Blocking a VLAN from access over only 1 WAN connection
Is there a way to block a VLAN or IP Group from one but not all WAN connections?
I have a network with three WAN connections. One is metered, two are unmetered. I have roughly 500 users with about 700 client devices at any given time while on the unmetered connections and the network is opened up. There are times when the metered connection is the only connection I have available, at which point the network is set up to use local user accounts and/or vouchers for the things people need to do.
Even when we have the unmetered connections available (50% of the time), there are still some applications that I'd really like to use the dedicated bandwidth from the metered connection. Things like telcon medical appointments, remote court cases, etc.
I already have four VLANs: One is for management (1), one for the open unmetered connections (10), one for when I only have the metered connection available (30), and one that is called "special use" and is currently only used while on the metered connection (40). The VLANs for the metered network (30 and 40) use portals with either local user or vouchers as noted above. They also obviously all have their own DHCP IP subnets.
I see in the ACL rule creation that for "direction" it lets you choose "LAN > WAN" or "[WAN/LANX] IN". However, setting up an ACL for WAN/LAN4 IN to deny from IPGroup_Any to IPGroup_Any doesn't stop connection over WAN/LAN4. Only when I include LAN > WAN as well will it stop internet connectivity. And if I remove WAN/LAN4 from the deny Any to Any rule, it still blocks all traffic, which I would expect.
What does the WAN/LAN4 direction in the ACL rule actually do? Does it just stop connections from outside IP addresses from establishing, but allow internal addresses to establish connections to the WAN? I feel like it should allow traffic out, so the DNS request would go out, but should block the response. Similarly, it should allow a request to go out to an IP address, but then deny the return information, thus preventing the page from loading. Obviously my feeling about how it should work is wrong, so I'm wondering how it does work.
Is there another way to block a certain VLAN from accessing a specific WAN connection without affecting connectivity to all of the WANs?
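As an added illustration (not from the post or from any vendor documentation), here is a small model that reproduces the behaviour described above: a stateful gateway where a "WAN IN" rule is only evaluated for packets that start a new flow on that WAN, so the reply to a LAN-initiated DNS query is never checked against it, while a "LAN > WAN" rule is checked before the flow is created. Whether the poster's gateway actually works this way is an assumption; the host addresses, resolver address and group names are constructed.

```python
"""Model of stateful ACL direction semantics (assumed, not confirmed by the post)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str  # interface the packet arrives on: "LAN" or e.g. "WAN4"


@dataclass(frozen=True)
class Rule:
    direction: str   # "LAN>WAN" or "<WAN> IN", mirroring the ACL form's choices
    action: str      # "deny" or "permit"
    src_group: str   # "Any" or a CIDR such as "10.0.40.0/24"
    dst_group: str


def in_group(ip: str, group: str) -> bool:
    return group == "Any" or ip_address(ip) in ip_network(group)


class StatefulGateway:
    """ACL rules are consulted only for packets that open a new flow; return
    traffic of a flow already in the state table bypasses the ACL entirely."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()

    def forward(self, pkt: Packet) -> bool:
        if (pkt.dst, pkt.src) in self.flows:   # reply to a flow we already allowed
            return True
        for r in self.rules:
            wanted = "LAN" if r.direction == "LAN>WAN" else r.direction.split()[0]
            if (pkt.ingress == wanted and in_group(pkt.src, r.src_group)
                    and in_group(pkt.dst, r.dst_group)):
                return r.action == "permit"
        self.flows.add((pkt.src, pkt.dst))     # implicit permit: remember the flow
        return True


def dns_roundtrip(gw: StatefulGateway, client: str, resolver: str, wan="WAN4") -> bool:
    """True if the query leaves via the LAN side and the reply returns via the WAN."""
    return (gw.forward(Packet(client, resolver, "LAN"))
            and gw.forward(Packet(resolver, client, wan)))


# Constructed scenarios: a VLAN 40 host (10.0.40.5) talking to a public resolver.
wan_in_only = StatefulGateway([Rule("WAN4 IN", "deny", "Any", "Any")])
lan_to_wan = StatefulGateway([Rule("LAN>WAN", "deny", "10.0.40.0/24", "Any")])
```

In this model the WAN-IN-only deny leaves the VLAN 40 host's DNS round trip working (only unsolicited inbound connections are dropped), whereas the LAN > WAN deny blocks the query before any state exists, matching the two outcomes the post reports.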