Although somewhat tangential to your post, based on the rules you showed in your screenshot, have you ever considered running VLANs (or even just subnets, though of the two, I recommend VLANs)? It allows you to segment network traffic. For example, you could create a VLAN for IoT devices or even just your cameras, and then as part of setting it up, you can assign that VLAN its own firewall zone. That would then allow you to have a simple firewall rule that says "anything in this firewall zone cannot access WAN" rather than specifying different behavior for some devices in your LAN firewall zone based on MAC address. Just something you might want to consider. I run VLANs, for what it's worth.

One note about doing that, though: if you run VLANs, the clients page in the GL.iNet UI will stop showing devices. I've raised this issue elsewhere in this forum (GL.iNet UI shows no clients connected due to use of VLANs), as have others (VLAN management and client support in stock GUI (Flint 2)), but I don't think anyone has ever gotten any signal from GL.iNet staff that they intend to tweak the GL.iNet UI to recognize VLANs such that their UI will report connected clients even if you run VLANs.
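As an added illustration of the "own VLAN, own firewall zone, no WAN" setup described in that post (this is not the poster's configuration and not anything from GL.iNet; it is written in the OpenWrt UCI format that the Flint 2 firmware uses underneath the GL.iNet UI), here is what the relevant pieces of `/etc/config/network`, `/etc/config/dhcp` and `/etc/config/firewall` could look like. The VLAN ID 20, the subnet 192.168.20.0/24, the zone name `iot` and the switch port names `lan1`/`lan2` are assumptions; check your own port names with `bridge vlan show` before copying anything.

```uci
# /etc/config/network  (assumed DSA-style bridge on a Flint 2; port names are assumptions)

# Once any bridge-vlan section exists, VLAN filtering is on, so the default LAN
# VLAN must be declared explicitly and the ports you keep on it listed here.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan2:u*'      # untagged, PVID: normal LAN clients stay on VLAN 1

# VLAN 20 for cameras/IoT. lan1 carries it untagged so a dumb camera just works;
# add 'lanX:t' entries instead if a managed switch or an AP tags the traffic.
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:u*'

config interface 'lan'
	option device 'br-lan.1'   # was 'br-lan' before VLAN filtering
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp  (assumed; cameras still need an address)
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall
# Its own zone. forward=REJECT only matters between networks inside the zone;
# the key point is that there is NO 'config forwarding' with src=iot dest=wan,
# and OpenWrt's default inter-zone policy is REJECT, so the zone cannot reach WAN
# regardless of which MAC address a device shows up with.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# input=REJECT also blocks the router itself, so explicitly re-allow only
# DHCP and DNS from the IoT zone to the router (no SSH/LuCI/GL.iNet UI).
config rule
	option name 'iot-allow-dhcp-dns'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# Your trusted LAN may open connections to the cameras (to view the streams);
# there is deliberately no forwarding in the other direction.
config forwarding
	option src 'lan'
	option dest 'iot'
```

Two things worth checking after a change like this: `fw4 print` (or `fw3 print` on older builds) to confirm that no `iot -> wan` forward chain exists, and a quick `ping`/`curl` from a device on the camera port to confirm it gets an address from 192.168.20.x but cannot reach the Internet. As the post above notes, the GL.iNet "Clients" page will not list devices on the new VLAN; LuCI's Status > Overview (DHCP leases) or `cat /tmp/dhcp.leases` still shows them.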