Block Client WAN but keep available via Wireguard VPN

So I have some IP cameras which I would like to block access to the internet but still access them via the Wireguard VPN.

First of all, the BLOCK WAN option in the Glinet interface does not allow them to be available when accessing the network via the Wireguard server VPN. Customer support confirmed this with me.

So this is why I wanted to check if I can use the LuCI OpenWRT interface to block connections. There is this very promising post in the OpenWRT forums which describes how he set a Firewall traffic rule, and it is straightforward: [Solved] Firewall rule to block device from accessing internet - Network and Wireless Configuration - OpenWrt Forum

However, when I configure it (see screenshots below), the cameras are still available from the internet. Like the post linked above, I set the MAC addresses in the Advanced Settings tab. Yes, I enabled the rule in the firewall traffic rules and pressed “Save & Apply”. I also verified that IPs and MAC addresses are correctly set.

I also tried: setting source IP address as well or instead of the MAC address, changing order of the rule, rebooting router, changing the action from reject to drop. But nothing worked. Does anyone know why not?

I also tried switching source and destination zone so that any request would not be returned but that did not do anything either.

Any help is much appreciated!

This is the Advanced settings tab where I configured the MAC addresses:

Please write the IPs of your devices to get a better understanding of the topology.

So the cameras' IP addresses are: 192.168.8.100 and 192.168.8.101.

But apparently what I want to do is not possible anyways.

Customer support already confirmed that it is not possible with Glinet to connect to WAN-blocked devices via Wireguard because that is also in the WAN zone or something like that.
Very inconvenient as this is a common use-case (at least for me): Block internet of sensitive devices, servers, etc. and access them via VPN.

Thus I now have to set up a dedicated wireguard server…