Topic: Opnsense Requirement in my private network (Read 3647 times)
Ashwini
« on: March 27, 2018, 06:31:21 am »
Hardware 1 - OPNsense host
Hardware 2 - Server
Hardware 3 - Client
HW 1, 2, 3 are in the same network.
Internet access is given only to HW2 (server).
HW3 (client) can access HW2 (server).
HW1 (OPNsense) will act as a firewall/router between HW2 and HW3.
My question is how to protect HW3 (client) in case of an external attack on HW2 (server) using the security features of HW1 (OPNsense).
elektroinside
« Reply #1 on: March 27, 2018, 07:25:30 am »
With carefully crafted firewall rules.
You will delete the default allow any to any rule on the LAN, create one to allow *any* access for hw2, another one to allow access from hw1 only to hw2 (so only on the LAN side), and finally bring up the local firewall of each OS, adding exceptions to whatever is needed. You will also have to assign static DHCP leases for each hw on the LAN, as manually configuring IP addresses on the LAN clients is not recommended in locked down environments. You should also consider static ARP entries (read about it before enabling this, otherwise you may get locked out). You should also use limited local users (without admin privileges) on hw's on the LAN.
Without any other exceptions (rules), access to hw2 from the internet is not allowed. This is what almost all firewalls do by default: allow all outgoing, block all incoming.
« Last Edit: March 27, 2018, 08:06:43 am by elektroinside »
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s
Team Rebellion Member
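
A small model of the LAN ruleset described in the reply above, added here as an example and not part of the original thread. The addresses are constructed, the second rule is modeled with the client (HW3) as its source because that is the access the question asks for, and all three machines are assumed to share one subnet as the question states.

```python
import ipaddress

# Constructed addresses (not from the thread); static DHCP leases keep them stable.
LAN = ipaddress.ip_network("192.168.1.0/24")
HW2_SERVER = ipaddress.ip_address("192.168.1.20")
HW3_CLIENT = ipaddress.ip_address("192.168.1.30")
ANY = ipaddress.ip_network("0.0.0.0/0")

def host(addr):
    return ipaddress.ip_network(f"{addr}/32")

# LAN interface rules after the default "allow any to any" rule is deleted.
# Evaluated top-down, first match wins; no match means the packet is blocked.
LAN_RULES = [
    ("pass", host(HW2_SERVER), ANY),               # server may reach anything
    ("pass", host(HW3_CLIENT), host(HW2_SERVER)),  # assumed reading: client to server only
]

def lan_verdict(src, dst, rules=LAN_RULES):
    """Return the action the LAN ruleset applies to a packet entering from src."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_src, rule_dst in rules:
        if src in rule_src and dst in rule_dst:
            return action
    return "block"  # implicit default deny

def seen_by_firewall(src, dst):
    """Same-subnet traffic is delivered directly and never reaches the LAN rules."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not (src in LAN and dst in LAN)

def audit(flows):
    """Map each (src, dst) flow to 'pass', 'block' or 'host-firewall'."""
    report = {}
    for src, dst in flows:
        if seen_by_firewall(src, dst):
            report[(src, dst)] = lan_verdict(src, dst)
        else:
            report[(src, dst)] = "host-firewall"  # only the OS firewall can filter this
    return report

if __name__ == "__main__":
    flows = [("192.168.1.20", "203.0.113.10"),   # server -> Internet
             ("192.168.1.30", "203.0.113.10"),   # client -> Internet
             ("192.168.1.20", "192.168.1.30"),   # server -> client, same LAN
             ("192.168.1.99", "203.0.113.10")]   # unlisted LAN host -> Internet
    for flow, verdict in audit(flows).items():
        print(flow, verdict)
```

Flows reported as `host-firewall` stay inside the subnet, which is why the reply also calls for the local firewall on each OS.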