Thank you!
I created some acl rules.
I only allowed the macs of the 4 machines that had to pass to my lan, then dropped everything.
it works!
Can I improve the rules further?
0 ;;; consent NVR1
table=ingress invert-match=no src-ports=sfp9 custom-fields="" mac-src-address=3C:EF:8C:20:XX:XX/FF:FF:FF:FF:FF:FF action=forward
attack-filter-bypass=no ingress-vlan-filter-bypass=no egress-vlan-filter-bypass=no isolation-filter-bypass=no
1 ;;; consent NVR2
table=ingress invert-match=no src-ports=sfp9 custom-fields="" mac-src-address=3C:EF:8C:14:XX:XX/FF:FF:FF:FF:FF:FF action=forward
attack-filter-bypass=no ingress-vlan-filter-bypass=no egress-vlan-filter-bypass=no isolation-filter-bypass=no
2 ;;; consent NVR3
table=ingress invert-match=no src-ports=sfp9 custom-fields="" mac-src-address=E4:24:6C:FF:XX:XX/FF:FF:FF:FF:FF:FF action=forward
attack-filter-bypass=no ingress-vlan-filter-bypass=no egress-vlan-filter-bypass=no isolation-filter-bypass=no
3 ;;; consent NVR4
table=ingress invert-match=no src-ports=sfp9 custom-fields="" mac-src-address=C0:39:5A:AC:XX:XX/FF:FF:FF:FF:FF:FF action=forward
attack-filter-bypass=no ingress-vlan-filter-bypass=no egress-vlan-filter-bypass=no isolation-filter-bypass=no
4 ;;; drop all
table=ingress invert-match=no src-ports=sfp9 custom-fields="" action=drop attack-filter-bypass=no ingress-vlan-filter-bypass=no
egress-vlan-filter-bypass=no isolation-filter-bypass=no