Block access to webGUI in a specific VLAN

Started by Leviathan, January 22, 2021, 06:56:54 PM

Good evening!
I have a question to ask: in the company we have an external consultant who deals exclusively with the maintenance of the VoIP PBX, so in order to allow him to work I created a dedicated OpenVPN server that allows him to access exclusively the VoIP VLAN and the class of IP addresses assigned to both the switchboard and the telephones (192.168.5.0/24).
By doing so, it cannot ping or reach other VLANs or address classes.
It can reach the PBX webGUI but it can also reach the OPNsense webGUI, which is reachable at the default gateway address (192.168.5.1) of the VoIP VLAN.
At the level of the OpenVPN certificate, administrative access to the webGUI is clearly disabled, but I would like this page to be unreachable for that VPN server and its possible users.
I assume you can do a dedicated rule on the firewall, but I honestly have no idea how to block this.
Thanks in advance for the help.
A rainy day...

Create a rule to block the VPN IP from accessing the VLAN gateway on ports 80 and 443, and place it above the rule that allows the VPN IP to access the VLAN.

Do I need to put the rule under "Firewall - NAT - Portforward" or "Firewall - Rules - OpenVPN"?
A rainy day...

On the interface, so OpenVPN if that is yours.
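
Added example, not part of the thread: a small Python model of the rule order discussed above, assuming first-match evaluation on the OpenVPN interface (OPNsense's default "quick" behaviour) with unmatched traffic blocked. The tunnel network `10.8.0.0/24`, the client address and the PBX address are constructed placeholders; only `192.168.5.0/24`, `192.168.5.1` and ports 80/443 come from the posts.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

VPN_NET = ip_network("10.8.0.0/24")      # assumed tunnel network, not given in the thread
VOIP_NET = ip_network("192.168.5.0/24")  # VoIP VLAN from the thread
GATEWAY = "192.168.5.1"                  # OPNsense address on that VLAN, from the thread
PBX = "192.168.5.10"                     # assumed PBX address (constructed)

@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    ports: frozenset = frozenset()  # empty set means any port

    def matches(self, src, dst, port):
        return (ip_address(src) in self.src and ip_address(dst) in self.dst
                and (not self.ports or port in self.ports))

BLOCK_GUI = Rule("block", VPN_NET, ip_network(GATEWAY + "/32"), frozenset({80, 443}))
ALLOW_VOIP = Rule("pass", VPN_NET, VOIP_NET)

def evaluate(rules, src, dst, port):
    """First matching rule decides; traffic matching no rule is blocked."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "block"

def audit(rules, client="10.8.0.6"):
    """Verdict per flow a VPN client (constructed address) might attempt."""
    flows = {
        "firewall_gui_https": (GATEWAY, 443),
        "firewall_gui_http": (GATEWAY, 80),
        "firewall_ssh": (GATEWAY, 22),             # not covered by the 80/443 rule
        "pbx_gui_https": (PBX, 443),
        "other_vlan_host": ("192.168.1.10", 443),  # constructed address
    }
    return {name: evaluate(rules, client, dst, port)
            for name, (dst, port) in flows.items()}

if __name__ == "__main__":
    for label, rules in (("block above allow", [BLOCK_GUI, ALLOW_VOIP]),
                         ("block below allow", [ALLOW_VOIP, BLOCK_GUI])):
        print(label, audit(rules))
```

The `firewall_ssh` result stays `pass` in both orderings: the rule as posted only covers ports 80 and 443, so a webGUI moved to another port or any other service listening on the gateway address needs its own entry.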