Traffic between devices in different VLANs is blocked by default, you don't need additional firewall rules for that. But any device from any VLAN can ping the router's IP address on all VLAN interfaces.
Let's say you have two VLANs:
- Network: 192.168.1.0/24; router IP: 192.168.1.1
- Network: 192.168.2.0/24; router IP: 192.168.2.1
In this scenario devices from 192.168.1.0/24 cannot ping devices in 192.168.2.0/24 and vice versa (so no additional rules needed. But, for example, if you ping 192.168.2.1 from a device that's in the 192.168.1.0/24 network (or vice versa) - the ping will work. If you wish to block specifically that, you must block input on each interface for destination.
If we continue the example above, you would need to add these rules to the Network → Firewall → Custom Rules page:
- iptables -I INPUT -i br-lan -d 192.168.2.0/24 -j REJECT
- iptables -I INPUT -i br-lan_lan2 -d 192.168.2.0/24 -j REJECT
Where br-lan is the default LAN interface name and br-lan_lan2 is the LAN interface that I created manually. (You can check the names of LAN interfaces in Network → VLAN → LAN Networks.)
If you have three interfaces instead, you will need to block 2 destinations on each interface, i.e., 6 rules total.
If you're having trouble with this, you can send the router's Troubleshoot file (can be downloaded from System → Administration → Troubleshoot) via private message and can help you create the necessary rules. Just tell me which addresses aren't supposed to communicate with each other.