As a workaround I have configured the following:
In the WebGUI: Network -> Firewall -> Custom Rules
/usr/sbin/iptables -I FORWARD -i br-lan -o wwan0 -j DROP
This adds an extra firewall rule on the first position, dropping any traffic from lan to wan, before it hits the ACCEPT ALL rule.
root@Teltonika-RUT240:~# iptables -vnL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 858 DROP all -- br-lan wwan0 0.0.0.0/0 0.0.0.0/0
0 0 forwarding_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: user chain for forwarding */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: forwarding * -> * */
0 0 zone_lan_forward all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_forward all -- eth1 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_forward all -- wwan0 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_vpn_forward all -- tun_+ * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_l2tp_forward all -- l2tp+ * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_l2tp_forward all -- xl2tp+ * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_pptp_forward all -- pptp+ * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_gre_forward all -- gre+ * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_hotspot_forward all -- tun0 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_hotspot_forward all -- tun1 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_hotspot_forward all -- tun2 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_hotspot_forward all -- tun3 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_sstp_forward all -- sstp-+ * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */