OPNsense Forum

English Forums => General Discussion => Topic started by: jiaodong on November 16, 2025, 02:32:21 AM

Title: How to block the traffic that my client using hotspot
Post by: jiaodong on November 16, 2025, 02:32:21 AM
How to use OPNsense to block the traffic that my internet client using hotspot that other unauthorized device to access my network indirectly? Thanks!
Title: Re: How to block the traffic that my client using hotspot
Post by: meyergru on November 16, 2025, 09:58:07 AM
I do not understand the question, because it can be read two ways:

1. It is a specific client you know which you want to block. In that case, create a floating block rule for the client's MAC in order to block it also if it uses IPv6 privacy extensions, where you cannot block based on IP.

2. You want to block any unknown client - in that case, you would have to create a list of all known MACs of any "authorized" client and allow only those.

That being said, you have to know that any client can and sometimes, for privacy reasons, will, use random MACs - some Android and iPhone smartphones do it by default. You can also fake MACs of existing "authorized" devices. Thus, any kind of MAC-based authorization scheme comes to a natural limit.

If the devices are connected via a hotspot, you can protect the network by using a strong WiFi password in the first place. Some hotspots also allow whitelists for MACs, BTW.

The only "secure" way of protecting your internal network for cabled connections is 802.1x with client certificates - but not all devices can do that and you need 802.1x-capable switches and an LDAP database (like FreeRADIUS).
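
Added example, not part of the thread and not OPNsense code: a small Python audit that compares observed MAC addresses against an allow list and separates randomized (locally administered) addresses from other unknown ones, which illustrates the limit of MAC-based authorization described in the reply above. All host names, MAC addresses and function names are constructed for illustration.

```python
import re

MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")

# Constructed sample data (not taken from the thread).
ALLOWLIST = ["00:11:22:33:44:55", "3C-52-82-AA-BB-CC"]
OBSERVED = [
    ("laptop", "00:11:22:33:44:55"),
    ("printer", "3c:52:82:aa:bb:cc"),
    ("phone", "da:a1:19:0b:7c:3e"),    # first octet 0xda has the 0x02 bit set
    ("guest", "00:25:96:12:34:56"),
    ("cloned", "00:11:22:33:44:55"),   # same MAC as "laptop"
    ("broken", "00:11:22:33:44"),
]

def normalize(mac):
    """Lower-case, accept '-' or ':' separators; None if malformed."""
    m = mac.strip().lower().replace("-", ":")
    return m if MAC_RE.fullmatch(m) else None

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set.
    Randomized 'private' Wi-Fi addresses set this bit."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(observed, allowlist):
    """Sort observed (host, mac) pairs into four buckets."""
    allowed = {normalize(m) for m in allowlist} - {None}
    report = {"allowed": [], "randomized": [], "unknown": [], "malformed": []}
    for host, raw in observed:
        mac = normalize(raw)
        if mac is None:
            report["malformed"].append(host)
        elif mac in allowed:
            # A device presenting a copied MAC lands here too: the list
            # cannot tell "cloned" from "laptop".
            report["allowed"].append(host)
        elif is_locally_administered(mac):
            report["randomized"].append(host)
        else:
            report["unknown"].append(host)
    return report

if __name__ == "__main__":
    for bucket, hosts in audit(OBSERVED, ALLOWLIST).items():
        print(f"{bucket:11s} {', '.join(hosts) or '-'}")
```

Entries in the `randomized` bucket change over time, so they cannot be kept as stable allow list entries, and the `cloned` row shows why a match on the list is not proof of identity.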