Internet Isolation for IoT devices

Hi everyone!

I am looking to connect all my IoT devices to my Beryl secondary router and isolate them from the internet.
However, I still want to have my main devices (phone / laptop) on the primary router and be able to control the IoT devices on the travel router.

I have edited /etc/config/firewall and added the rules below, but when I tried connecting my phone to the secondary router, internet still works.

What am I doing wrong? Is it because of the “Zone” forwarding from LAN to WAN?

config rule
	option dest '*'
	option target 'ACCEPT'
	option name 'Rule #1'
	list dest_ip '192.168.1.0/24'
	list src_ip '192.168.8.1/32'

config rule
	option dest '*'
	option target 'REJECT'
	option name 'Rule #2'
	list dest_ip '192.168.1.0/24'
	list src_ip '192.168.8.0/24'

config rule
	option target 'REJECT'
	option name 'Rule #4'
	list dest_ip '192.168.1.0/24'
	list src_ip '192.168.8.1/24'

A couple of technical details:

Router 1 config:
internal IP: 192.168.1.1
DHCP from 192.168.1.100 to 199
Gateway: 10.20.21.29
External IP: 27.aa.bbb.ccc
Subnet mask 255.255.255.0

Router 2 config:
Static IP assigned from Router 1: 192.168.1.9 (but I can either access the router from 192.168.1.9 or 192.168.8.1)
DHCP from 192.168.8.100 to 299
Gateway: 192.168.1.1
external IP: same as Router 1 - 27.aa.bbb.ccc
Subnet mask 255.255.255.0
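
Added example, not part of the original post: a small Python model that checks the three posted rules against constructed sample packets to show which traffic they can match at all. It models only src_ip/dest_ip matching in file order (first match wins); zone and chain selection are not modeled, and the fall-through ACCEPT stands for the LAN to WAN zone forwarding the post mentions, which is an assumption.

```python
import ipaddress

# Rules copied from the post, in file order: (name, src_ip, dest_ip, target).
RULES = [
    ("Rule #1", "192.168.8.1/32", "192.168.1.0/24", "ACCEPT"),
    ("Rule #2", "192.168.8.0/24", "192.168.1.0/24", "REJECT"),
    ("Rule #4", "192.168.8.1/24", "192.168.1.0/24", "REJECT"),
]

# Assumption: lan -> wan zone forwarding is enabled and accepts unmatched traffic.
FALLTHROUGH = ("lan->wan forwarding", "ACCEPT")


def net(cidr):
    # strict=False reads '192.168.8.1/24' (host bits set) as 192.168.8.0/24.
    return ipaddress.ip_network(cidr, strict=False)


def evaluate(src, dst):
    """Return (matched_by, verdict) for one packet; the first matching rule wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_ip, dest_ip, target in RULES:
        if s in net(src_ip) and d in net(dest_ip):
            return name, target
    return FALLTHROUGH


def shadowed_rules():
    """Names of rules fully covered by an earlier rule, so they never decide."""
    shadowed = []
    for i, (name, src_ip, dest_ip, _) in enumerate(RULES):
        for _, prev_src, prev_dst, _ in RULES[:i]:
            if (net(src_ip).subnet_of(net(prev_src))
                    and net(dest_ip).subnet_of(net(prev_dst))):
                shadowed.append(name)
                break
    return shadowed


# Constructed sample packets: IoT client to an internet host (documentation
# address 203.0.113.10), IoT client to Router 1, and Router 2 itself to Router 1.
SAMPLES = [("192.168.8.100", "203.0.113.10"),
           ("192.168.8.100", "192.168.1.1"),
           ("192.168.8.1", "192.168.1.1")]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
    print("shadowed:", shadowed_rules())
```

Every posted rule has dest_ip 192.168.1.0/24, so a packet to any internet address matches none of them and is decided by whatever handles unmatched traffic.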