Topic: 2 IPsec VPNs on one OPNsense with different access to local machines (Read 1280 times)
atoll
February 24, 2022, 05:09:01 pm
Hi,
I'm running an OPNsense 22.1 gateway that provides 2 VPN endpoints:
#1. IKEv2, EAP-MSCHAP, FreeRadius for my road warriors
#2. IKEv1, PSK, Site-to-Site for access to a Windows Remote Desktop Machine and its ability to scan and print back into my local network.
ATM, my firewall rule is simple: Everything in my local network is accessible to anybody who is allowed to access the VPNs. That was a good solution, as long as I only had VPN #1.
For VPN #2, I'd like to restrict the access to an IP range of 10.10.0.18 - 10.10.0.35 -> this is my local fixed range for my printers and scanners.
The OPNsense has a fixed external IP address that also resolves to an FQDN.
The remote endpoint gateway for VPN #2 has a fixed IP that also resolves to an FQDN.
Would it be sufficient to build a firewall rule and place it first in the parse order that declares the following:
"All traffic coming from the interface IPsec originating from [fixed IP of VPN #2 remote endpoint] can access the local network from 10.10.0.18 - 10.10.0.35"?
Is that possible/clever/simple?
Options?
And if advised: What exactly would that look like?
Thanks!
-cg-
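
Added example, not part of the original post: a first-match model of the rule order asked about above, which also splits the range 10.10.0.18 - 10.10.0.35 into the CIDR blocks an alias would hold. The LAN network, the tunnel networks and the choice to match on the inner (tunnel) source address instead of the remote gateway's public IP are assumptions made for illustration.

```python
import ipaddress

# Printer/scanner range from the post; it is not aligned to a single CIDR block.
PRINTERS = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("10.10.0.18"), ipaddress.ip_address("10.10.0.35")))

# Assumptions (constructed, not from the post): the LAN is 10.10.0.0/24, the
# site-to-site peer's tunnel network is 192.168.50.0/24, road warriors get
# 10.20.0.0/24. Rules on the IPsec interface are modelled as matching the
# decapsulated inner source address, not the remote gateway's public IP.
LAN = [ipaddress.ip_network("10.10.0.0/24")]
SITE2 = [ipaddress.ip_network("192.168.50.0/24")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# Ordered rule list, first match wins (the "place it first" idea in the post).
RULES = [
    ("pass", SITE2, PRINTERS),   # VPN #2 may reach printers and scanners
    ("block", SITE2, LAN),       # VPN #2 may reach nothing else on the LAN
    ("pass", ANY, LAN),          # existing allow-all rule, still used by VPN #1
]

def decide(src, dst, rules=RULES):
    """Return the action of the first rule matching src -> dst, default block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sources, dests in rules:
        if any(s in n for n in sources) and any(d in n for n in dests):
            return action
    return "block"

if __name__ == "__main__":
    print("alias entries:", ", ".join(str(n) for n in PRINTERS))
    for src, dst in [("192.168.50.7", "10.10.0.18"), ("192.168.50.7", "10.10.0.35"),
                     ("192.168.50.7", "10.10.0.36"), ("192.168.50.7", "10.10.0.17"),
                     ("10.20.0.5", "10.10.0.200")]:
        print(f"{src} -> {dst}: {decide(src, dst)}")
```

In this model the pass rule alone does not restrict VPN #2: without the block rule in second position, the existing allow-all rule still matches its traffic to the rest of the LAN.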