After installing ceroWRT the first thing I did was to reconfigure the firewall as shown attached. My router is used as home gateway and I wanted to lock down the device a bit.

The changes are introduced are as follow:

- LAN (s+) to/from GUEST (g+) is not allowed.

- GUEST to ROUTER is restricted to DNS/DHCP/NTP.

- I've tuned the basic IPV6 rules to take the above changes into account and allow proto 41 INPUT for 6to/in4 tunnels.

- LAN to/from ROUTER everything is allowed.

This could be a nice default config.

Feedback welcome.