I couldn't find any negate filters on switch rules, so I am not sure how I can detect a device trying to access the WAN with switch rules in order to drop the packet.
This is a hypothetical question. I am asking if there is a way to drop WAN packets with switch rules.
If you are asking about https://help.mikrotik.com/docs/display/ ... -RuleTable
that is one of the least/most poorly documented features that I have tried to find any info on.
There are no examples in either the ROS or SwOS manuals.
The only thing I see as a way to drop a packet is by matching a compound condition with the specified action new-dst-ports = Null. The docs say this will "drop the packet".
If it is possible to have multiple conditions to match, and you want vlan 10 to only be able to be forwarded to vlan 20, and all packets will be ipv4, and there is a single ip subnet associated with vlan 20, then
matching on src-address == vlan 10 subnet && dst-address == vlan 20 address with no action specified is supposed to accept the packet and stop scanning rules. This would be followed by a rule that matches src-address == vlan 10 subnet && dst-address == 0.0.0.0/0 (any ip address) with action new-dst-ports = Null (drop packet).
Again, this is only a guess... and your guess is as good as mine as to how to form the multiple-condition rule.
Let us know what you discover when you try.
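For reference, the two-rule scheme sketched in the reply written out in RouterOS console syntax. This is an added example, not configuration from the post or from MikroTik documentation, and it is as untested as the reply's guess. Constructed assumptions: a CRS3xx-class switch whose switch chip is named `switch1`, VLAN 10 hosts entering on `ether2` from `192.168.10.0/24`, and VLAN 20 using `192.168.20.0/24`. `new-dst-ports=""` (empty) is the documented drop action; the "accept and stop" behaviour of a matching rule with no action is the reply's assumption, not something the page confirms. Leaving `dst-address` unset in the second rule matches any destination, which avoids relying on `0.0.0.0/0` being accepted as a value.

```routeros
# Added example (not from the forum post). Constructed values:
#   switch chip  : switch1
#   VLAN 10 port : ether2, hosts in 192.168.10.0/24
#   VLAN 20      : 192.168.20.0/24
# Rules are evaluated top to bottom; the first match is applied.

/interface ethernet switch rule

# Rule 1: VLAN 10 -> VLAN 20 IPv4 traffic. No action set, so (per the
# reply's assumption) the packet is accepted and no later rule is consulted.
add switch=switch1 ports=ether2 mac-protocol=ip \
    src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    comment="allow vlan10 subnet -> vlan20 subnet"

# Rule 2: any other IPv4 packet from the VLAN 10 subnet (WAN included).
# An empty new-dst-ports forwards to no port, i.e. the packet is dropped.
add switch=switch1 ports=ether2 mac-protocol=ip \
    src-address=192.168.10.0/24 \
    new-dst-ports="" comment="drop all other vlan10 IPv4 traffic"

# Confirm the order: the allow rule must be listed before the drop rule.
/interface ethernet switch rule print
```

Only `mac-protocol=ip` frames are matched, so non-IPv4 traffic such as ARP from the VLAN 10 port is untouched by either rule; if that is not wanted, the drop rule needs a separate match for the other protocols. After applying, test from a VLAN 10 host that VLAN 20 is reachable and that a WAN address is not, and if the behaviour differs from the reply's description, the unknown is most likely the no-action rule, not the drop.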