Greetings all,
I have been experimenting with some VLANs. I have a POE5, and a UNIFI PRO AC AP, both with up to date software, the Edgerouter is simply configured with the wizard. My question is more about how it should work, or to increase my understanding.
I have a guest VLAN set up basically to allow people to do some web surfing etc.; I have speed limits on it, etc.
What I would like to do is basically deny all traffic except what I specifically allow. In my case, I would really only like to allow mail traffic (587, 465, 993, 995) and basic web (http - 80, 443). That would make me feel better about increasing the speeds, and not worry about someone using a torrent client, or other things, on my network connection. (I know it is still possible, but those folks probably aren't going to sit outside my location to download something at these limited speeds.)
However, on my VLAN in, when I use the default drop, and then allow traffic on port 80,443, I get no traffic at all.
Example 1:
name GUEST_VLAN_IN {
    default-action reject
    description "PACKETS COMING IN TO VLAN"
    rule 10 {
        action accept
        application {
            category Web
        }
        description "ALLOW WEB"
        destination {
            port 80,443
        }
        log disable
        protocol tcp_udp
    }
    rule 20 {
        action accept
        description "ALLOW ACCESS TO UNIFI PORTAL"
        destination {
            address 192.168.200.6
            port 8888,8080,8880,8443
        }
        log disable
        protocol tcp_udp
    }
    rule 30 {
        action reject
        description "DENY ACCESS TO THE HOME LANS"
        destination {
            group {
                network-group LAN-NETWORKS
            }
        }
        log disable
        protocol tcp_udp
    }
}
name GUEST_VLAN_LOCAL {
    default-action reject
    description "BY DEFAULT DENY LOCAL TRAFFIC TO ROUTER ETC"
    rule 20 {
        action accept
        description "ALLOW DNS"
        destination {
            port 53
        }
        log disable
        protocol udp
    }
}
When I use the default-action of accept in the configuration, then obviously all my traffic works, but then I have to manually input all the ports I want to deny.
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.199.1/24
        description Local
        duplex auto
        poe {
            output 48v
        }
        speed auto
        vif 30 {
            address 10.10.30.1/24
            description "Guest VLAN"
            firewall {
                in {
                    name GUEST_VLAN_IN
                }
                local {
                    name GUEST_VLAN_LOCAL
                }
            }
            mtu 1500
        }
    }
}
So, does anyone see anything I'm doing wrong? Is that how you are supposed to use the firewall rules?
I suppose a few more questions for you folks: the vlan_in is for traffic coming in from the internet to the VLAN, and vlan_local is for traffic from the VLAN to the device, correct?
I'm trying to figure out where the firewall rules should be put (under which configuration).
Thanks
BC
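As an added example, not from the original post or from Ubiquiti, here is one way to write the allowlist described above in EdgeOS config syntax. It assumes the same interface, address and network-group names as the post, and that the router is the guest VLAN's DHCP server and DNS forwarder as the wizard sets up. On EdgeOS the ruleset attached as `in` on eth1.30 matches packets arriving from the guest clients that the router forwards elsewhere (the internet or the home LANs), while the ruleset attached as `local` matches packets from the guest clients addressed to the router itself; return traffic for guest-initiated flows arrives on eth0 and is handled by WAN_IN's established/related rule, so it does not need a rule here. This version matches on ports only (no DPI `application` match), puts the home-LAN block before the accept so the allowed ports cannot reach the LANs, and allows DHCP (udp/67) and DNS to the router in `local`.

```text
firewall {
    name GUEST_VLAN_IN {
        default-action drop
        description "GUEST VLAN -> FORWARDED TRAFFIC (ALLOWLIST)"
        rule 10 {
            action accept
            description "ALLOW UNIFI PORTAL ONLY ON ITS PORTS"
            destination {
                address 192.168.200.6
                port 8888,8080,8880,8443
            }
            protocol tcp
        }
        rule 20 {
            action drop
            destination {
                group {
                    network-group LAN-NETWORKS
                }
            }
        }
        rule 30 {
            action accept
            description "ALLOW WEB AND MAIL TO THE INTERNET"
            destination {
                port 80,443,465,587,993,995
            }
            protocol tcp
        }
    }
    name GUEST_VLAN_LOCAL {
        default-action drop
        description "GUEST VLAN -> ROUTER ITSELF"
        rule 10 {
            action accept
            destination {
                port 67
            }
            protocol udp
        }
        rule 20 {
            action accept
            destination {
                port 53
            }
            protocol tcp_udp
        }
    }
}
```

Because everything else is dropped by default, guest clients that point at an external DNS server instead of the router will fail to resolve names; add a udp/53 accept to GUEST_VLAN_IN if that is intended.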