One thing: since you don't have any rule to allow LAN (192.168.1.0/24) access to SRM on TCP/443, the firewall isn't stopping local access to the SRM web interface.
This is what I wrote on 'the community' three weeks ago.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The firewall rules are applied from the top of the table to the bottom, until one matches the source/destination/protocol/port criteria and then the action is taken.
As such, it takes more processing to make a hit lower in the policy so if you have high volumes of connections of a particular type then try to place it high up. Obviously, do this without compromising the overall security of your device.
You don't want the first rule to be any/any/any/any = deny because that blocks everything to the router (from inside and out [well probably inside, try it and report back if you had to reset the router!]). You can set the bottom four rules to do the blocking after you set the policy rules you want.
My home RT2600ac policy is set like this:
1. Things I want to block from everywhere: at present I don't have any
2. Local subnets can access, define as needed for LAN and VPN servers but these are the most they should be (we can guarantee these IPs won't come from the Internet because of RFC 1918, but your ISP modem/router may use a subnet in these ranges to assign the SRM's Internet IP via DHCP):
   - 192.168.0.0/255.255.0.0 : TCP+UDP, All / All / All, Allow
   - 172.16.0.0/255.240.0.0 : TCP+UDP, All / All / All, Allow
   - 10.0.0.0/255.0.0.0 : TCP+UDP, All / All / All, Allow
3. One or more rules for countries I want to block: Deny selected countries
4. Everywhere to SRM for most apps, except VPN: Deny selected apps to SRM
5. Inbound SMTP from my email host's SMTP servers: Allow SMTP ports to my server
6. Inbound SMTP from any other SMTP servers: Deny SMTP ports to All
7. VPN services (enabled only if I use them)
   - services that are listed: TCP+UDP, All / All / VPN apps, Allow
   - VPN Remote Desktop: TCP+UDP, All / All / my RD port, Allow
8. Automatically added rules from the port forwarding page
9. The four default rules all set to deny.
The Country block rules can go at the top if you like but local subnet rules get more hits.
The step 2 rules can be slimmed down to be just the subnets you actually use for your LAN/WLAN and VPN services. I use 192.168.0.0/255.255.240.0 to cover local services but it excludes the Virgin Media subnet on the outside of my SRM router.
Rules in step 2 take precedence over steps 3 and lower, so the LAN/WLAN clients can access the router and other home devices (including VPN clients that are connected). I don't want external access to the router, except from those Internet locations that haven't been blocked for VPN services.
The automatic rules added for port forwarding then allow the same type of filtered access as the SRM's VPN service (e.g. no access from countries I want to block), but for my internal servers as the destinations.
I add rules between 3 and 4 for specific IPs and ranges that I see are being very active and need to be blocked. Often Threat Prevention is already dropping them and the firewall rule will block for alert-level threats that aren't dropped ... just to reduce the noise in the TP log.
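The top-to-bottom, first-match behaviour described in the post can be modelled in a few lines. This is an added example, not part of the original post and not SRM's own code. The rule names carry the step positions from the post's list; the blocked-country range, mail host address, test sources and the port numbers 443 and 25 are constructed assumptions.

```python
import ipaddress

ANY = "0.0.0.0/0"

def rule(name, src, dst, ports, action):
    # dst is "srm", "server" or None (any); ports is a set or None (any).
    return (name, ipaddress.ip_network(src), dst, ports, action)

# Constructed model of the ordered policy in the post. The blocked-country
# range and the mail host address are documentation addresses standing in
# for a geo-IP lookup and a real mail provider (assumptions, not SRM data).
POLICY = [
    rule("2 local subnets", "192.168.0.0/255.255.240.0", None, None, "allow"),
    rule("3 blocked countries", "203.0.113.0/24", None, None, "deny"),
    rule("4 selected apps to SRM", ANY, "srm", {443}, "deny"),
    rule("5 SMTP from mail host", "198.51.100.25/32", "server", {25}, "allow"),
    rule("6 SMTP from anyone else", ANY, "server", {25}, "deny"),
    rule("9 default deny", ANY, None, None, "deny"),
]

def evaluate(policy, src, dst, port):
    """First-match evaluation: return (rule name, action, rules checked)."""
    addr = ipaddress.ip_address(src)
    for checked, (name, net, rdst, ports, action) in enumerate(policy, 1):
        if addr in net and rdst in (None, dst) and (ports is None or port in ports):
            return name, action, checked
    return None, "no match", len(policy)

def demo():
    # The ordering the post warns against: a blanket deny as the first rule.
    bad = [rule("any/any deny first", ANY, None, None, "deny")] + POLICY
    return {
        "lan_to_srm": evaluate(POLICY, "192.168.1.20", "srm", 443),
        # Constructed ISP-side address: private, but outside the /20 in rule 2.
        "isp_side_to_srm": evaluate(POLICY, "192.168.100.1", "srm", 443),
        "mail_host_smtp": evaluate(POLICY, "198.51.100.25", "server", 25),
        "other_smtp": evaluate(POLICY, "192.0.2.7", "server", 25),
        "blocked_country_smtp": evaluate(POLICY, "203.0.113.9", "server", 25),
        "lan_with_deny_first": evaluate(bad, "192.168.1.20", "srm", 443),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} {result}")
```

The third element of each result is the number of rules checked before the hit, which is the processing cost the post refers to when it suggests placing high-volume rules near the top.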