I've got a site-to-site VPN (IPsec) set up from my 10.0.0.0/16 to remote 10.128.0.0/16.
I want to block all traffic to my LAN over the IPsec connection, with the exception of the hosts that I allow. I would have thought this was quite easy, but I've tried lots of things and it just seems to allow everything to traverse the link (which I guess is the permissive default).
This means if you want to block 10.0.0.0/16 --> 10.128.0.0/16 do it on the USG that has the 10.0.0.0/16 network(s). This will ensure you're not sending the traffic over the tunnel only to be blocked on the remote side.
Let me know if I can answer more questions about this for you.
OK, remote is not a USG but rather pfSense (but that shouldn't matter?). I want to block on my side so that inbound traffic is dropped (i.e. from 10.128.x.x to 10.0.x.x) except for the machines I allow (I will create a group).
I don't have dynamic routing selected. Should I?
You don't have to use dynamic routing, but it does make it easier to configure and troubleshoot. Since you're wanting to block inbound traffic, you'll need to change up the location of the rules a little.
Instead of placing rules on LAN_IN you should follow this guide that @ubnt_jaffe wrote for policy-based VPNs. https://community.ubnt.com/t5/UniFi-Routing-Switching/Block-VPN-traffic-into-LAN/m-p/2044180#M55762
If you switch to dynamic you should be able to block that inbound traffic on LAN_OUT instead.
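As an added illustration (not from any poster in this thread, and not the content of the linked guide), below is a config.gateway.json fragment for the policy-based (non-dynamic) case on the USG side holding 10.0.0.0/16. On EdgeOS-based gateways, traffic that has just been decrypted from a policy-based IPsec tunnel is evaluated by the WAN_IN ruleset and can be matched with `ipsec match-ipsec`, so the allow-list lives there rather than in LAN_IN. The group name VPN_ALLOWED_HOSTS, the two remote host addresses, and the rule numbers 10 and 20 are assumptions for the example; pick rule numbers that do not collide with the ones your controller already provisions, and the value `"''"` is how a valueless EdgeOS node is written in this JSON format.

```json
{
  "firewall": {
    "group": {
      "address-group": {
        "VPN_ALLOWED_HOSTS": {
          "address": [
            "10.128.0.10",
            "10.128.0.20"
          ],
          "description": "Example remote hosts permitted into 10.0.0.0/16 (assumed addresses)"
        }
      }
    },
    "name": {
      "WAN_IN": {
        "rule": {
          "10": {
            "action": "accept",
            "description": "Example: allow approved remote hosts arriving over IPsec",
            "ipsec": {
              "match-ipsec": "''"
            },
            "source": {
              "group": {
                "address-group": "VPN_ALLOWED_HOSTS"
              }
            },
            "destination": {
              "address": "10.0.0.0/16"
            }
          },
          "20": {
            "action": "drop",
            "description": "Example: drop all other IPsec traffic into the LAN",
            "log": "enable",
            "ipsec": {
              "match-ipsec": "''"
            },
            "destination": {
              "address": "10.0.0.0/16"
            }
          }
        }
      }
    }
  }
}
```

After a force-provision, check the result on the USG with `show configuration commands | match WAN_IN` and confirm that rule 10 precedes rule 20; the accept must be evaluated first or the allow-listed hosts are dropped along with everything else. Because `match-ipsec` only matches traffic that came in through a policy-based tunnel, ordinary internet traffic on WAN_IN is unaffected by these two rules. If you later move to dynamic routing (a route-based VTI tunnel), the decrypted traffic is no longer seen on WAN_IN, and the same allow/drop pair belongs on LAN_OUT as described above.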