Sebastian Moeller writes:

> I did not notice this even though my primary router furnishes
> cerowrt with 192.168.2.104 (but no additional subnets in there), the
> internet works and I can reach machines in the primary subnet just
> fine, so nothing to see here ;) Great work Dave and Toke.

Yay! Just to confirm:

1. What is the output of `ipset list` on the router?

2. What happens if you ping 192.168.1.1 (or some other address in a
   private subnet, but not configured on any of your interfaces)?

> I guess having an easy way to set exceptions is really a good
> solution.

There's a BCP38 tab in the firewall config that allows you to input
subnet exceptions manually if needed. :)

-Toke