ICX 7150 ACL - Home user

We would need to see your configuration to know where you apply these and in what direction to know if it is truly correct.

Your guest rules are probably good.

You might want to look up the evaluate command for ACLs if it is supported on that platform.  It lets you nest or call other access lists and sort of make them hire architectural.

Your last rule makes no sense...

permit icmp host 192.168.74.110 host 192.168.74.12 (NVR to WIFI Cam)
permit tcp host 192.168.74.110 host 192.168.74.12 eq http (NVR to WIFI Cam)
permit tcp host 192.168.74.110 host 192.168.74.12 eq rstp (NVR to WIFI Cam)

The reasoning is packets actually have to cross a layer-3 interface where an ACL is applied for it to work.   Then it is directional.   That is to say traffic within the same subnet will not be filtered by an ACL this way.  It will simply be switched within the VLAN once ARP resolves its physical address.

Traffic that’s routed can have ACLs put on it via its Layer-3 interfaces...   You also need to allow the traffic back though, too being it is stateless.   Likely not a problem unless you apply your list on both ingress and egress though, so pay attention to direction.

TCP supports the established flag...  not certain if this platform supports reflexive access lists, but research that otherwise you need to allow the traffic back

The last line of your IOT Rules are is inclusive of permit udp 192.168.73.0  0.0.0.255 any eq 5353 (meaning it also matches)

Given the order, IP will also carry the UDP.   Perhaps you want the counters though...

Let’s say you have VRI or SVIs

int ve 73

ip address 192.168.73.1/24

int ve 79

ip address 192.168.79.1/24

If traffic is coming from 192.158.73.110 going to 192.168.79.200 traffic would go IN ve 73 and OUT  ve 79.   That is to say traffic need not go flow through an interface like water...  the above traffic never goes out ve 73 to get to 192.168.79.200.  It

 flow in one then [routing process] then new packet gets generated and flows out ve 79, which is where the destination subnet is directly-connected.

I hope this helps.    You would have an opportunity to place an ACL ingress 73 or egress 79 to act on my  source and destination above ... depending upon whether you want to filter before or after the routing process.

Typically, Extended ACLs have a lot more granularity and are placed close to the source...  they include source and destination.  Standard ACLs are typically placed near the destination...  they reference the source though.

Once a match is made, execution stops processing and traffic is permitted or denied.   ACL statements below are not executed.  Think of an ACL as returning a true (permit) or false (deny) because they are used for a lot of other things like QoS, route filtering, and a bunch of other things...  A permit statement would get traffic into a class/queue for QoS for example.   That class/queue could be attached to a policer for example to drop the traffic or some quantity of it.

Regardless, last there is an implicit deny all at the end, so if you have an ACL that permits one thing, it automatically returns deny if there isn not any match.   On some platforms an empty ACL blocks all traffic, on others it ironically allows all.

...  Hope this helps.   If you post your config, we can be of better help.