Block internet access from VLAN. But what's the right way to do it?

Started by mvdheijkant, May 10, 2024, 08:01:25 PM

I'm using several VLANs that all have access to the internet, their own VLAN and DNS on LAN, but nothing else on the network. See GUEST VLAN.jpg.
I think this looks fine.
My problem is with the camera network that I also don't want to give internet access.
Despite trying all kinds of rules, I did not get a good result at first.
Except when adding the blocking rule on top of the others that is shown on the CAM VLAN.jpg.

What can I say, it works, but I have the feeling it's a bit of a novice solution.
The DNS access can also be obsoleted I gather.

Can you help me, or show me your solutions for this problem?
Thanks.

What is the network good for if it doesn't have access to anything?

Anyway, with no rule at all you will probably achieve that result. DHCP will still work because there are automatic rules for that, but nothing else will.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I think they mean they only want to access the network locally.

If that's the case, you'd have to create rules on the interface(s) which should have access to the camera network. I suppose something like this:

Interface: LAN (or whichever VLAN you want to access the camera network from)
Protocol: TCP/UDP (or just TCP or UDP, depending on your needs)
Source: LAN net
Destination: IP(s) of the camera, OR the camera network net for simplicity (e.g. CAM VLAN net)
Destination port range: any (if you know the ports your cameras need then use those. If e.g. you simply want to access a web portal to your cameras, use 80 or 443 depending on encryption or not)

I believe you don't need to configure any firewall rules on the CAM VLAN interface.
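
A simplified model of the evaluation behaviour the replies above rely on, as an added example that is not part of the thread and is not OPNsense code: rules are checked on the interface where a packet enters, the first match wins, no match means block, and replies to an allowed connection pass through the state table. The subnets, host addresses and the `Firewall` class are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumption, not taken from the thread).
NETS = {"LAN": ip_network("192.168.1.0/24"), "CAM": ip_network("192.168.30.0/24")}

# Per-interface rule lists, read top-down on the interface where a packet enters.
# Only LAN carries a rule; CAM has none, so the default deny applies there.
RULES = {
    "LAN": [{"action": "pass", "proto": {"tcp", "udp"}, "src": NETS["LAN"],
             "dst": NETS["CAM"], "ports": {80, 443}}],
    "CAM": [],
}

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # flows opened by a pass rule

    def handle(self, iface, proto, src, sport, dst, dport):
        """Return 'pass' or 'block' for a packet arriving on `iface`."""
        # A reply to an established flow matches the state table before any rule.
        if (proto, dst, dport, src, sport) in self.states:
            return "pass"
        for r in self.rules.get(iface, []):
            if (proto in r["proto"] and ip_address(src) in r["src"]
                    and ip_address(dst) in r["dst"] and dport in r["ports"]):
                if r["action"] == "pass":
                    self.states.add((proto, src, sport, dst, dport))
                return r["action"]  # first match wins
        return "block"  # no rule matched: default deny

def demo():
    fw = Firewall(RULES)
    pc, cam = "192.168.1.10", "192.168.30.20"
    return {
        "cam_to_internet": fw.handle("CAM", "tcp", cam, 40000, "203.0.113.5", 443),
        "cam_to_lan_new": fw.handle("CAM", "tcp", cam, 40001, pc, 445),
        "lan_to_cam_https": fw.handle("LAN", "tcp", pc, 50000, cam, 443),
        "cam_reply": fw.handle("CAM", "tcp", cam, 443, pc, 50000),
        "lan_to_cam_telnet": fw.handle("LAN", "tcp", pc, 50001, cam, 23),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The camera's reply passes even though the CAM interface has no rules, while any connection the camera starts itself is blocked.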