Hi @spgsitsupport !
The logic of ACLs in Comware is pretty straightforward and does not differ from other vendors. This ACL has zero chance of working on any vendor's router/L3 switch, because you have one major flaw:
rule 0 permit udp source 10.10.120.0 0.0.3.255 destination-port range bootps bootpc
rule 0 comment "Allow DHCP requests"
rule 5 permit udp source 10.10.120.0 0.0.3.255 destination-port eq dns
rule 5 comment "Allow DNS queries"
rule 10 permit ip source 10.10.120.0 0.0.3.255 destination 10.10.5.0 0.0.0.15 counting
rule 10 comment "Allow access to firewall routed link VLAN"
rule 20 deny ip counting
#
interface Vlan-interface120
packet-filter filter route
packet-filter 3120 inbound
What this ACL does:
rule 0 - if a packet that COMES on the SVI VLAN120 (from the host in this VLAN) has IP Source from 10.10.120.0/22 range, ANY destination IP, and destination UDP port in bootps bootpc, it is ALLOWED
rule 5 - if a packet that COMES on the SVI VLAN120 (from the host in this VLAN) has IP Source from 10.10.120.0/22 range, ANY destination IP and destination UDP port dns, it is ALLOWED
rule 10 - if a packet that COMES on the SVI VLAN120 (from the host in this VLAN) has IP Source from 10.10.120.0/22 range and destination IP from 10.10.5.0/28 range, it is ALLOWED
rule 20 - drop the rest
Now just think what destination IP your Internet traffic will have. For example, if you ping Google's well-known DNS from a host in Vlan120, what will the IP header look like? I bet it will be like this one:
IP.src=10.10.120.10 (for example)
IP.dst = 8.8.8.8
Do you see the problem now? Routers do not change IP source and destination on routing. Unless there is NAT, of course. So how do you imagine the rule 10 can match this type of traffic when it will be looking for Vlan5's range in the IP destination field? What you really allow with this rule is the traffic from Vlan120 to Vlan5, nothing else.
Here is how the ACL should look if you need to deny Vlan120 -> 110 access and allow Internet connection for the hosts in Vlan120:
rule 0 permit udp source 10.10.120.0 0.0.3.255 destination-port range bootps bootpc
rule 0 comment "Allow DHCP requests"
rule 5 permit udp source 10.10.120.0 0.0.3.255 destination-port eq dns
rule 5 comment "Allow DNS queries"
rule 7 deny ip source 10.10.120.0 0.0.3.255 destination 10.10.110.0 0.0.1.255
rule 7 comment "Deny Vlan120-Vlan110 traffic"
rule 20 permit ip
The difference is in rule 7 and in rule 20. Rule 10 is redundant, you do not need it unless you want BYOD devices to manage the firewall, which I highly doubt.
And don't forget to set the default route through the Firewall's IP address in Vlan5.
Now about "I do not want to explicitly block Vlan 110 by IP range, because in fact I want to block it from any other Vlans (existing & future)". If you already know what IP range your future VLANs will use, for example if they will all utilize the 10.0.0.0/8 range, then you can modify rule 7 so that it drops ALL traffic from Vlan120 to the 10.0.0.0/8 range (except the traffic allowed in rules before this one):
rule 7 deny ip source 10.10.120.0 0.0.3.255 destination 10.0.0.0 0.255.255.255
Try this ACL and let me know if it works.
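
The first-match behaviour described in the post can be checked offline before touching the switch. The sketch below is an added example, not part of the original post and not Comware code: it transcribes both rule sets and evaluates constructed sample packets against them, assuming rules are tested in ascending rule ID order and that wildcard bits set to 1 are ignored. The names `wc_match` and `evaluate` are hypothetical helpers.

```python
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68, "dns": 53}
VLAN120 = ("10.10.120.0", "0.0.3.255")

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wc_match(addr, base, wildcard):
    """Wildcard-mask compare: bits set to 1 in the wildcard are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

# Rule layout: (id, action, protocol, source, destination, destination ports)
# None means "any". Transcribed from the two rule sets in the post.
HEAD = [
    (0, "permit", "udp", VLAN120, None, {PORTS["bootps"], PORTS["bootpc"]}),
    (5, "permit", "udp", VLAN120, None, {PORTS["dns"]}),
]
ORIGINAL = HEAD + [
    (10, "permit", "ip", VLAN120, ("10.10.5.0", "0.0.0.15"), None),
    (20, "deny", "ip", None, None, None),
]
FIXED = HEAD + [
    (7, "deny", "ip", VLAN120, ("10.10.110.0", "0.0.1.255"), None),
    (20, "permit", "ip", None, None, None),
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return (rule id, action) of the first matching rule, lowest id first."""
    for rid, action, rproto, rsrc, rdst, rports in sorted(acl, key=lambda r: r[0]):
        if rproto != "ip" and rproto != proto:
            continue  # "ip" matches every protocol, "udp" only UDP
        if rsrc and not wc_match(src, *rsrc):
            continue
        if rdst and not wc_match(dst, *rdst):
            continue
        if rports is not None and dport not in rports:
            continue
        return rid, action
    return None, "no-match"

if __name__ == "__main__":
    probes = [  # constructed sample packets from a host in Vlan120
        ("icmp", "10.10.120.10", "8.8.8.8", None),
        ("udp", "10.10.120.10", "8.8.8.8", 53),
        ("tcp", "10.10.120.10", "10.10.110.5", 445),
        ("udp", "10.10.120.10", "10.10.110.5", 53),
    ]
    for p in probes:
        print(p, "original:", evaluate(ORIGINAL, *p), "fixed:", evaluate(FIXED, *p))
```

The last probe shows that UDP/53 from Vlan120 to a Vlan110 address is still permitted by rule 5, because rule 5 has no destination and sits before rule 7. The same `wc_match` helper also confirms that a wildcard of 0.255.255.255 is what covers 10.0.0.0/8, while 0.0.0.255 covers only 10.0.0.0/24.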