it´s possible to block the Hotspotsystem from the Local Network.

In DD-WRT i made the following Settings:

Go in the Admin / Diagnose-Tab and set the Following IPTABLES-Rules in the Windows and then
“Save as Firewall” – It works perfect on my Routers. Nobody have Access to Local Network and the Admin-Page.

Normally You don´t need the DROP-Lines for telnet, ssh, www and https, because the 192.168.0.0/16 Drops it all,
so the Access to other Hotspot-User in the 192.168.182.0/24-Network is blocked too. But Secure is secure 😉

#——————————————————————————————

## ISOLATION HOTSPOTSYSTEM FROM LOCAL NETWORK
iptables -A FORWARD -i tun0 -j DROP

#Blocking Access to Local Network from Tunneling-Adapter
iptables -t nat -I PREROUTING -i tun0 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -j DROP

# Blocks Access to the typically “Private IP-Adress-Range” (You can set more Lines with additional IP-Ranges)
iptables -t nat -I PREROUTING -i tun0 -d 192.168.0.0/16 -j DROP

# Blocks Access to the Router from the Hotspotsystem IP-Range, exect 3990 (Radius, Important for Logon and Logoff)
iptables -t nat -I PREROUTING -i tun0 -d 192.168.182.1/32 -p tcp –dport telnet -j DROP
iptables -t nat -I PREROUTING -i tun0 -d 192.168.182.1/32 -p tcp –dport ssh -j DROP
iptables -t nat -I PREROUTING -i tun0 -d 192.168.182.1/32 -p tcp –dport www -j DROP
iptables -t nat -I PREROUTING -i tun0 -d 192.168.182.1/32 -p tcp –dport https -j DROP
iptables -t nat -I PREROUTING -i tun0 -d 192.168.182.1/32 -p tcp –dport 3990 -j ACCEPT