Bizarre, but it's by design. Security Groups, VMs, etc., are just the logical objects within vCenter/NSX Manager. When you configure a firewall rule, NSX Manager evaluates the objects and sends firewall rules down based on IPs. So if you have multiple VMs with the same IP, they will all match the rule.
To avoid that, you need to use Applied To field in your DFW rule to make sure that the rule is sent only to applicable VMs. So if you have two sets of VMs with overlapping address ranges, one set running on cluster1 and the other on cluster2 and you want to apply the rule only to VMs on cluster1, use cluster1 in Applied To field.
I have had it confirmed by the NSX and HCX teams that this is by design, and using VM objects in NSX may result in not all the IP addresses being detected. As a workaround, you need to create an IPSet with the private IPs for it to register the rules correctly. It would appear everyone else just uses the exclusion list, which is a pain for each upgrade and is a lazy way of doing things.
Security Tags, Groups, VM objects, etc. all do not work; you need to use an IPSet for duplicate private IPs only.
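To make the two points above concrete (rules being pushed as IP matches, so overlapping addresses match everywhere unless Applied To scopes them; and a VM object whose address was never learned resolving to nothing, whereas an IPSet carries the addresses explicitly), here is a small added simulation of how a DFW rule is translated and distributed. It is not NSX code and not from anyone in this thread; the inventory, cluster names, addresses and the VM named app-hcx are constructed, and the model is deliberately simplified to the behaviour the replies describe.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Union


@dataclass(frozen=True)
class VM:
    name: str
    cluster: str
    # Addresses reported for the vNIC (VMware Tools / ARP snooping); may be empty.
    discovered_ips: frozenset


@dataclass(frozen=True)
class IPSet:
    name: str
    ips: frozenset  # addresses are listed explicitly, nothing is discovered


# A grouping object is either an IPSet or a list of VM-object names
# (tags and Security Groups ultimately resolve to VM objects the same way).
Group = Union[IPSet, List[str]]


@dataclass
class Rule:
    name: str
    source: Group
    dest: Group
    action: str
    applied_to: str = "DFW"  # "DFW" = pushed to every vNIC; otherwise a cluster name


# Constructed inventory: both clusters use 10.0.0.0/24, so 10.0.0.10 exists twice.
INVENTORY: Dict[str, VM] = {
    "web-c1": VM("web-c1", "cluster1", frozenset({"10.0.0.10"})),
    "db-c1": VM("db-c1", "cluster1", frozenset({"10.0.0.50"})),
    "web-c2": VM("web-c2", "cluster2", frozenset({"10.0.0.10"})),
    "db-c2": VM("db-c2", "cluster2", frozenset({"10.0.0.50"})),
    # Hypothetical migrated VM whose address was never learned: empty discovered set.
    "app-hcx": VM("app-hcx", "cluster2", frozenset()),
}


def resolve(group: Group, inventory: Dict[str, VM]) -> Set[str]:
    """Translate a grouping object into the IPs the firewall will actually match on."""
    if isinstance(group, IPSet):
        return set(group.ips)
    ips: Set[str] = set()
    for vm_name in group:
        ips |= inventory[vm_name].discovered_ips
    return ips


def compile_rules(rules: List[Rule], inventory: Dict[str, VM]) -> Dict[str, List[dict]]:
    """Per VM, the IP-based rules that land on its vNIC filter after Applied To scoping."""
    per_vm: Dict[str, List[dict]] = {name: [] for name in inventory}
    for rule in rules:
        compiled = {
            "name": rule.name,
            "src": resolve(rule.source, inventory),
            "dst": resolve(rule.dest, inventory),
            "action": rule.action,
        }
        for vm in inventory.values():
            if rule.applied_to in ("DFW", vm.cluster):
                per_vm[vm.name].append(compiled)
    return per_vm


def decide(per_vm: Dict[str, List[dict]], vm_name: str, src_ip: str, dst_ip: str) -> str:
    """First-match evaluation on one vNIC; 'default' means no rule matched."""
    for r in per_vm[vm_name]:
        if src_ip in r["src"] and dst_ip in r["dst"]:
            return r["action"]
    return "default"


if __name__ == "__main__":
    unscoped = Rule("allow-web-to-db", ["web-c1"], ["db-c1"], "allow")
    scoped = Rule("allow-web-to-db", ["web-c1"], ["db-c1"], "allow", applied_to="cluster1")
    # The same 10.0.0.10 -> 10.0.0.50 flow on cluster2 is allowed by the unscoped rule.
    print("unscoped, web-c2:", decide(compile_rules([unscoped], INVENTORY), "web-c2", "10.0.0.10", "10.0.0.50"))
    print("scoped,   web-c2:", decide(compile_rules([scoped], INVENTORY), "web-c2", "10.0.0.10", "10.0.0.50"))
    # VM object with nothing discovered vs. an explicit IPSet.
    print("VM object:", resolve(["app-hcx"], INVENTORY))
    print("IPSet:    ", resolve(IPSet("app-hcx-ips", frozenset({"10.0.0.20"})), INVENTORY))
```

The first two prints show the Applied To effect: with the default scope the compiled rule (source 10.0.0.10, destination 10.0.0.50) reaches web-c2 on cluster2 and allows its identically-addressed flow; scoping the rule to cluster1 keeps it off cluster2's vNICs entirely. The last two show why an empty discovered-address set turns a VM-object rule into one that matches nothing, while an IPSet carries the addresses regardless of detection.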
That's two separate issues. If your IPs are not detected by VMware Tools, did you try to enable ARP Snooping?
ARP Snooping is already enabled, and this has nothing to do with VMware Tools. An NSX engineer confirmed the same issue in the labs and has escalated it as to why Security Groups and Tags do not work with HCX and private IP ranges that are duplicate.
This is only HCX; I have never had any issues with any other VM or device throughout NSX's history.