I have a virtual router running on Ubuntu Server 22.04. The virtual router has two ethernet interfaces enp1s0 and enp2s0. The interface enp1s0 is connected to the external network and the interface enp2s0 is connected to a managed switch.
Note: the interface enp2s0 is configured for trunked traffic (vlan.1201, vlan.1401 and vlan.1601).
I am trying to set up a firewall on the virtual router that blocks all outgoing traffic from both interfaces except for traffic going to 10.12.0.0/16, 10.14.0.0/16, 10.16.0.0/16 and 10.1.1.0/24. Incoming traffic should be open on both interfaces, as I will need to SSH into systems running on the networks 10.14.0.0/16 (vlan.1401), 10.16.0.0/16 (vlan.1601), 10.12.0.0/16 (vlan.1201) and 10.1.1.0/24.
Below is my netplan configuration:
network:
  version: 2
  renderer: networkd
  ethernets:
    enp1s0:
      dhcp4: false
      addresses:
        - 10.1.1.86/24
      routes:
        - to: default
          via: 10.1.1.251
          metric: 1000
      nameservers:
        addresses:
          - 10.1.1.252
    enp2s0:
      dhcp4: false
  vlans:
    vlan.1201:
      id: 1201
      dhcp4: false
      addresses:
        - 10.12.1.1/16
      routes:
        - to: 0.0.0.0
          via: 10.12.1.1
          metric: 100
      link: enp2s0
    vlan.1401:
      id: 1401
      dhcp4: false
      addresses:
        - 10.14.1.1/16
      routes:
        - to: 0.0.0.0
          via: 10.14.1.1
          metric: 100
      link: enp2s0
    vlan.1601:
      id: 1601
      dhcp4: false
      addresses:
        - 10.16.1.1/16
      routes:
        - to: 0.0.0.0
          via: 10.14.1.1
          metric: 100
      link: enp2s0
Below are my iptables rules (filter table):
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED -j ACCEPT
Below are the NAT table rules:
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o enp1s0 -j MASQUERADE
I tried to configure the Ubuntu UFW to solve a subset of the above problem. I set my defaults to allow all traffic going out and coming in. Then I tried to deny all outgoing traffic from 10.16.0.0/16 except for traffic going to a selected list.
Below is the configuration I used:
Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                 Action      From
--                 ------      ----
10.16.0.0/16       ALLOW IN    Anywhere
Anywhere           DENY OUT    10.16.0.0/16
10.1.1.0/24        ALLOW OUT   10.16.0.0/16
10.16.0.0/16       ALLOW OUT   10.16.0.0/16
10.14.0.0/16       ALLOW OUT   10.16.0.0/16
10.14.1.1          ALLOW OUT   10.16.0.0/16
10.16.1.1          ALLOW OUT   10.16.0.0/16
10.12.1.1          ALLOW OUT   10.16.0.0/16
10.1.1.86          ALLOW OUT   10.16.0.0/16
10.12.0.0/16       ALLOW OUT   10.16.0.0/16
Anywhere           DENY OUT    10.1.1.0/24
Anywhere           DENY OUT    10.12.0.0/16
Anywhere           DENY OUT    10.14.0.0/16
Anywhere           DENY OUT    10.1.1.86
10.16.0.0/16       ALLOW OUT   10.1.1.86
10.16.0.0/16       ALLOW OUT   10.1.1.0/24
However, I was still able to ping google.com and curl various web pages with the firewall configuration above.
I also tried denying all outgoing traffic and allowing all incoming traffic, and then opening up outgoing traffic to the selected subnets 10.14.0.0/16 and 10.16.0.0/16; however, that blocked me from SSHing to any of the systems on those subnets.
Any suggestions would be greatly appreciated.
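Added example (not part of the question above, and not the poster's own configuration): a POSIX shell script that generates an iptables-restore ruleset for the policy the question describes. Two netfilter facts shape it. UFW's `ALLOW OUT`/`DENY OUT` rules are placed in the OUTPUT chain, which only sees packets the router itself generates; packets from hosts on the VLANs that transit the router are evaluated in FORWARD instead (UFW manages that chain through `ufw route` rules and the `routed` default policy, which in the status above is `allow`). So if the ping and curl in the question were made from a host behind one of the VLANs, none of the `DENY OUT` rules ever matched them. The second fact is that once OUTPUT or FORWARD defaults to DROP, reply packets for connections accepted on INPUT (an inbound SSH session, for example) are themselves outbound and need an explicit ESTABLISHED,RELATED accept. The script therefore keeps INPUT open, sets both OUTPUT and FORWARD to DROP, accepts conntrack replies, and allows new connections only to the four destination networks. The interface name, the subnets and the MASQUERADE rule are taken from the question; the function names, log prefixes and rate limits are my own choices, and the script only prints the ruleset, it does not load it.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset that leaves INPUT open,
# permits replies, and restricts NEW outbound connections (both the router's
# own OUTPUT traffic and routed FORWARD traffic) to an allowlist of networks.

EXTERNAL_IF="enp1s0"                                               # from the question
ALLOWED_DESTS="10.12.0.0/16 10.14.0.0/16 10.16.0.0/16 10.1.1.0/24" # from the question

emit() { printf '%s\n' "$1"; }

# build_rules EXT_IF "NET1 NET2 ..." : print a complete iptables-restore
# input (filter + nat tables) to stdout.
build_rules() {
    ext_if="$1"
    dests="$2"

    emit "*filter"
    emit ":INPUT ACCEPT [0:0]"
    emit ":FORWARD DROP [0:0]"
    emit ":OUTPUT DROP [0:0]"

    # Loopback and conntrack replies first: an inbound SSH session accepted by
    # INPUT still needs its return packets to leave through OUTPUT, and a
    # routed connection accepted by FORWARD needs its replies forwarded back.
    emit "-A OUTPUT -o lo -j ACCEPT"
    emit "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    emit "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # New connections are accepted only towards the allowlisted destinations.
    # The same destination test is needed in OUTPUT (router-originated) and
    # FORWARD (VLAN hosts transiting the router), since UFW-style "DENY OUT"
    # rules only ever cover the first of the two.
    for d in $dests; do
        emit "-A OUTPUT -d $d -j ACCEPT"
        emit "-A FORWARD -d $d -j ACCEPT"
    done

    # Rate-limited logging of what the DROP policy is about to discard, so a
    # host that "cannot reach X" can be diagnosed from the journal.
    emit "-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix \"OUT-DROP: \""
    emit "-A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"FWD-DROP: \""
    emit "COMMIT"

    # NAT table exactly as in the question: masquerade whatever leaves the
    # external interface (only 10.1.1.0/24 traffic can, under this policy).
    emit "*nat"
    emit ":PREROUTING ACCEPT [0:0]"
    emit ":INPUT ACCEPT [0:0]"
    emit ":OUTPUT ACCEPT [0:0]"
    emit ":POSTROUTING ACCEPT [0:0]"
    emit "-A POSTROUTING -o $ext_if -j MASQUERADE"
    emit "COMMIT"
}

# count_accepts_for RULESET NET : number of "-d NET -j ACCEPT" rules in the
# generated text. A sanity check before loading: every allowlisted network
# should appear exactly twice (once in OUTPUT, once in FORWARD).
count_accepts_for() {
    printf '%s\n' "$1" | grep -c -- "-d $2 -j ACCEPT"
}

build_rules "$EXTERNAL_IF" "$ALLOWED_DESTS"
```

Usage: save the script (any filename, e.g. `gen-rules.sh`), review its output, then load it atomically with `sh gen-rules.sh | sudo iptables-restore`; `iptables-restore` replaces the whole filter and nat tables in one step, so there is no window with a half-applied policy. Disable UFW first (`sudo ufw disable`) so it does not insert its own chains alongside these rules, and persist the result with the `iptables-persistent` package (`sudo netfilter-persistent save`) so it survives a reboot.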