Blocking default LAN from accessing VLAN

Get rid of your last rule, set the second-to-last rule to allow, and set invert (NOT) on the RFC1918 destination so it looks like !RFC1918.

Then your rule is saying allow everything that is NOT RFC1918.

EDIT:

Looking at the rest of your rules, they don’t look right. You don’t block or allow “This firewall”; you do this by the interface address or by the interface net. Look at this example.

  1. Blocks all DNS traffic that is NOT my GUEST address (interface)
  2. Allows GUEST subnet to GUEST address for DNS
  3. Allows GUEST net to everything that is NOT RFC1918
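As an added illustration (not part of the original post), here is a small Python model of first-match evaluation for the three rules above, including the inverted !RFC1918 destination and the implicit default deny. The alias values (GUEST net 192.168.50.0/24, GUEST address 192.168.50.1) are assumed sample values, not the poster's.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Aliases used by the rules. GUEST addressing is a constructed sample value.
ALIASES = {
    "RFC1918": [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")],
    "GUEST_net": [ip_network("192.168.50.0/24")],      # assumed
    "GUEST_address": [ip_network("192.168.50.1/32")],  # assumed
    "any": [ip_network("0.0.0.0/0")],
}

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # alias name for the source
    dst: str                     # alias name for the destination
    dport: Optional[int] = None  # None matches any destination port
    invert_dst: bool = False     # the "not" / "!" checkbox on the destination

def in_alias(addr, name) -> bool:
    return any(addr in net for net in ALIASES[name])

def matches(rule, src, dst, dport) -> bool:
    if not in_alias(src, rule.src):
        return False
    dst_hit = in_alias(dst, rule.dst)
    # With invert set, the rule matches only when the destination is NOT in the alias.
    if dst_hit == rule.invert_dst:
        return False
    return rule.dport is None or rule.dport == dport

def evaluate(rules, src, dst, dport) -> str:
    """First matching rule wins; anything unmatched hits the default deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if matches(rule, s, d, dport):
            return rule.action
    return "block"

# The three rules from the post, in order.
GUEST_RULES = [
    Rule("block", "any", "GUEST_address", dport=53, invert_dst=True),  # 1
    Rule("pass", "GUEST_net", "GUEST_address", dport=53),              # 2
    Rule("pass", "GUEST_net", "RFC1918", invert_dst=True),             # 3
]

if __name__ == "__main__":
    for dst, port in [("8.8.8.8", 53), ("192.168.50.1", 53),
                      ("93.184.216.34", 443), ("192.168.1.20", 445)]:
        print(dst, port, "->", evaluate(GUEST_RULES, "192.168.50.10", dst, port))
```

A guest host is allowed out to the Internet and to the interface's resolver, while DNS to outside resolvers and any traffic to other private subnets is blocked.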