We have an SSID set up for guest devices, VLAN 20, with the deny local LAN option enabled. We also have a few ACLs configured for VLAN 20 (see screenshot).
Would there be any conflict having the ACLs and "deny local LAN"?
If this network is used only for Wi-Fi, you can deny the LAN directly on the SSID and remove the firewall deny rule, which will work without a problem. But it's okay to keep both.
You wouldn't need the firewall rules for DHCP as that is exempted from the "Deny Local LAN" processing:
Bringing this back alive. Does anyone see a problem with this ACL? With these ACLs in place, mobile clients do not get a DHCP IP. If I remove the ACLs, everything works as it should. Also, this network has the "Deny local LAN" option ticked under the SSID.