[millerbee]

I'm adding a new DD-WRT router to my *internal network* with wifi radios disabled. The goal is to isolate all traffic on the new subnet to be Internet-bound only.

I want to disable web admin GUI access from the LAN side and only allow GUI access from the WAN side. I've got the WAN side opened up via the appropriate admin options but now I want to close down the LAN side.

[Coolidge]

Did You try unchecking both "Administration/Web access/http and https" chekboxes but leaving "Administration/Remote access" enabled?

[Alozaros]

hmmm i hope you know what you are doing... and there will be a good set of firewall rules to protect, when you open GUI on a Wan side....
do expect a lot of attacks if you expose GUI on WAN side
make sure you change default ports for telnet and ssh and do key lock it with receipted key

by default the local microserver listens on port 80 so, closing down port 80 on local side will restrict any access to it...

add this to firewall script
iptables -I INPUT -i br0 -p tcp --dport 80 -j REJECT

[millerbee]

Target network topology is:

ISP -> DD-WRT router 1 (no open inbound ports) -> LAN -> DD-WRT router 2 (the one being set up) -> new isolated subnet

Only the LAN will have access to the WAN side of the second DD-WRT router. WLAN on router 1 can only head out to the Internet and has no access to the LAN. Only two machines exist on the LAN, both of which are strictly controlled. Unless you know something I don't, there shouldn't be any particular danger of attacks against the second router?

Thanks for the iptables rule. Exactly what I was hoping for.

[egc]

One step further then the rule from @Alozaros is rejecting everything but the necessary DNS and DHCP and ICMP by adding the following: