Pass firewall rule allowing extra access

[nr124]

Hello – I’m admittedly a bit of a rookie and after much forum reading am stumped by a firewall rule meant to isolate one of my VLANS. 

Setup: router on a stick with 3 VLANS/interfaces setup on switch (WAN, LAN, IPCAM)

Desired Behavior:  I want to isolate IPCAM, blocking internet access and blocking access from any other device on the network except one IP (192.168.1.24)

I have the following two rules set up:
Action: Pass
Direction: out
Source: 192.168.1.24/1
Destination: IPCAM net

Action: Block
Direction: out
Source: VLAN net
Destination: IPCAM net

Instead of the desired behavior where I’m allowed access to one of the IP addresses on IPCAM only from 192.168.1.24, I’m allowed access from any IP on my VLAN and logs state that it's that first rule allowing it.  Any help or push in the right direction would be greatly appreciated!

[Patrick M. Hausen]

You beed to put IN rules on the interface where the connection originates. And a single host like 192.168.1.24 takes a /32 netmask.

Could you try to explain more clearly? Which IP addresses are on which interface? We need all IP networks on all VLANs to come up with the proper rules ...

[nr124]

Thank you!  It looks like changing to /32 cleared it up.  I also have both in and out rules set up.  Logs and behavior look appropriate with the changes you outlined.   

For completeness in case you see something else glaring, I've attached my switch setup.

the IPCAM interface has ip's from 192.168.80.*
the LAN interface has ips from 192.168.1.*

Thank you again for such quick help and understanding with that mistake!