@NovaMIT 

ACL rules are read from top to bottom. So first you create allow rules then deny which is below the allow rule

here is an example of this

at the bottom I have blocked all private IPs, in the rule above I have allowed some private IPs, this is to block some remote LANs in site to site vpn

  @MR.S 

Hello! Thanks for the reply!

I know that rules sequence is important. But currently I lost in the fist step, how to block any IP (lan, wifi) on the network using 25 port for WAN OUTgoing traffic.

More simple, deny any IoT, TV,Mobile,etc., to be able to send mails on network.

deny: out 192.168.1.xxx:25

If I will be convince that this block is working. I well give access only for dedicated mail server.

permit: out 192.168.1.111:25

NOTE: "in 192.168.1.xxx:25" could be open for any IP

Thanks!

  @NovaMIT 

rule 1 allow port 25 from mail server
rule 2 block port 25 for all

and switch source and destination,

  @NovaMIT 

This is how you should do it.

  @MR.S 

Hello, thanks for your help to figure it out.

I have changed the direction like above:

so:

Waited a minute and still can send mails...

What have I missed?

  @MR.S

Based on your instruction I have successfully created my ACL rules, that working as is expected!

Thank you MR.s!

N