Firewall rules clarification

Really enjoyed you’re Pfsense videos and had a couple of setup/rules questions. I have a Protectli box with four ports. I’ve set it up like your home network. Lan1 is general use for everything like phones, tvs , tablets etc. Lan 2 is pretty locked down but still able to access the internet. Lan1 is blocked to Lan2 but Lan2 can access Lan1. Lan1 blocked from the Firewall admin. Lan3 is for my Synology. Lan2 can admin the Synology but not Lan1.
My questions involve the Management interface for Pfsense and the Synology. I’m not sure how to ONLY make them available to Lan2 and not Lan1 ; or in the case of Lan3 not able to access the Pfsense management interface.
I currently have access to Pfsense in it’s initial setup i.e . access from Lan1. How do I “Move” access to Lan2 only.
I’ll stop there. I have other questions but…One step at a time.

so in pfsense you block traffic headed to the firewall on a particular interface so I’m blocking 80, 443, and 22 with a port alias

and i believe you can bind the Synology web interface to a signal ip address i do not have access to a Synology device so I cant produce a screenshot for you tho.

Thanks Night_Rider. I think I’ve got it. I’m just getting used to the interface and I think you’re right about binding the web interface to a single port on the Synology. I just have to dig in to the documentation a little more.