ACL rules to exclude local networks

Hello, friends!

I want to create rules to protect my local subnet hosts (home, DMZ) to allow connections only from the admin tag. But I need my non-admin machines to connect to internet sites (TCP 80, 443) but not to the local networks. I am on a free account. Is it possible to exclude subnets, or are there any other options?

// Declare convenient hostname aliases to use in place of IP addresses.
"hosts": {
    "home-net": "192.168.0.0/24",
    "DMZ-net": "192.168.200.0/24",
},

"acls": [
    // Match absolutely everything.
    // Comment this section out if you want to define specific restrictions.
    {"action": "accept", "src": ["*"], "dst": ["193.232.51.79:80"]},
    {"action": "accept", "src": ["*"], "dst": ["*:443"]},
    {
        "action": "accept",
        "src": ["*"],
        "dst": ["192.168.0.121:53", "192.168.0.254:53"],
    },
    {"action": "accept", "src": ["tag:admin"], "dst": ["*:3389"]},
    {"action": "accept", "src": ["tag:admin"], "dst": ["*:22"]},
    {"action": "accept", "src": ["tag:admin"], "dst": ["*:443"]},
],
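
An added example, not part of the original post: a small Python audit of the rules as posted, listing every accept rule whose source is not `tag:admin` and whose destination overlaps `home-net` or `DMZ-net`. It assumes that `*` as a destination host matches every address and that the policy contains only accept rules, as in the post; the function names and the Python transcription of the rules are this example's own.

```python
import ipaddress

# Subnets and rules transcribed from the policy in the post (constructed copy).
HOSTS = {"home-net": "192.168.0.0/24", "DMZ-net": "192.168.200.0/24"}
ACLS = [
    {"src": ["*"], "dst": ["193.232.51.79:80"]},
    {"src": ["*"], "dst": ["*:443"]},
    {"src": ["*"], "dst": ["192.168.0.121:53", "192.168.0.254:53"]},
    {"src": ["tag:admin"], "dst": ["*:3389"]},
    {"src": ["tag:admin"], "dst": ["*:22"]},
    {"src": ["tag:admin"], "dst": ["*:443"]},
]
TRUSTED_SRC = {"tag:admin"}  # sources allowed to reach the protected subnets


def dst_network(host, hosts):
    """Resolve the host part of a dst entry; None stands for the wildcard '*'."""
    if host == "*":
        return None
    # An alias from "hosts" resolves to its CIDR; a bare IP becomes a /32.
    return ipaddress.ip_network(hosts.get(host, host), strict=False)


def exposed_grants(acls, hosts, trusted=TRUSTED_SRC):
    """Return (src, dst, subnet alias) for each grant that lets an
    untrusted source reach an address inside a protected subnet."""
    protected = {name: ipaddress.ip_network(cidr) for name, cidr in hosts.items()}
    findings = []
    for rule in acls:
        untrusted = [s for s in rule["src"] if s not in trusted]
        for dst in rule["dst"]:
            host, _, _port = dst.rpartition(":")
            net = dst_network(host, hosts)
            for name, subnet in protected.items():
                # Assumption: a wildcard destination covers every subnet.
                if net is None or net.overlaps(subnet):
                    findings.extend((s, dst, name) for s in untrusted)
    return findings


if __name__ == "__main__":
    for src, dst, name in exposed_grants(ACLS, HOSTS):
        print(f"{src} -> {dst} reaches {name}")
```

On the posted rules this reports the `*` to `*:443` rule against both subnets, plus the two port 53 entries inside `home-net`.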