thank you for replay.
this is my situation:
do you have an example to limit internet only interface port of 192.168.200.133?
from 192.168.100.171 ping to 192.168.200.133 result ICMP is reachable.
from 192.168.200.133 ping to 192.168.100.171 result ICMP is unreachable.
from 192.168.200.133 ping to 192.168.100.1 result ICMP is reachable.
Why happen this?