If I have one device (192.168.12.5) on the LAN interface that I want to prevent from accessing the internet and I put a rule (top rule #1) on the LAN interface to:
Action: Block
Protocol: IPv4 *
Source: 192.168.12.5, Port: *
Destination: any, Port: *, Gateway: *
The rule works and the machine cannot access the internet. But why does the following not work on the LAN interface?
Action: Block
Protocol: IPv4 *
Source: 192.168.12.5, Port: *
Destination: WAN net, Port: *, Gateway: *
Everywhere I have seen online shows the same technique for doing this (set destination to any). Why is this? I'm trying to block traffic from exiting the WAN from that IP. I would think that would mean my destination should be WAN net.
This rule will block all IPv4 traffic from 192.168.12.5 to your ISP's WAN net segment, not the Internet.
The Internet is every IP address that is not in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.
See: IETF RFC 1918
So, to block access to the Internet without using ANY destination, create an alias called something like PRIVATE_NETWORKS and use it in your rule like this:
Now, any IPv4 traffic from 192.168.12.5 that is not destined for your private LAN will be blocked.
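To make the difference between the two destinations concrete, here is an added Python simulation (not from the thread or from pfSense) that evaluates each rule variant against a few sample destinations; the WAN subnet 203.0.113.8/29 and the sample destinations are constructed assumptions.

```python
import ipaddress

# Constructed sample topology (assumption, not from the post): the WAN
# interface holds 203.0.113.10/29, so the firewall's "WAN net" is 203.0.113.8/29.
WAN_NET = ipaddress.ip_network("203.0.113.8/29")
# The PRIVATE_NETWORKS alias from the answer: the three RFC 1918 ranges.
PRIVATE_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BLOCKED_HOST = ipaddress.ip_address("192.168.12.5")


def dest_matches(dst, networks, invert=False):
    """True if dst is inside any of the networks, or outside all of them
    when invert=True (the 'Invert match' / '!' option on the destination)."""
    hit = any(dst in net for net in networks)
    return not hit if invert else hit


# Each rule returns True when it would BLOCK the packet src -> dst.
def rule_dest_any(src, dst):
    """The question's working rule: block 192.168.12.5 -> any."""
    return src == BLOCKED_HOST


def rule_dest_wan_net(src, dst):
    """The question's failing rule: block 192.168.12.5 -> WAN net only."""
    return src == BLOCKED_HOST and dest_matches(dst, [WAN_NET])


def rule_dest_not_private(src, dst):
    """The answer's rule: block 192.168.12.5 -> !PRIVATE_NETWORKS."""
    return src == BLOCKED_HOST and dest_matches(dst, PRIVATE_NETWORKS, invert=True)


def verdict(rule, src, dst):
    """Evaluate one rule as the first (top) rule on the LAN interface."""
    blocked = rule(ipaddress.ip_address(src), ipaddress.ip_address(dst))
    return "block" if blocked else "pass"


if __name__ == "__main__":
    for dst in ("203.0.113.9", "8.8.8.8", "192.168.12.1", "10.1.2.3"):
        print(dst,
              "any:", verdict(rule_dest_any, "192.168.12.5", dst),
              "WAN_net:", verdict(rule_dest_wan_net, "192.168.12.5", dst),
              "!private:", verdict(rule_dest_not_private, "192.168.12.5", dst))
```

The WAN net rule only catches packets addressed to the ISP-side subnet itself, so 8.8.8.8 passes, while the inverted alias rule blocks it but still lets 192.168.12.5 reach other RFC 1918 subnets.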
In the second case you block traffic from 192.168.12.5 to the WAN subnet (all IPs you have configured on the WAN port) but allow any other IPs.