ACL rules to exclude local networks

Hello, friends!

I want to create rules to protect my local subnet hosts (home, DMZ) to allow connections only from admin tag. But i need my non admin machines to connect to internet sites (TCP 80,443) but not in local networks. I am on free account. Is it possible to exclude subnets or any other options?

// Declare convenient hostname aliases to use in place of IP addresses.
“hosts”: {
“home-net”: “”,
“DMZ-net”: “”,

“acls”: [
// Match absolutely everything.
// Comment this section out if you want to define specific restrictions.
{“action”: “accept”, “src”: [““], “dst”: [“”]},
{“action”: “accept”, “src”: [”
”], “dst”: [“:443"]},
“action”: “accept”,
“src”: ["
“dst”: [“”, “”],
{“action”: “accept”, “src”: [“tag:admin”], “dst”: [“:3389"]},
{“action”: “accept”, “src”: [“tag:admin”], “dst”: ["
{“action”: “accept”, “src”: [“tag:admin”], “dst”: [“*:443”]},