Going by the rules above, the only traffic that should be allowed to access the tfsi subnet is the IPs 192.168.0.11, .22 and .33. However, when both rules are enabled as they are, all traffic to tfsi is blocked from everywhere. If I change the source zone in the "Block all TFSI" rule to "lan", the rules then work as expected. Why is this? I'd rather have it that just those 3 IPs from lan are allowed to access tfsi but everything else is blocked.
The problem is the scoping. Rules with "any zone" as source will be processed earlier in the hierarchy than rules with a specific source zone, regardless of the config order. Try changing the accept rule source to "any zone" as well; the source IP limitation should be sufficient.
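To make the ordering effect in the answer above concrete, here is a small rule-evaluation model (added example, not from either poster and not the firewall's own code). It assumes exactly the behaviour the answer describes: rules whose source zone is "any" are evaluated before rules with a specific source zone, and config order only applies within each group. The three rulesets, the zone names and the probe addresses are constructed for illustration; the IPs 192.168.0.11/.22/.33 are the ones from the question.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str        # zone name or ANY
    src_nets: tuple      # CIDR/host strings, or (ANY,)
    dst_zone: str        # zone name or ANY
    action: str          # "accept" or "block"


def processing_order(rules):
    """Assumed firewall behaviour (per the answer): any-zone rules first,
    then zone-specific rules; stable sort keeps config order inside each group."""
    return sorted(rules, key=lambda r: 0 if r.src_zone == ANY else 1)


def matches(rule, src_zone, src_ip, dst_zone):
    if rule.src_zone != ANY and rule.src_zone != src_zone:
        return False
    if rule.dst_zone != ANY and rule.dst_zone != dst_zone:
        return False
    if rule.src_nets != (ANY,):
        addr = ip_address(src_ip)
        if not any(addr in ip_network(n, strict=False) for n in rule.src_nets):
            return False
    return True


def evaluate(rules, src_zone, src_ip, dst_zone, default="block"):
    """First matching rule in processing order decides; implicit default-deny."""
    for rule in processing_order(rules):
        if matches(rule, src_zone, src_ip, dst_zone):
            return rule.action, rule.name
    return default, "implicit-default"


ALLOWED = ("192.168.0.11", "192.168.0.22", "192.168.0.33")

# Ruleset as posted in the question: accept from lan (3 hosts), block from any zone.
ORIGINAL = [
    Rule("Allow 3 hosts to TFSI", "lan", ALLOWED, "tfsi", "accept"),
    Rule("Block all TFSI", ANY, (ANY,), "tfsi", "block"),
]

# Workaround the asker found: scope the block rule to lan, so both rules
# sit in the same group and config order applies.
FIX_BLOCK_FROM_LAN = [
    Rule("Allow 3 hosts to TFSI", "lan", ALLOWED, "tfsi", "accept"),
    Rule("Block all TFSI", "lan", (ANY,), "tfsi", "block"),
]

# Fix suggested in the answer: make the accept rule any-zone too; the
# source-IP restriction still limits who gets in.
FIX_ACCEPT_FROM_ANY = [
    Rule("Allow 3 hosts to TFSI", ANY, ALLOWED, "tfsi", "accept"),
    Rule("Block all TFSI", ANY, (ANY,), "tfsi", "block"),
]

# Constructed probes: two permitted hosts, one other lan host, one host
# from a hypothetical third zone.
PROBES = [
    ("lan", "192.168.0.11"),
    ("lan", "192.168.0.33"),
    ("lan", "192.168.0.50"),
    ("guest", "10.9.9.9"),
]


def run(rules):
    """Map each probe to the action taken when it tries to reach tfsi."""
    return {ip: evaluate(rules, zone, ip, "tfsi")[0] for zone, ip in PROBES}


if __name__ == "__main__":
    for label, rs in (("original", ORIGINAL),
                      ("block from lan", FIX_BLOCK_FROM_LAN),
                      ("accept from any", FIX_ACCEPT_FROM_ANY)):
        print(label, run(rs))
```

Under the assumed ordering, the original ruleset evaluates "Block all TFSI" first for every packet, so even 192.168.0.11 is blocked; both fixes let the three listed hosts through and block everyone else, including hosts in other zones, which still fall to the block rule or the implicit default.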