Is this the right way to block one host from internet?

[mrpetersson]

I'm trying to set a rule for what I believed would be the simplest thing but I'm still a little uncertain if I got it right.
I'm on 24.7.3_1.

I want to block a device on my LAN (I don't have VLANs yet) from accessing the internet. LAN network is 10.10.0.0/16.

I'm setting:
Action: Block
Quick: Checked "Apply the action immediately on match."

Interface: LAN
Direction: in
TCP/IP Version: IPv4
Protocol: any

Source / Invert: Unchecked ("Use this option to invert the sense of the match.")
Source: Single host or Network. 10.10.x.y / 32          <- Is this the right net mask?
Source port range: from:any to:any

Destination / Invert: Checked  "Log packets that are handled by this rule"  <- Due to setting Destination as LAN net, correct or not?
Destination: LAN net
Destination port range: from: any to: any

Log: Checked "Log packets that are handled by this rule"
 

I still see this device when looking at LAN traffic, it is a device that seems to be trying to call home. Maybe Waht I see in the Reporting -> Traffic -> Top Talkers is before the firewall drops the packets?

[Patrick M. Hausen]

Destination LAN net needs to be destination any. "The Internet" is "any IP address that is not local to your network".

[doktornotor]

Hmm, not with the destination inverted?

[Patrick M. Hausen]

Hmm, not with the destination inverted?

You are right.

[mrpetersson]

I was thinking that setting "any" would make it hard to get anything from this device (which is an IP camera so I want to get the video out).