Example 2 – block all traffic from other networks

In our example network, we wanted to keep the SALES, MARKETING and DEVELOPERS networks separate, so that none of these networks had access to each other (with certain exceptions for shared resources), but all three networks should have access to the DMZ, which does not have access to other local networks. All of these networks should have access to the internet through the WAN interface. We can achieve this by creating two rules on each network:

  1. Rules on each interface blocking access to non-DMZ networks.
  2. A default rule such as the Allow LAN to any rule, for each specific interface.

This ruleset will block all incoming traffic that does not originate on the local network while still allowing access to the internet. We will address the creation of a default allow rule in the next section, but first let's create the block rule:

  1. We again navigate to Firewall | Rules, and click on the DEVELOPERS tab. Then we can click on either Add button below the table to add a new rule.
  2. On the Edit page, we change the Action value to Block. For Interface, we keep DEVELOPERS as the interface on which packets must arrive to match this rule. We can set the Address Family field to IPv4, IPv6, or IPv4+IPv6, depending on whether our network uses IPv4 addresses, IPv6 addresses, or both. We want to block all traffic, so we set Protocol to Any.
  3. The packets must come from the DEVELOPERS subnet for the rule to apply, so we set Source to DEVELOPERS net. We don't need to set a port range for this rule, so we will not click on the Show Advanced button.
  4. We will first create a rule to block access to SALES; thus, we set Destination to SALES net.
  5. For the description, we enter something appropriate (for example, Block access to SALES) and click on the Save button. We also click Apply Changes to reload the firewall rules.

Our ruleset will not be complete until we create a rule to block access to MARKETING on DEVELOPERS and repeat the process on the SALES and MARKETING networks. Fortunately, this somewhat tedious process can be made easier by clicking on the Copy icon to make a copy of the rule and then changing the appropriate fields. Change the Destination to MARKETING net to finish the ruleset for DEVELOPERS, then duplicate these two rules on the other interfaces by copying them and changing Interface and Destination settings where appropriate. Note that we did not create a rule to block access to the DMZ network; we want other networks to have access to it.
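The following added example is not from the book or from pfSense itself; it models the ruleset described above as a small first-match evaluator so the effect of rule order can be checked against sample packets. pfSense rules are first-match (the "quick" behaviour), so the block rules must sit above the per-interface "Allow ... to any" rule, and an interface with no rules at all (here the DMZ) falls through to the implicit default deny. The subnet addresses and the `Rule`, `build_ruleset`, `misordered_ruleset` and `evaluate` names are constructed for this illustration; pfSense resolves the "DEVELOPERS net" style aliases from its interface configuration.

```python
"""First-match model of the inter-network block ruleset from the text.

Added illustration, not pfSense code. The subnets are constructed placeholders
(the page names no addresses); the alias names match the ones used in the GUI.
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional, Tuple

# Constructed placeholder subnets standing in for the "<INTERFACE> net" aliases.
NETS = {
    "DEVELOPERS": ip_network("10.0.10.0/24"),
    "SALES": ip_network("10.0.20.0/24"),
    "MARKETING": ip_network("10.0.30.0/24"),
    "DMZ": ip_network("10.0.40.0/24"),
}
# The three networks that must be kept apart; the DMZ is reachable from all of them.
LOCAL = ("DEVELOPERS", "SALES", "MARKETING")


class Rule(NamedTuple):
    interface: str        # interface the packet arrives on
    action: str           # "block" or "pass"
    src: Optional[str]    # alias name, or None for "any"
    dst: Optional[str]    # alias name, or None for "any"
    description: str


def build_ruleset() -> List[Rule]:
    """Per local interface: block each other local net first, then allow to any.

    This is the order the text arrives at: the two block rules (copied and
    edited per interface) sit above the default "Allow <IFACE> to any" rule.
    """
    rules: List[Rule] = []
    for iface in LOCAL:
        for other in LOCAL:
            if other != iface:
                rules.append(Rule(iface, "block", iface, other, f"Block access to {other}"))
        rules.append(Rule(iface, "pass", iface, None, f"Allow {iface} to any"))
    return rules


def misordered_ruleset() -> List[Rule]:
    """Same rules with the allow-any rule placed first: the blocks never match."""
    rules = build_ruleset()
    return [r for r in rules if r.action == "pass"] + [r for r in rules if r.action == "block"]


def _matches(alias: Optional[str], addr: str) -> bool:
    return alias is None or ip_address(addr) in NETS[alias]


def evaluate(rules: List[Rule], interface: str, src: str, dst: str) -> Tuple[str, str]:
    """First matching rule on the arrival interface decides; no match is a deny."""
    for r in rules:
        if r.interface == interface and _matches(r.src, src) and _matches(r.dst, dst):
            return r.action, r.description
    return "block", "implicit default deny"


if __name__ == "__main__":
    ruleset = build_ruleset()
    samples = [  # (interface, src, dst): constructed sample packets
        ("DEVELOPERS", "10.0.10.5", "10.0.20.7"),    # developer -> sales host
        ("DEVELOPERS", "10.0.10.5", "10.0.40.7"),    # developer -> DMZ host
        ("DEVELOPERS", "10.0.10.5", "203.0.113.9"),  # developer -> internet
        ("SALES", "10.0.20.7", "10.0.10.5"),         # sales -> developer host
        ("DMZ", "10.0.40.7", "10.0.10.5"),           # DMZ -> developer host
    ]
    for iface, s, d in samples:
        print(iface, s, "->", d, evaluate(ruleset, iface, s, d))
    print("misordered:", evaluate(misordered_ruleset(), "DEVELOPERS", "10.0.10.5", "10.0.20.7"))
```

Running it shows DEVELOPERS reaching the DMZ and the internet but not SALES, SALES not reaching DEVELOPERS, and the DMZ unable to initiate anything toward the local networks because it has no rules. The `misordered_ruleset` case is the check worth keeping in mind when copying rules between interfaces: if the "Allow ... to any" rule ends up above the block rules, the block rules are dead and inter-network traffic passes.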
