Block IPs from internet access

[AxAn]

I'm trying to block some LAN ip addresses from accessing the internet.
I created an alias with one ip, for testing, and then created a blocking rule in Firewall: Rules: Floating for WAN but when testing the device can still access the internet.
If I'm changing the rule interface from WAN to LAN then it works (no access to LAN).
What am I missing?

[Patrick M. Hausen]

You need to create an inbound interface based rule on LAN, because that's where the packets of the device first enter the firewall. You practically never need outbound rules and very rarely floating rules.

[AxAn]

But if I do that then the device is also blocked from accessing the LAN, not only the internet, which is undesirable.

[Patrick M. Hausen]

No. Devices on the LAN communicate with each other without the firewall involved. Only traffic from a LAN device to something that is not on LAN is sent to the default gateway. IP and routing 101. You might want to read up on that topic.

[AxAn]

So you are suggesting that device can't access any other device on the LAN because of some other reason, when I'm adding the firewall rule?
Or is it somethings wrong with how I set up the rule?
Before I add the rule the device can ping google.com and other devices on the LAN.
After the rule is applied it can't ping either google.com or any other devices on the LAN.

[Patrick M. Hausen]

How are all these devices on the LAN connected? Devices on a switch can communicate with each other whether there is a firewall or router or not.

Local Area Networks (hence "LAN") are older than the Internet, routers and firewalls. Companies have been connecting PCs with file servers, databases, printers, ... all the time. The firewall is not involved in local communication unless something is seriously misconfigured.