I set up a configuration with a guest LAN/WIFI using a separate interface with a VLAN id. My switch has dedicated guest ports (untagged with pvid=guest vlan id), and I have a Wifi AP which has a separate SSID for the guest vlan.
In the firewall, I defined an alias for "all local IP addresses", and made a firewall rule:
- Pass from "Guest net" to "! Local IPs"
From my understanding, that would allow guests to access any IP address outside my home network. They still can see each other because the switch doesn't block traffic (it never gets to the firewall for rule checking), but I can live with that.
What is curious: On the wired guest network, I had an internet connection. On the guest Wifi I did not. Then I added a rule
- Pass from "guest net" to "this firewall"
Suddenly, my guest wifi has internet access.
Can you make any sense of it?
Can I at least partially restrict the rule (e.g. only opening certain ports)?
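An added example (mine, not from the post or from any firewall product) that models first-match evaluation of the two rules described above and shows a port-restricted alternative for the "this firewall" rule, as asked in the last question. The addresses, the contents of the "Local IPs" alias, and the assumption that guest clients need DNS and DHCP from the firewall itself are all constructed for the demonstration.

```python
import ipaddress

# Constructed example addresses (assumptions, not from the post): the guest
# VLAN, the firewall's address on it, and the "Local IPs" alias contents.
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")
FIREWALL_IP = ipaddress.ip_address("192.168.50.1")
LOCAL_IPS = [ipaddress.ip_network("192.168.0.0/16"),
             ipaddress.ip_network("10.0.0.0/8")]


def is_local(ip):
    """True when ip falls inside the 'Local IPs' alias."""
    return any(ip in net for net in LOCAL_IPS)


class Rule:
    """A pass rule: source network, destination predicate, optional service set."""

    def __init__(self, name, src_net, dst_ok, services=None):
        self.name, self.src_net, self.dst_ok = name, src_net, dst_ok
        self.services = services  # set of (proto, port); None means any service

    def matches(self, src, dst, proto, dport):
        if src not in self.src_net or not self.dst_ok(dst):
            return False
        return self.services is None or (proto, dport) in self.services


def evaluate(rules, src, dst, proto, dport):
    """First matching pass rule wins; no match means the implicit default block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, proto, dport):
            return rule.name
    return None  # blocked by the default deny


# Rule 1 as posted: Guest net -> ! Local IPs
NOT_LOCAL = Rule("guest -> !LocalIPs", GUEST_NET, lambda ip: not is_local(ip))
# The broad rule the poster added: Guest net -> this firewall, any service
FW_ANY = Rule("guest -> this firewall", GUEST_NET, lambda ip: ip == FIREWALL_IP)
# Narrowed alternative (assumed services): only DNS and DHCP to the firewall
FW_DNS_DHCP = Rule("guest -> firewall dns/dhcp", GUEST_NET,
                   lambda ip: ip == FIREWALL_IP,
                   services={("udp", 53), ("tcp", 53), ("udp", 67)})

ORIGINAL = [NOT_LOCAL]            # internet works, firewall-hosted DNS does not
BROAD = [NOT_LOCAL, FW_ANY]       # everything on the firewall is reachable
NARROW = [NOT_LOCAL, FW_DNS_DHCP] # only the services guests actually need
```

With the "! Local IPs" rule alone, the firewall's own guest-side address is itself a local IP, so a guest's DNS query to it falls through to the default block; the narrowed rule set lets those queries through while still blocking, for example, SSH to the firewall.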