OPNsense Forum

English Forums => General Discussion => Topic started by: AegeanDad on March 04, 2022, 08:24:16 PM

Title: Question on "This Firewall"
Post by: AegeanDad on March 04, 2022, 08:24:16 PM
I have a four-port OPNsense box: two WANs and two LANs. LAN1 should access everything, LAN2 should only access LAN2 and both WANs but not LAN1.

LAN2 interface has the following rules:
1. Allow all inbound if destination is NOT "This Firewall" (meant to allow WAN traffic)
2. Allow all inbound if destination is LAN2

Yet, a PC attached to the LAN2 port can ping another PC attached to LAN1. Why is that?

Title: Re: Question on "This Firewall"
Post by: jp0469 on March 07, 2022, 02:53:43 PM
"This Firewall" represents all IP addresses assigned to OPNsense. This would typically include localhost and the x.x.x.1 address for each LAN/VLAN. Based on this, LAN2 to LAN1 traffic is being allowed by your rule #1 because LAN1 falls in the scope of NOT "This Firewall". Also, your rule #2 does nothing because traffic within the same subnet does not even pass through the firewall for evaluation.

A better way to achieve your goal is with a single rule. First, create an alias that consists of all the RFC1918 private IP ranges (10.0.0.0/8 & 172.16.0.0/12 & 192.168.0.0/16). Call this "RFC1918" or whatever you like. Next on LAN2, create a rule that allows all access to NOT "RFC1918". This gives LAN2 internet (WAN) access but will not allow traffic to any other LANs.
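To make the two behaviours concrete, here is an added simulation of first-match rule evaluation on LAN2 (example code written for this thread, not OPNsense's own code or jp0469's). It contrasts the original "NOT This Firewall" rule set with the RFC1918-alias rule; all interface addresses, subnets and hosts are constructed sample values.

```python
import ipaddress

# Constructed sample addressing (not from the thread): firewall-owned addresses
# ("This Firewall" = every address assigned to OPNsense, including localhost).
THIS_FIREWALL = {ipaddress.ip_address(a) for a in (
    "127.0.0.1",      # localhost
    "192.168.1.1",    # assumed LAN1 gateway address
    "192.168.2.1",    # assumed LAN2 gateway address
    "203.0.113.10",   # assumed WAN1 address
    "198.51.100.10",  # assumed WAN2 address
)}
LAN2_NET = ipaddress.ip_network("192.168.2.0/24")   # assumed LAN2 subnet
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def not_this_firewall(dst):
    return dst not in THIS_FIREWALL

def in_lan2(dst):
    return dst in LAN2_NET

def not_rfc1918(dst):
    return not any(dst in net for net in RFC1918)

# Ordered rule sets; first match wins, and OPNsense denies by default.
ORIGINAL_RULES = [("allow to NOT This Firewall", not_this_firewall),
                  ("allow to LAN2", in_lan2)]
ALIAS_RULES = [("allow to NOT RFC1918", not_rfc1918)]

def evaluate(rules, src, dst):
    """Return the label of the first matching rule, or why none applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Host-to-host traffic inside LAN2 is switched locally and never reaches pf;
    # only packets addressed to the firewall itself or routed elsewhere are filtered.
    if src in LAN2_NET and dst in LAN2_NET and dst not in THIS_FIREWALL:
        return "not filtered (same subnet)"
    for label, match in rules:
        if match(dst):
            return label
    return "default deny"

def compare(dst, src="192.168.2.50"):
    """(original outcome, alias outcome) for a packet from an assumed LAN2 host."""
    return evaluate(ORIGINAL_RULES, src, dst), evaluate(ALIAS_RULES, src, dst)

if __name__ == "__main__":
    for name, dst in (("LAN1 host", "192.168.1.50"), ("internet host", "192.0.2.80"),
                      ("LAN2 host", "192.168.2.77"), ("firewall LAN2 address", "192.168.2.1")):
        orig, alias = compare(dst)
        print(f"{name:22s} {dst:14s} original={orig!r} alias={alias!r}")
```

The last case is the practical caveat: with only the alias rule, packets to the firewall's own LAN2 address (for instance DNS served by OPNsense) match nothing and are denied, so a separate allow for those services is needed.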