Masquerade incomprehension

Hi everyone,

I have a small masquerade issue that is bothering me.

My setup is configured like this:

  • bridge-lan (LAN) uses 10.40.116.1/24
  • bridge-dmz (DMZ) uses 172.16.16.1/24
  • ether8 (WAN) uses x.y.z.w from my ISP’s DHCP

The only masquerade rule is:

2 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

Yet I can connect from any IP in 10.40.116.0/24 to any IP in 172.16.16.0/24 (the opposite is also true) with the router masquerading the IP as 10.40.116.1 (172.16.16.1 the other way around).
Is that the expected behavior?
Doesn’t the masquerade rule explicitly state that only traffic to WAN should be allowed?

Any help would be greatly appreciated.

You are mixing up apples and oranges.
Source masquerade is typical NAT behaviour:
all your private LAN IPs are given a source IP of the router (WAN IP) on the way out the door, so that any website only sees a source address of the public IP of the router.
The return traffic is translated back to private IPs upon hitting the router.

So source NATting has nothing to do with allowing LAN to LAN traffic…
That is a combination of L2 traffic rules and L3 traffic rules.
Typically, to separate traffic (MAC addresses) at layer 2, one can use different ether ports, bridges, VLANs etc…
To separate traffic (IP addresses) at layer 3, one uses firewall rules on the router.

If you want the config reviewed to see where you are going wrong, post the config:
/export file=anynameyouwish (minus the router serial # and any public WAN IP information)

“WAN” is just the name of an interface list; it’s possible that it contains more interfaces than it should. It’s either that or another srcnat rule.
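The two replies above point at the same checks: confirm what the "WAN" interface list really contains, look for a second srcnat rule, and handle LAN/DMZ separation with forward-chain filter rules rather than NAT. The following RouterOS terminal session is an added example written for this thread, not commands posted by either participant; it uses the interface names and subnets from the question, and the rule comments are constructed.

```routeros
# Added example (not from the original post): verify the WAN interface list,
# list every srcnat rule, inspect a live LAN->DMZ connection, and keep
# LAN<->DMZ policy in the filter table where it belongs.

# 1. Membership of the "WAN" interface list. Only ether8 should appear; if
#    bridge-lan or bridge-dmz is listed, the masquerade rule matches them too.
/interface list member print where list=WAN

# 2. Every srcnat rule, including disabled ones, to spot a second masquerade
#    rule or one with no out-interface restriction.
/ip firewall nat print detail where chain=srcnat

# 3. A live LAN->DMZ flow: with a correct config the reply-dst-address column
#    shows the original 10.40.116.x host, not 10.40.116.1 or 172.16.16.1.
/ip firewall connection print where dst-address~"^172.16.16."

# 4. If a stray member was found in step 1, remove it so only ether8 remains.
/interface list member remove [find list=WAN interface!=ether8]

# 5. Separation between LAN and DMZ is a forward-chain filter decision, not a
#    NAT one. Keep replies flowing, then block DMZ-initiated sessions toward
#    the LAN (adjust the direction to the policy you actually want).
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="allow established/related"
/ip firewall filter add chain=forward in-interface=bridge-dmz out-interface=bridge-lan connection-state=new action=drop comment="DMZ may not initiate to LAN"
```

Filter rules are evaluated top to bottom and `add` appends at the end, so if the default configuration already has a broad forward accept rule, move the drop rule above it with `/ip firewall filter move` or use `place-before=`. Re-run step 3 after the change: once masquerade no longer applies between the bridges, the connection entries stop showing the bridge addresses as the translated source.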