@swemattias
You have to add your firewall rule to the interface where the traffic is coming into pfSense. So to pass or block traffic from LAN devices you add the rule to LAN.
The destination can be a single IP, a network (subnet) or any. For internet access you need even any, because the IPs in the internet enfold almost the whole address space. So no other way here.
What you're presumably concerning might be to give one subnet access to the internet, but not to the LAN.
To achieve this you have to remember that pfSense probes the rules from the top to the bottom. If one matches the conditions it is applied and further rules are omitted.
So you have to add multiple rules for this. At least one block and one pass rule.
At the top of the rule set add a block rule for the destination of LAN network.
Below add a pass rule with destination "any".
Now if the destination in a packet is out of the LAN network the packet is blocked, otherwise it's passed.
But instead of blocking LAN network only it's often rather desired to block access to all internal networks. A good advice to achieve this is to adding a network alias (Firewall > Aliases > IP, type "network") and adding all RFC 1918 networks to it. Call it RFC1918 and use this alias as destination in the block rule.
With this you're still save, when you add a subnet to your setup or change a network space.
So what if I want to open a port from wan to server lan. What will the rule look like then?
For inbound traffic the things might be more clear. Here has only the source to be "any", assuming you can't state it. The destination will be "WAN address", because the packet goes to it, and you will state a specific destination port. For instance for HTTPS, the dest. port is 443.
The source port has to be "any" as well!