I also tried an RVI filter prior to posting to find the same issue 😞
I used the following configuration when trying to apply the filter to the RVI (I had this applied in place of the VLAN filter at the time it was implemented):
set firewall family inet filter Egress-Block-Guest-Wireless term Block-guests from source-address 192.168.0.0/24
set firewall family inet filter Egress-Block-Guest-Wireless term Block-guests from destination-address 172.62.0.0/24
set firewall family inet filter Egress-Block-Guest-Wireless term Block-guests from destination-address 172.62.10.0/24
set firewall family inet filter Egress-Block-Guest-Wireless term Block-guests then discard
set firewall family inet filter Egress-Block-Guest-Wireless term Allow-Guests then accept
I also tried a filter on both the RVI & the VLAN (out of desperation lol).
The reason I have elected the VLAN itself as opposed to the RVI as a preference is that once I have the basic troubleshooting version of the filter rule in place, I plan to expand the filter to block other traffic, including clients on the 192.168.0.0/24 network from communicating with anything except for the gateway (they are guests, so ideally I don't want them to communicate with each other in the long run).
If I need to make sacrifices on future plans to make the filter work then sacrifices will need to be made, but it all seems like a pretty straightforward requirement which I have achieved in other environments without an issue, particularly considering the simplicity of the rule which I am using to test with.
Thank you for the link to the article. I think I may have somehow missed that one in my reading, and I've bookmarked it for when it's not 1:20am so I don't miss anything when re-reading 🙂
As a matter of interest, I have quickly tested the same policy as an ingress policy instead of an egress and it appears (so far) to have achieved what I am after.
I think my error has been looking at things from the perspective of traffic EXITING the subnet as opposed to looking at it as traffic leaving the switches, and likewise I saw ingress as traffic ENTERING the subnet as opposed to coming into the switches.
Further testing when I am not so tired will be required, but thank you for your assistance so far 🙂