**Newbie ** - How to create Firewall Rules with Firewall Groups

[KalleBlomquist]

Hello,
I'm an absolute Opnsense newbie, but I would like to change my USG for an OpnSense.

Some background on the network:
1 x WAN
1 x LAN
4 x VLAN

The "network components" (switches, servers, NAS etc.) are located in the LAN and in the other VLANs e.g. IPCam or Sonos Player ...

Now I would like to prohibit the traffic from the VLANs in the direction of the LAN first.
Then activate the devices with individual rules (e.g. allow IPCam to NAS access, i.e. VLAN10 with alias IPCam on LAN with alias NAS).

Unfortunately, I am not sure how to do this with the best option ?!

FW group VLAN_All and corresponding DROP rule on the LAN interface?
Do the clients in VLAN_All even get out without an ALLOW rule?

Then:

 - Create FW group (VLAN10) and put a rule on it (IN - src: VLAN10 - IPCam - dst: LANnet - NAS)
or
 - FW rule on LAN (IN - src: IPCam - dst: NAS)

As I understood, any traffic from a FW group is initially forbidden ?!
So do I have to create a FW rule in advance so that the clients can communicate out at all?

Somehow I didn't understand the construct ... Sorry!

Best wishes
Kalle