VPN Policy Based on Client Device ... not working

This is a GL.iNet X3000.
I have turned OFF IPv6 for all devices (WAN, LAN) in LuCI.

I have AdGuard Home turned on.
I use WireGuard with the VPN provider Surfshark. It connects fine and I get an IP address.

I chose "VPN Policy Based on the Client Device", then added the MAC addresses of the various devices that should only go through this VPN.

It doesn't matter whether the VPN is ON or OFF: the client devices with a MAC ID in the policy can easily connect to the internet. I expected the client devices not to be able to connect to the internet when the VPN is off (meaning I kill WireGuard).

I also ran ping with the VPN on and off; no problem, I saw responses.
I also ran traceroute and only saw * * * for 29 out of 30 hops.

I made this work manually by updating the firewall rules.

Is there a better way to do this, a kill switch?
I added the following lines (one for each client MAC ID) using vi /etc/firewall.user and vi /etc/sysupgrade.conf:

# Drop forwarded traffic from each VPN-only client unless it leaves via the WireGuard interface (wgclient)
iptables -I FORWARD -m mac --mac-source BB:22:11:77:AA:28 ! -o wgclient -j DROP
iptables -I FORWARD -m mac --mac-source AA:11:22:88:BB:38 ! -o wgclient -j DROP
# Reload the firewall so /etc/firewall.user is executed again
service firewall restart

Would this option "Block Non-VPN Traffic" work for you?

I tried this option. It blocks ALL traffic. I only want to block some clients.
For example, say I have devices A, B, C in my LAN:
A, B could be my laptop and desktop.
C could be an IoT device like a camera or thermostat, etc.

I want A, B not to use the VPN, but I want C to use the VPN.
When the VPN goes down, C should have NO access to the internet.

At present the GL.iNet software choices don't have these options,
so I had to manually add firewall routes to achieve this.

I used pfSense for a long time and the security features were the best!
Since I moved to the GL.iNet platform, I have been looking to mimic those firewall features.
Unfortunately, many of the firewall features are lacking or hard to implement.
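The per-client kill switch described above (the iptables rules posted in /etc/firewall.user and the A/B/C policy) can be made idempotent and re-runnable by keeping the rules in a dedicated chain. The script below is an added example and is not code from this thread or from GL.iNet's firmware; it assumes (hypothetically) that the WireGuard client interface is named wgclient, that the two sample MACs are the VPN-only clients, and that the router uses iptables (fw3). The chain name VPN_KILLSWITCH and the function names are the example's own.

```shell
#!/bin/sh
# Per-client VPN kill switch for an OpenWrt router using iptables (fw3).
# Added example; not code from the forum thread or from GL.iNet firmware.
# Assumptions (hypothetical): the WireGuard client interface is "wgclient",
# the VPN-only clients are the two sample MACs below, and the rules live in
# a dedicated chain so re-running the script never duplicates FORWARD entries.

CHAIN="VPN_KILLSWITCH"
VPN_IF="${VPN_IF:-wgclient}"
# Constructed sample list: the clients that must never leave via the WAN.
VPN_ONLY_MACS="BB:22:11:77:AA:28 AA:11:22:88:BB:38"

# Return 0 if $1 looks like a colon-separated MAC address, 1 otherwise.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print (never execute) the iptables commands that implement the policy.
# $1 = VPN interface name, remaining arguments = VPN-only MAC addresses.
killswitch_rules() {
    vpn_if="$1"; shift
    # Create the chain, or flush it if it already exists, so reloads are idempotent.
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    for mac in "$@"; do
        # Forwarded packets from this client that would leave via any interface
        # other than the tunnel are dropped. When WireGuard is down the tunnel
        # interface does not exist, so "! -o wgclient" matches everything.
        echo "iptables -A $CHAIN -m mac --mac-source $mac ! -o $vpn_if -j DROP"
    done
    # Jump into the chain from the top of FORWARD, adding the jump only once (-C checks).
    echo "iptables -C FORWARD -j $CHAIN 2>/dev/null || iptables -I FORWARD 1 -j $CHAIN"
}

# Validate the MAC list, then print the rules (DRY_RUN set) or run them on the router.
apply_killswitch() {
    for mac in $VPN_ONLY_MACS; do
        valid_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
    done
    if [ -n "${DRY_RUN:-}" ]; then
        killswitch_rules "$VPN_IF" $VPN_ONLY_MACS
    else
        killswitch_rules "$VPN_IF" $VPN_ONLY_MACS | sh -e
    fi
}

# Usage on the router:  sh killswitch.sh apply   (or: DRY_RUN=1 sh killswitch.sh apply)
case "${1:-}" in
    apply) apply_killswitch ;;
esac
```

Two caveats a practitioner should keep in mind. These rules only cover forwarded traffic: a client that sends its DNS queries to the router itself (for example to AdGuard Home) hits the INPUT chain, and the router then resolves the name upstream over whatever route it has, so names can still resolve for a VPN-only client while the tunnel is down; blocking port 53 from those MACs in INPUT is a separate decision. And /etc/sysupgrade.conf is a list of files to preserve across firmware upgrades, so the path /etc/firewall.user belongs there, while the rules themselves belong in /etc/firewall.user.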

Got it, we would like to add a feature for this,
so customers can choose either the policy preference or the kill switch preference.
It is already in our plan and should be available in a few months.

Besides, could you please share some more info on "many of the firewall features are lacking"?
Maybe we can find ways to implement them or add them to our features in the future as well.

Thank you.

Actually, the clients that are not in the policy, which means they route via WAN and not the VPN, shall not have internet access when the VPN is on, no matter whether the Kill Switch is ON or OFF.

You can share the system log with us if it doesn't work like this on your side.

I just tested this.
I turned off the custom firewall rules (as above), but I am sorry, I am correct.
With the VPN turned OFF, the machines that are only allowed through the VPN are still going out... it must be through the WAN. This is not acceptable.
Let me know how I can share the system log.

I would assume this is totally fine, because turning off the VPN turns off all VPN rules as well.
Same as with the firewall: turning off the firewall turns off all firewall rules as well.