Hello,
Thank you for contacting us.
I would like to inform, that regarding your comment you are moving in a right direction.
In order to solve this issue, you will need to split WAN zone to a different zones.
This could be done in Network - Firewall - Zones.
First at all, please create a new zone, e.g. Mobile. After that, edit zone "WAN" by removing "mob1s1a1" from a "Covered networks":
Do not forget to save and apply configuration.
Once this done, edit you newly created zone and in "Covered networks" add "mob1s1a1" interface and save and apply configuration:
After that if your traffic rules are set correctly, devices will reach internet only from allowed WAN zones, not from mobile interface.
Hope it helps.
Best regards,
Sigitas