Limit internet access to some devices - best option

Started by gio_kiborg, April 14, 2024, 11:40:43 AM

April 14, 2024, 11:40:43 AM Last Edit: April 14, 2024, 11:42:50 AM by gio_kiborg
Hello,
I am a novice in OPNsense and I want to make sure I set up the rules correctly.
My home network architecture is as follows:
Internet -> ISP router -> [OPNsense WAN -> OPNsense LAN] -> [internal LAN 16-port switch]
I have my entire internal network connected through a 16-port gigabit PoE switch, so one LAN for everything.
I have 2 WiFi APs (connected to the 16-port switch) and configured Guest and IoT VLANs (using OpenWrt).

My problem is that I want to block my Smart TV and Network Video Recorder from accessing the internet, but they should still be accessible inside the LAN.

Previously I was using a Linksys EA6300 (flashed with DD-WRT) router instead of OPNsense, and it was easy to block the specific MACs of the TV and camera recorder from internet access.

I did not find a similar option in OPNsense. I searched the forum, but I do not think there is a clear solution for my configuration.
There is a MAC Address Control under Services/DHCPv4/[LAN] where I can block access for these devices using their MAC, but it completely blocks them from accessing the LAN, which is not good; I want to be able to connect my TV to the media server (inside my LAN) and obviously want to have access to the NVR as well.

As I understand it, since I am using a single physical interface, I cannot easily break it into VLANs, and I do not even want to complicate the network; I just want to block 2 devices manually based on their MAC or IP or both.

Currently what I did was to set up static leases for them in DHCP and write "none" for their gateway (see images below).
When I go to my smart TV it says that there is an issue connecting to the internet (which is good) and I cannot access YouTube or other online services on it, but I can still access my media server. However, when I look at the log files for Zenarmor, I see that my TV is communicating (at least it is going through Zenarmor).

Can you suggest how to make sure that the TV and NVR have no internet access for sure?

Thanks in advance
You could create a firewall rule on the LAN interface where these devices are.
action: reject
direction: in
quick: yes
Source: alias for your device
port destination: ! LAN net
It needs to go before the default "allow LAN to any".
Devices in the same network will go via the switch, not via OPN (unless it's the gateway for the VLANs), so you can still get to them.

Quote from: cookiemonster on April 14, 2024, 06:38:52 PM
You could create a firewall rule on the LAN interface where these devices are.
action: reject
direction: in
quick: yes
Source: alias for your device
port destination: ! LAN net
It needs to go before the default "allow LAN to any".
Devices in the same network will go via the switch, not via OPN (unless it's the gateway for the VLANs), so you can still get to them.

Thank you very much for the suggestion!
I created aliases for those 2 devices (via IP) and, as you suggested, created the rule above the other LAN rules.

The problem is that the TV does not see my media server (OpenMediaVault with a MiniDLNA server running); when I disabled the rule and restarted the router, it worked again.
What am I doing wrong?

Quote from: cookiemonster on April 14, 2024, 06:38:52 PM
You could create a firewall rule on the LAN interface where these devices are.
action: reject
direction: in
quick: yes
Source: alias for your device
port destination: ! LAN net
It needs to go before the default "allow LAN to any".
Devices in the same network will go via the switch, not via OPN (unless it's the gateway for the VLANs), so you can still get to them.

Quote
port destination: ! LAN net
"!" means NOT (invert), so turn on the "Destination/Invert" checkbox.

I noticed the "!" but thought it was a typo ;D
Thanks!
Now both are available on the LAN, and I checked the internet connectivity of my TV: it says that it is connected to the router but not to the internet.
Thanks again
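To show why the rule from cookiemonster's first reply broke LAN access until the Destination/Invert clarification, here is a small first-match ("quick") model of the two rule orderings. This is an added example written for this thread; it is not code from the forum, from OPNsense or from pf. The LAN subnet 192.168.1.0/24, the OPNsense LAN address, the TV and NVR addresses in the alias, and the laptop and external hosts are all assumptions. It models only packets that actually reach the OPNsense LAN interface; unicast between two hosts on the same switch never does, as the reply notes, so the in-LAN destination used here is the firewall itself (e.g. DNS to it), not the media server.

```python
"""pf-style first-match model of the LAN rule proposed in this thread.

Added example for illustration; not code from the thread, OPNsense or pf.
The subnet, addresses and hosts below are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Union

IPv4 = ipaddress.IPv4Address
Selector = Union[ipaddress.IPv4Network, frozenset, None]   # None = "any"

LAN_NET = ipaddress.ip_network("192.168.1.0/24")         # assumed "LAN net"
OPNSENSE_LAN = ipaddress.ip_address("192.168.1.1")        # assumed LAN address of OPNsense
BLOCKED = frozenset({                                     # assumed static leases = the alias
    ipaddress.ip_address("192.168.1.50"),                 # Smart TV
    ipaddress.ip_address("192.168.1.51"),                 # NVR
})


@dataclass(frozen=True)
class Rule:
    action: str                # "reject" or "pass"
    src: Selector              # alias members or a network; None = any
    dst: Selector              # "LAN net"; None = any
    invert_dst: bool = False   # the Destination/Invert checkbox ("! LAN net")
    quick: bool = True         # first match wins, as OPNsense sets by default

    def matches(self, src: IPv4, dst: IPv4) -> bool:
        if self.src is not None and src not in self.src:
            return False
        if self.dst is not None:
            in_dst = dst in self.dst
            # Not inverted: match only inside dst. Inverted: match only outside dst.
            if in_dst == self.invert_dst:
                return False
        return True


def evaluate(ruleset, src: IPv4, dst: IPv4) -> str:
    """Walk the rules top to bottom; a matching quick rule ends evaluation.
    Nothing matching falls through to pf's implicit default block."""
    result = "block"
    for rule in ruleset:
        if rule.matches(src, dst):
            result = rule.action
            if rule.quick:
                break
    return result


ALLOW_LAN_TO_ANY = Rule("pass", LAN_NET, None)

# First attempt: Destination = LAN net with Invert NOT ticked.
WITHOUT_INVERT = [Rule("reject", BLOCKED, LAN_NET, invert_dst=False), ALLOW_LAN_TO_ANY]
# As clarified: the same rule with Destination/Invert ticked, i.e. "! LAN net".
WITH_INVERT = [Rule("reject", BLOCKED, LAN_NET, invert_dst=True), ALLOW_LAN_TO_ANY]


def check(ruleset) -> dict:
    """Decisions for a few assumed flows that do hit the OPNsense LAN interface."""
    tv = ipaddress.ip_address("192.168.1.50")
    laptop = ipaddress.ip_address("192.168.1.30")         # assumed unrestricted host
    internet = ipaddress.ip_address("203.0.113.10")       # assumed external host (TEST-NET-3)
    return {
        "tv->opnsense": evaluate(ruleset, tv, OPNSENSE_LAN),   # e.g. DNS to the firewall
        "tv->internet": evaluate(ruleset, tv, internet),
        "laptop->internet": evaluate(ruleset, laptop, internet),
    }


if __name__ == "__main__":
    for name, rs in (("without invert", WITHOUT_INVERT), ("with invert", WITH_INVERT)):
        print(name, check(rs))
```

Without Invert the reject only matches LAN destinations, so the TV loses the firewall (and anything routed through it) while its internet traffic falls through to the allow rule and passes, the opposite of what was wanted. With Invert the reject matches everything except LAN net, which is the "connected to router but not to the internet" result in the last reply. Two practical checks: the alias matches IP addresses, so the static leases must stay in place (a device that changes address falls through to the allow rule), and enabling logging on the reject rule lets you confirm hits from the alias in Firewall > Log Files > Live View.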