Omada software controller on Docker Container - FW 5.9.31

ER7206 v1.0 FW 1.3.0

About to launch some MVP/prototype products which rely upon VPN for data dumping. Created a VLAN for isolation as these will be out in the field. Enabling v disabling DHCP server doesn't affect outcome.

Applied a stateful ACL to isolate this VLAN. 'States Type' auto v manual doesn't affect outcome.

Created two OpenVPN servers, one with full access for myself. The restricted's IP pool is assigned to the same subnet as the VLAN.

I can connect and am assigned an IP on subnet 192.168.254, but am able to ping/access hosted services on subnets 0, 2, and 3. Since a traceroute from my phone with the restricted VPN profile showed the first hop as 169.254.x.x/16, I tried changing the restricted VLAN to 169.254.0.1/16, but that still didn't prevent access to the other subnets.

Are stateful ACLs implemented for OpenVPN? Is there a different approach to isolating OpenVPN clients?