Block all but specific destination port

First of all, excuse me for my poor network knowledge.

On a Netgear GS108TV3 (with OpenWrt 22.03) used as a simple local switch (no WAN, only LAN),
I want everything except packets with a specific destination port (e.g. port 20000) to pass through a specific Netgear physical network device (e.g. lan3).
And I want nothing except packets with a specific destination port (e.g. port 30000) to pass through another specific Netgear physical network device (e.g. lan4).

I've made some tests without success, but I think I have to work with firewall zones/rules.
I want to work in LuCI.
I will work with VLANs only if necessary, but if that would simplify the 'concepts', let me change my opinion!

My environment is very simple:
Devices in the network are all in one network class: 192.168.0.0/24 (I've set the OpenWrt configuration port to 192.168.0.1/24).
All devices have to tx/rx everything (the initial OpenWrt default bridge mode), except for a specific device that I don't want to receive a data stream originating from another device. Of this data stream I know the source IP and destination port, and it has a multicast destination.
Moreover, I have a device for which I want to allow only one port for transmission and only one port for receiving.

Thanks in advance for help.

Pietro

You can’t control traffic between devices inside a single zone with a single interface.

So you must separate the destination device to its own interface.
But you can have both these interfaces inside a single firewall zone, set the zone forward to reject, and control your desired allowed traffic with a standard forward-accept firewall rule.

Thanks for the answer,

Some steps achieved, but no success yet.
That said, with respect to the default OpenWrt installation, I had only set the 'lan' interface to the static address 192.168.0.1 with netmask 255.255.255.0, so as to reach the LuCI interface from my PC in 192.168.0.0/24.

First step: separating the destination device, achieved (I think correctly),
taking ideas from https://rene.seindal.dk/2024/06/10/openwrt-and-dmz/

Removed the lan3 network device from the bridge device (switch).
Created an interface with static address 192.168.0.3/24 and added the lan3 network device to it.
With these settings I can see that the two interfaces are separate, as expected.

Then I went to Firewall, set the 'lan' zone's covered networks to lan + my newly created interface, and set 'Forward' to 'accept'.
With this I expected my PC to be able to ping another PC in the 192.168.0.0/24 network class plugged into another switch port. But no.

I made some other attempts with firewall rules, but nothing.

What next? Are the previous steps correct?
I have one doubt: the 'lan' interface has 'switch.1' as its device, but it is the 'switch' device that is the bridge device and collects lan1 + lan2 + ... + lan8.

The second network you create must use a different network numbering scheme.
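Putting the two replies together (the isolated device on its own interface, both interfaces in the one 'lan' zone with forward set to reject, explicit accept rules, and a different subnet for the new network), here is an added UCI example for OpenWrt 22.03 / fw4 that is not from this thread. The interface name 'dmz', the subnet 192.168.2.0/24 and the guess that the blocked stream is UDP are my assumptions; the port 20000 case for lan3 is shown, and lan4 would follow the same pattern with an accept rule for port 30000 only.

```uci
# /etc/config/network (added example, not the thread's own config).
# Stock 22.03 on this switch bridges lan1..lan8 into 'switch' and puts the
# 'lan' interface on 'switch.1'. Remove lan3 from BOTH the port list of
# "config device 'switch'" and the VLAN 1 "config bridge-vlan", otherwise
# lan3 stays a bridge member and cannot carry an interface of its own.

# Assumed name and subnet. It must be a different /24 from 'lan'
# (192.168.0.0/24), as the last reply points out.
config interface 'dmz'
	option device 'lan3'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# /etc/config/firewall
config zone
	option name 'lan'
	list network 'lan'
	list network 'dmz'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'   # lan <-> dmz forwarding needs an explicit rule

# Rules apply in file order, so the block comes before the allow.
config rule
	option name 'Block-20000-to-dmz'
	option src 'lan'
	option dest 'lan'
	option dest_ip '192.168.2.0/24'
	option proto 'udp'        # assumed; use 'tcp udp' if the stream is not UDP
	option dest_port '20000'
	option target 'DROP'

config rule
	option name 'Allow-rest-to-dmz'
	option src 'lan'
	option dest 'lan'
	option dest_ip '192.168.2.0/24'
	option target 'ACCEPT'

# Lets the isolated device open connections towards 192.168.0.0/24;
# replies to connections from there are already allowed by conntrack.
config rule
	option name 'Allow-dmz-to-lan'
	option src 'lan'
	option dest 'lan'
	option src_ip '192.168.2.0/24'
	option target 'ACCEPT'
```

Note that a multicast stream sent on 192.168.0.0/24 is not routed into 192.168.2.0/24 at all unless a multicast routing daemon is installed, so once lan3 is its own subnet the block rule only matters for unicast traffic to port 20000.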