Need WIFI / ETH with no Internet access but accessible by VPN

I have two devices in my network. One connected through WIFI and the other by cable.

I'd like them to have no Internet access while still being able to connect to other devices in the LAN.

Also I'd like to access them when connecting to my LAN via VPN.

How can I achieve that?

Ideally I'd like to make all settings in LuCI.

Network > Firewall > Traffic Rules > New forward rule:
Add rules with source zone lan, destination zone wan and action reject for hosts with specific MAC addresses.
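
The rule described in the answer above, written as the equivalent `/etc/config/firewall` section. This is an added example, not part of the original post; the rule name and MAC addresses are constructed placeholders, and the zone names `lan` and `wan` are the ones given in the answer.

```uci
# /etc/config/firewall
# Added example: rule name and MAC addresses are constructed placeholders.
config rule
	option name 'Block-WAN-for-isolated-hosts'
	# Matches only traffic forwarded from the lan zone to the wan zone
	option src 'lan'
	option dest 'wan'
	# One entry per device: the Wi-Fi client and the wired client
	list src_mac 'AA:BB:CC:00:00:01'
	list src_mac 'AA:BB:CC:00:00:02'
	# Rules default to TCP and UDP only; 'all' also covers ICMP and other protocols
	option proto 'all'
	option target 'REJECT'
```

Because the rule only matches traffic forwarded from `lan` to `wan`, LAN-to-LAN traffic is untouched, and VPN clients can still reach the two hosts provided the VPN's zone is allowed to forward to `lan` (an assumption about the VPN setup, which the thread does not describe). The match depends on each device presenting a fixed MAC address, so turn off MAC randomization on the Wi-Fi client.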