Bingo!!
Just added a rule like this:
The rules for DNS & DHCP were already set following the "howto" mentioned in the 1st post, as well as the isolate function on wifi.
It seems to work perfectly: I cannot access LAN devices or ping them, but internet is working.
Thanks!
PS: I also learnt something about the gateway/final destination.