0/24
LAN - 192.168.10.0/24
GUEST - 192.168.30.0/24

I am also attaching the firewall configuration; the interesting thing is that these rules used to work before....

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=input comment="Allow HTTPS" dst-port=443 log=yes protocol=tcp
add action=accept chain=input comment="Allow winbox" dst-port=8291 log=yes protocol=tcp
add action=accept chain=input comment="[Custom] allow connections from VPN network" log=yes src-address=192.168.20.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward dst-address=192.168.10.0/24 src-address=192.168.30.0/24
add action=drop chain=forward dst-address=192.168.20.0/24 src-address=192.168.30.0/24
add action=drop chain=forward dst-address=192.168.30.0/24 src-address=192.168.10.0/24
add action=drop chain=forward dst-address=192.168.30.0/24 src-address=192.168.20.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

JohnTRIVOLTA (Administrator) Posted November 14, 2020

/ip route rule
add src-address=192.168.30.0/24 dst-address=192.168.10.0/24 action=drop table=main
add src-address=192.168.30.0/24 dst-address=192.168.20.0/24 action=drop table=main

yHuKyM Posted November 14, 2020

You block everything from GUEST to anything other than WAN:

/ip firewall filter
add action=drop chain=forward comment="block guests to everything but wan" in-interface-list=GUEST out-interface-list=!WAN
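
Added example, not part of any post in this thread: a simplified first-match model of the forward chain in Python, run over the forward rules quoted above, to check which rule decides a guest-to-NAS packet. The host addresses, the one-list-per-interface packet model, the GUEST interface list and the treatment of fasttrack-connection are assumptions of the example.

```python
import ipaddress
import shlex

# Forward-chain rules from the question (IPsec-policy rules left out: the
# constructed packets below carry no IPsec policy).
BASE = """
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
"""
SUBNET_DROPS = """
add action=drop chain=forward dst-address=192.168.10.0/24 src-address=192.168.30.0/24
add action=drop chain=forward dst-address=192.168.20.0/24 src-address=192.168.30.0/24
"""
# Rule from the last answer; assumes an interface list named GUEST exists.
LIST_DROP = "add action=drop chain=forward in-interface-list=GUEST out-interface-list=!WAN\n"

def matches(rule, pkt):
    """True when every matcher in the rule agrees with the packet."""
    for key, want in rule.items():
        if key in ("action", "chain", "comment"):
            continue
        negate, want = want.startswith("!"), want.lstrip("!")
        if key in ("src-address", "dst-address"):
            hit = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want)
        else:  # comma-separated alternatives, e.g. connection-state
            hit = pkt.get(key) in want.split(",")
        if hit == negate:
            return False
    return True

def verdict(rules_text, pkt):
    """First-match evaluation; returns (action, matching rule line)."""
    for line in filter(None, map(str.strip, rules_text.splitlines())):
        rule = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
        # Assumption: fasttrack-connection is modelled as non-terminating; the
        # identical accept rule after it gives the same verdict either way.
        if rule["action"] != "fasttrack-connection" and matches(rule, pkt):
            return rule["action"], line
    return "accept", "no rule matched (filter default)"

def packet(src, dst, state, in_list, out_list):
    """Constructed test packet; each interface is in exactly one list here."""
    return {"src-address": src, "dst-address": dst, "connection-state": state,
            "connection-nat-state": "none",
            "in-interface-list": in_list, "out-interface-list": out_list}

if __name__ == "__main__":
    nas = ("192.168.30.50", "192.168.10.5")  # constructed guest host and NAS
    for state in ("new", "established"):
        print(state, verdict(BASE + SUBNET_DROPS, packet(*nas, state, "GUEST", "LAN")))
```

In this model a new guest-to-NAS connection is decided by the subnet drop rule, while a packet of a connection already in the established state is accepted by the earlier established,related rule.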