Kevin has the right idea for more granular control of this. Please try the following steps:
- Turn on “Inter-VLAN routing” which is a (global setting) for the sub-interface.
- Change the default Internal Firewall rule to “Deny”.
- Add the necessary “Allow” rules to control the desired access.
Also keep the source IP port to “Any” leaving the destination IP port “80”on your example firewall rule.