I want to completely isolate two NAS units from the internet so that they can only be accessed on the main LAN.
On Netgear routers it's simple by setting the firewall to block all inbound and outbound traffic (all protocols) to the internet from a specific LAN IP address/s.
Ah OK. So when the WANs are in NAT mode, the firewall is stateful - that is to say, any inbound traffic will be ignored and discarded unless it was sent to a port that has been intentionally opened (i.e. in an inbound port forwarding / NAT mapping rule or one that is in use by an onboard service - like DNS, PPTP VPN etc), or is being sent by an external IP address in response to traffic that was just sent out to that IP from devices on the LAN.
If your router has WANs that are set to IP Forwarding rather than NAT, then the inbound rules will take effect on all traffic coming inbound on the WAN since NAT/the stateful firewall won’t be discarding anything.
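The behaviour described in the reply above, as a small Python model (an added example, not part of the original posts and not any router's actual firmware logic). The class name, rule fields, port-preserving NAT and all addresses are constructed assumptions; it shows why an outbound block alone isolates a NAS in NAT mode, while IP Forwarding mode also needs an inbound rule.

```python
from dataclasses import dataclass, field

@dataclass
class WanFirewall:
    """Hypothetical model of one WAN link; every field name is an assumption."""
    nat_mode: bool = True                                 # False = IP Forwarding
    blocked_lan_ips: set = field(default_factory=set)     # outbound block rules
    inbound_block_ips: set = field(default_factory=set)   # inbound block rules
    port_forwards: dict = field(default_factory=dict)     # (proto, wan_port) -> lan_ip
    router_services: set = field(default_factory=set)     # (proto, port) on the router
    state: dict = field(default_factory=dict)             # connection-tracking table

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        if lan_ip in self.blocked_lan_ips:
            return "DROP: outbound block rule"            # no state entry is created
        # Assumption: NAT keeps the source port, so replies arrive on lan_port.
        self.state[(proto, lan_port, remote_ip, remote_port)] = lan_ip
        return "ALLOW"

    def inbound(self, proto, remote_ip, remote_port, dst_ip, dst_port):
        if not self.nat_mode:
            # IP Forwarding: nothing is discarded by NAT, so only inbound rules apply.
            if dst_ip in self.inbound_block_ips:
                return "DROP: inbound rule"
            return f"FORWARD to {dst_ip}"
        if (proto, dst_port) in self.router_services:
            return "ALLOW: router service"
        # An intentionally opened port, or a reply to traffic just sent out.
        target = self.port_forwards.get((proto, dst_port))
        if target is None:
            target = self.state.get((proto, dst_port, remote_ip, remote_port))
        if target is None:
            return "DROP: unsolicited"
        if target in self.inbound_block_ips:
            return "DROP: inbound rule"
        return f"ALLOW -> {target}"

# Constructed sample addresses: NAS, a normal PC, and a documentation-range remote host.
NAS, PC, REMOTE, WAN_IP = "192.168.1.50", "192.168.1.10", "203.0.113.7", "198.51.100.2"

if __name__ == "__main__":
    fw = WanFirewall(blocked_lan_ips={NAS})
    print(fw.outbound("tcp", NAS, 40000, REMOTE, 443))
    print(fw.inbound("tcp", REMOTE, 443, WAN_IP, 40000))
    print(fw.outbound("tcp", PC, 40001, REMOTE, 443))
    print(fw.inbound("tcp", REMOTE, 443, WAN_IP, 40001))
```
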