Locking down access to a VLAN

I am using pfSense, and on my physical LAN interface I have multiple VLANs. Each VLAN has its own network (192.168.67.0/24, 10.38.0.0/23, etc.) with pfSense being the *.1 on each VLAN.

I just created a new VLAN67 with the 192.168.67.0/30 network and pfSense being 192.168.67.1. I am putting a Veeam hardened Linux backup repository on this VLAN as 192.168.67.2 and I want to lock down access to this VLAN.

My naïve assumption was that I would put rules on the VLAN67 interface that block incoming traffic from the other VLANs. For example, block “VLAN30 net” source. But when I take this approach, I’m still able to ping the 192.168.67.2 address from the networks that should be blocked by my rules.

What I have found is that I have to go to the VLAN30 rules page, and add an outgoing traffic block rule with VLAN67 as the destination. This rule then prevents me from pinging 192.168.67.2 from the VLAN30 network.

This seems painful to me as I have to go to each VLAN and block outgoing traffic from going where I don’t want it to go. I would prefer to just block incoming traffic on the VLAN that I’m trying to lock down.

Am I understanding this correctly? Any other comments?
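The behaviour described in the post follows from how pfSense (pf) evaluates rules: the rules on an interface tab apply to traffic entering the firewall on that interface, so a rule on the VLAN67 tab only ever sees packets that the repository itself sends, never packets arriving from VLAN30. The toy model below is an added example, not code from the post or from pfSense; it assumes the two VLANs named in the post (VLAN30 = 10.38.0.0/23, VLAN67 = 192.168.67.0/30, repository at 192.168.67.2) and constructed hosts and rulesets, and it deliberately omits pf's state table because stateful reply handling does not change which tab decides the first packet.

```python
"""Toy model of which pfSense interface tab's rules decide a packet's fate.

Added example, not from the original post or from pfSense. Simplified pf
semantics: a packet is filtered by the ruleset of the interface on which it
ENTERS the firewall, first match wins, and an implicit default deny applies
when nothing matches. State tracking of reply packets is omitted.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed topology modelled on the post: pfSense is .1 on every VLAN.
VLAN_NETS: Dict[str, IPv4Network] = {
    "VLAN30": ip_network("10.38.0.0/23"),
    "VLAN67": ip_network("192.168.67.0/30"),  # backup repository lives at .2
}
ANY: Optional[IPv4Network] = None  # shorthand for "any" in a rule


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: Optional[IPv4Network]   # None means any source
    dst: Optional[IPv4Network]   # None means any destination

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return (self.src is None or src in self.src) and \
               (self.dst is None or dst in self.dst)


Ruleset = Dict[str, List[Rule]]  # interface tab -> ordered rules


def ingress_interface(src: IPv4Address) -> str:
    """A packet enters pfSense on the VLAN whose network contains its source."""
    for name, net in VLAN_NETS.items():
        if src in net:
            return name
    raise ValueError(f"{src} is not on any known VLAN")


def evaluate(rules: Ruleset, src: str, dst: str) -> Tuple[str, str]:
    """Return (verdict, interface tab that decided it)."""
    s, d = ip_address(src), ip_address(dst)
    iface = ingress_interface(s)
    for rule in rules.get(iface, []):  # only the ingress tab is consulted
        if rule.matches(s, d):
            return rule.action, iface
    return "block", iface  # pfSense default deny when nothing matches


# The post's naive layout: the block lives on the VLAN67 tab.
NAIVE: Ruleset = {
    "VLAN30": [Rule("pass", ANY, ANY)],  # stock "allow VLAN30 to any"
    "VLAN67": [Rule("block", VLAN_NETS["VLAN30"], ANY),
               Rule("pass", ANY, ANY)],
}

# The layout the post found to work: block on the VLAN30 tab, destination VLAN67.
PER_SOURCE_TAB: Ruleset = {
    "VLAN30": [Rule("block", ANY, VLAN_NETS["VLAN67"]),
               Rule("pass", ANY, ANY)],
    "VLAN67": [Rule("block", ANY, VLAN_NETS["VLAN30"]),  # repo may not reach VLAN30
               Rule("pass", ANY, ANY)],
}


def ping_repo_with_naive_rules() -> Tuple[str, str]:
    """Constructed host 10.38.0.5 on VLAN30 pings the repository."""
    return evaluate(NAIVE, "10.38.0.5", "192.168.67.2")


def ping_repo_with_per_source_rules() -> Tuple[str, str]:
    return evaluate(PER_SOURCE_TAB, "10.38.0.5", "192.168.67.2")


def repo_reaching_out() -> Tuple[str, str]:
    """The traffic the VLAN67 tab actually governs: packets the repository sends."""
    return evaluate(PER_SOURCE_TAB, "192.168.67.2", "10.38.0.5")


if __name__ == "__main__":
    print(ping_repo_with_naive_rules())       # ('pass', 'VLAN30')
    print(ping_repo_with_per_source_rules())  # ('block', 'VLAN30')
    print(repo_reaching_out())                # ('block', 'VLAN67')
```

In the naive layout the ping is passed by the VLAN30 tab's allow-any rule and the VLAN67 block is never consulted, which is exactly the symptom in the post; putting the block on the VLAN30 tab (destination "VLAN67 net") is what stops it. The VLAN67 tab is still the right place to restrict what the repository itself may initiate. To avoid repeating the block on every other VLAN's tab, pfSense offers two standard shortcuts not covered by this model: an alias or interface group covering all internal VLANs with a single block-to-VLAN67 rule, or a floating rule with direction "out" on the VLAN67 interface, which matches traffic leaving the firewall toward the repository regardless of where it entered.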