Hello,
The easiest solution here would most likely be to separate SIM1 and SIM2 zones in the firewall rules and then deny internet access to LAN devices from SIM2. To achieve this:
- Navigate to Network → Firewall → General settings.
- Add a new firewall zone:
  - Name: SIM2;
  - Input, Output, and Forward: reject;
  - Masquerading and MSS Clamping: enabled;
  - Covered networks: mob1s2a1;
  - Leave Inter-zone forwarding empty;
  - Save & Apply.
- Open the wan zone settings and remove mob1s2a1 from the covered networks;
- Open the lan zone settings and remove the SIM2 zone from Inter-zone forwarding;
- Navigate to Network → Firewall → Traffic Rules and create a rule:
  - Type: Add new forward rule;
  - Name: SIM2_WebUI_SSH;
  - Source zone: SIM2;
  - Destination zone: lan;
  - When the advanced configuration opens:
    - Change protocol to TCP;
    - Source zone to SIM2;
    - Destination zone: Device (input);
    - Destination port: 22, 80;
    - Save & Apply;
- Create a second rule to block the rest of SIM2 traffic (order is important):
  - Protocol: Any;
  - Source zone: lan;
  - Destination zone: SIM2;
  - Action: Reject.
Keep in mind that with this configuration the device itself will not be able to reach the internet; you'll only be able to access the device using its public IP.
For good measure, the router can be restarted and the configuration tested.
Best regards,
DaumantasG
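The /etc/config/firewall fragment that the WebUI steps in the reply above produce, written out as an added example (it is not part of the original post, nor Teltonika's own configuration). It assumes the OpenWrt-style UCI firewall syntax used by RutOS; the other interfaces listed under the wan zone (wan, mob1s1a1) and the second rule's name (SIM2_block_rest) are placeholders, not values from the post.

```uci
# Added example: UCI equivalent of the SIM2 isolation steps above.
# Assumed OpenWrt/RutOS firewall syntax; wan's other networks are placeholders.

# New SIM2 zone: input/output/forward rejected, NAT and MSS clamping on.
config zone
        option name 'SIM2'
        option input 'REJECT'
        option output 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'mob1s2a1'

# Existing wan zone with mob1s2a1 removed from its covered networks.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'mob1s1a1'      # placeholder: whatever else wan already covered

# lan keeps forwarding to wan only; there is deliberately no lan -> SIM2 section.
config forwarding
        option src 'lan'
        option dest 'wan'

# Rule 1: allow WebUI (80) and SSH (22) on the device itself from the SIM2 side.
# No 'dest' option means the rule applies to the device's input chain.
config rule
        option name 'SIM2_WebUI_SSH'
        option src 'SIM2'
        option proto 'tcp'
        option dest_port '22 80'
        option target 'ACCEPT'

# Rule 2: reject everything forwarded from lan towards SIM2.
# Keep it after rule 1; rules are evaluated in file order.
config rule
        option name 'SIM2_block_rest'   # placeholder name
        option src 'lan'
        option dest 'SIM2'
        option proto 'all'
        option target 'REJECT'
```

After editing the file by hand, `uci show firewall` lists the resulting sections and `/etc/init.d/firewall reload` applies them; the SIM2 zone's own forward and output policies already reject traffic, so the second rule is the explicit belt-and-braces block the reply asks for rather than the only thing keeping LAN hosts off SIM2.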