NewOwnerOfKeeneticRouter

That is right, it is set up as a access point with another extender just for wifi.

The feature firewall rules is not available in AP / extender mode. Therefore, access can‘t be restricted. There is no other way to block mac or ip addresses. Apart from that, to make use of a firewall rule seems to be just a workaround for me. In router mode, one can switch a segment to security-level „protected“. That does prevent access to management services of the device. This very same feature in AP / extender mode would be a much better solution. Unfortunately, it is not available in the OS in AP / extender mode right now. This was confirmed by Keenetic support. My request was already reviewed by Keenetic support. To implement this as a new feature, they suggested to post it in the forum in order to get additional votes from other users for my request. If there is interest from other users it would help.

This would work in router mode. Unfortunately, in AP / extender mode one can‘t set any firewall rules nor can one switch the security-level to „protected“

A nice security feature would be to restrict access to the admin GUI e.g. to the Home segment when the device is set to access point / extender mode. At the moment, when a client is e.g. logged on to the guest network, they can scan IP addresses and thus get access to the GUI landing page and try passwords. Worse, they know or find out the password. Other pro equippment usually offers the possibility of a management network or similar. This would decrease the risk e.g. for wireless attacks as the admin would be able to access the device via LAN only. Quite clearly, a webpage randomly asking for ssid/ login credentials would be an attack then.