Block traffic originating on Vyos system

Our Vyatta system is configured as follows:
2 IP addresses on eth0 - one for VPNs from technicians, the other for VPNs to customers. Call those IPTECH and IPCUST. They’re in the same subnet, and differ from each other only in the last digit.

Two other subnets are used for the VPNs - 1 for tech VPNs, and one for customer VPNs. The Tech VPNs all connect via IPTECH, while the customer VPNs connect via IPCUST. Call those VPNSUBTECH and VPNSUBCUST.

So each VPNSUBTECH address uses IPTECH as the local-host. Each VPNSUBCUST address uses IPCUST with a port unique to each VPNSUBCUST (i.e. IPCUST:5000 for VPNCUST #1, IPCUST:5001 for VPNSUBCUST#2, etc.)

We have firewalls which all start with “default drop”, and they work for filtering traffic between the technician and customer VPNs. This makes it easy to allow a specific subset of technicians for a given customer, since each technician VPN is hard-coded for a unique IP address in VPNSUBTECH.

BUT the firewalls don’t block traffic from IPCUST itself. If someone logs in to IPCUST with ssh, they can then connect to any customer VPN. Is this fixable with some firewall rule? Or does the OS not filter traffic which originates on the same interface as the one providing access to the VPNs? Is this an example of “don’t mix routing and firewalling”?