If the client has the firewall enabled, they can't be pinged and you'll get a timeout or "network unreachable" with tracert.
When a user logs in to the server, how do they log in? RDP? VPN?
If I understand you correctly, clients can connect to the server. When connected, they can't access the internet.
Is that correct?
Good luck with the washing machine BTW.
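Added example (not part of the reply above): a PowerShell check, run on the client, that shows whether the Windows firewall is on and whether it currently allows inbound ICMPv4 echo requests, which is what decides whether the machine answers ping and tracert at all. It assumes Windows 8 / Server 2012 or later (the NetSecurity cmdlets) and an elevated session; the hostname in the final step is a placeholder.

```powershell
# Added example, not from the original post. Assumes the NetSecurity module
# (Windows 8 / Server 2012 and later) and an elevated PowerShell session.

# 1. Is the firewall enabled, and what happens to unmatched inbound traffic?
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction

# 2. Built-in rules that allow inbound ICMPv4 echo requests (ping).
#    If every one of these is disabled, the client will not answer ping.
Get-NetFirewallRule -DisplayName "*ICMPv4-In*" |
    Select-Object DisplayName, Profile, Enabled, Action

# 3. Any inbound rule, built-in or custom, that matches the ICMPv4 protocol.
Get-NetFirewallRule -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'ICMPv4' } |
    Select-Object DisplayName, Profile, Enabled, Action

# 4. If you decide ping should work, enable the echo-request rule only for
#    the Domain and Private profiles rather than opening it on Public.
Enable-NetFirewallRule -DisplayName "File and Printer Sharing (Echo Request - ICMPv4-In)"
Set-NetFirewallRule -DisplayName "File and Printer Sharing (Echo Request - ICMPv4-In)" -Profile Domain, Private

# 5. Re-test from the server side (placeholder hostname).
Test-NetConnection -ComputerName client01.example.local -TraceRoute
```

Step 3 is the one to trust when someone has added custom rules: a custom allow rule for ICMP can exist under any display name, and a custom block rule placed above the built-in allow rule will still stop ping even though step 2 shows the built-in rule as enabled.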