new lan not getting access to internet

[passeri]

Try this instead of your current rules:

Create an ACL containing all local (RFC1918) address ranges which you do not want addressed from the LAB, assuming it is this one you want isolated (else as applicable). I'll call it no_go for the example.

Create a Pass rule for your LAB interface: direction in, source/invert unchecked, source any, dest/invert checked, dest "no_go", dest port any.
This will give access to the WAN and to anything not in your no_go ACL.
You can add a Block rule below which is source "LAB net" dest any to catch anything else.

I use this for my IoT which is allowed out to WAN and nowhere else, with nothing incoming to it. I can still access IoT devices from LAN of course.

Edited to mention Pass and Block

[Seimus]

Segregation is achieved via splitting up the networks, either L2 via VLANs or L3 via Networks, both of them are usually used in together.

If you have split networks for LAB and LAN, assuming you have 2 L3 Interfaces for each specific Network. Firewalls essentially filter traffic in two directions INbound and OUTbound. By default INbound has implicit DENY on the interface/zone, you need to create a INbound RULE on the specific Interface to ALLOW traffic you want (OUTbound is by default ALLOWed).

Currently those RULES you have in place only ALLOW traffic for ICMP towards this Firewall.

Regards,
S.

[bloodyskullz]

Try this instead of your current rules:

Create an ACL containing all local (RFC1918) address ranges which you do not want addressed from the LAB, assuming it is this one you want isolated (else as applicable). I'll call it no_go for the example.

This confused me, I know what an ACL is but the RFC stuff made me go blank.

Create a Pass rule for your LAB interface: direction in, source/invert unchecked, source any, dest/invert checked, dest "no_go", dest port any.
This will give access to the WAN and to anything not in your no_go ACL.
You can add a Block rule below which is source "LAB net" dest any to catch anything else.

I use this for my IoT which is allowed out to WAN and nowhere else, with nothing incoming to it. I can still access IoT devices from LAN of course.

Edited to mention Pass and Block

Currently I only have LAB and LAN so ultimate go is LAB = internet access and nothing else in LAN

LAN = Access everything else.

By your suggestion of the rules, i could substitute no_go for LAN net (hoping I understood all that correctly).

[passeri]

Sorry 

RFC1918 is short for these addresses to enter in your no_go ACL: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
It is discussed under “Private network” on Wikipedia.

Remember to invert that ACL destination. Source is any, IN to the Lab address.