OpenWrt local-only network

2

I have an OpenWrt router. I am using LuCI to manage it. It is primarily being used as a wireless-wired bridge (WLAN client bridged to the lan network and firewall zone so all devices can see each other), but it has two radios and I would like to set up a Wi-Fi master on the second radio that acts as a local-only network: devices from the main network can reach and interact with devices on the local-only network, but devices from the local-only network can never initiate a connection out to the main network, and definitely never out to the internet. Kind of a reverse DMZ, I guess? Inside DMZ?

I tried creating a new Wi-Fi master and putting it on the pre-existing wan network and firewall zone (currently not being used, since the WLAN client is on the lan network and firewall zone as described above), since the default "lan can get out to wan but wan can't reach into lan" behavior is what I want, but I can't ping any of the devices in the new Wi-Fi network from the main network; I keep getting "packet filtered" from some non-local address (the ISP?). I tried adding a static route, but that didn't work, so I either did it wrong or that isn't the problem.

I'm not too bad with computers and I understand basic networking concepts, but I get a little lost trying to translate that into what exactly to click on in LuCI (or, if it came to it, what to do from the command line, but I'd prefer LuCI). Can anyone describe how to accomplish this local-only network? I don't really care about DNS or DHCP on the local-only network; I just want to reach the devices without them reaching out.

I've spent a fair amount of time searching for this on Stack Exchange and the internet at large, but if there is anything describing this out there, it gets drowned out by information about setting up a DMZ (reachable from the internet or LAN but can't reach into the LAN) or a guest network (can reach the internet but not the LAN), which are not what I'm trying to do. I do NOT want this network to be able to reach the internet!

owrq

Posted 2018-06-25T20:27:41.207

Reputation: 41

Wouldn't it be able to reach out if someone configured the gateway on the client, or if a malicious client could somehow determine the IP, etc.? – owrq – 2018-06-25T22:28:18.967

All my WAPs are running DD-WRT. If I have some time this weekend I'll throw OpenWrt on one and see if I can help you with this. I believe it would be a custom rule set with iptables to accomplish this. You are comfortable with the CLI, right? – Tim_Stewart – 2018-06-26T00:33:22.013

Yes, pretty comfortable with the CLI. – owrq – 2018-06-26T22:51:03.320

No answers
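An added worked example, not from the original post, the comments, or any answer on the page: the OpenWrt UCI stanzas that give the asked-for one-way behaviour using fw3 zone forwarding rather than hand-written iptables rules. The interface name 'iso', the 192.168.10.0/24 subnet, 'radio1', the SSID and the passphrase are placeholders to adjust. In LuCI the same settings live under Network > Interfaces (new static interface), Network > Wireless (new Master on the second radio, attached to that interface) and Network > Firewall, Zones tab (new zone covering the interface, with forwarding allowed only from lan).

```uci
# /etc/config/network (added stanza)
# The isolated subnet gets its own interface: no bridge into lan, no DHCP client.
# Address and netmask are assumptions.
config interface 'iso'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

# /etc/config/wireless (added stanza)
# A master (AP) on the second radio, attached to the 'iso' interface.
# 'radio1', the SSID and the key are placeholders.
# 'isolate' is optional and additionally stops isolated clients seeing each other.
config wifi-iface 'iso_ap'
	option device 'radio1'
	option network 'iso'
	option mode 'ap'
	option ssid 'isolated'
	option encryption 'psk2'
	option key 'change-this-passphrase'
	option isolate '1'

# /etc/config/firewall (added stanzas)
# input REJECT:   isolated clients cannot talk to the router itself
# output ACCEPT:  the router may send into the zone (and replies flow back)
# forward REJECT: nothing originating in the zone is forwarded anywhere
config zone
	option name 'iso'
	option network 'iso'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The only permitted direction: main LAN -> isolated.
# There is deliberately no forwarding with 'src iso', so iso -> lan and
# iso -> wan are never accepted.
config forwarding
	option src 'lan'
	option dest 'iso'

# Optional: uncomment if isolated clients should get DHCP from this router.
# DNS would need an equivalent rule for udp/tcp port 53.
#config rule
#	option name 'Allow-DHCP-iso'
#	option src 'iso'
#	option proto 'udp'
#	option dest_port '67'
#	option target 'ACCEPT'
```

Why this gives the asked-for direction: fw3 only emits zone-to-zone accept rules for the forwardings you list, so lan -> iso is accepted while iso -> lan and iso -> wan have no forwarding and fall through to the iso zone's forward policy of REJECT. Reply packets for a connection a LAN host opened are let back by the conntrack ESTABLISHED,RELATED rules fw3 installs by default, so the LAN side still gets its answers. Because this is enforced in the router's FORWARD chain, it does not depend on what gateway the isolated clients configure (the concern raised in the first comment): a client can hand the router a packet addressed to any host, and the router refuses to forward it. One thing this config cannot fix on its own: since this box is bridged into the main LAN rather than being the LAN's default gateway, main-LAN hosts do not know where 192.168.10.0/24 lives, so the static route for that subnet, with this router's lan address as next hop, has to go on the main router (or on each LAN host), not on the OpenWrt box. With input REJECT and no DHCP rule the isolated clients also need static addresses. After `/etc/init.d/firewall restart`, `iptables -L zone_lan_forward -v` on the router should show a jump to zone_iso_dest_ACCEPT, and `iptables -L zone_iso_forward -v` should show no ACCEPT toward zone_lan or zone_wan; a ping from the main LAN to an isolated device should work, and the reverse should not.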