OPNsense Forum » Archive » 23.7 Legacy Series » Mimicking IPFire Blue Zone in Opnsense
Topic: Mimicking IPFire Blue Zone in Opnsense (Read 664 times)
blight (Newbie, Posts: 3, Karma: 0)
« on: January 10, 2024, 10:49:06 am »
Hi everyone
I am busy moving from an IPFire setup to Opnsense as it seems more active and has more functionality.
One thing that I am missing going through the setup is the ability to create a "Blue" Zone which in IPFire is the wireless zone. Basically it does the following:
- Only allows clients "connectivity" if their MAC address has been added
- Allows traffic from the Blue zone to the internet (WAN) but not to the LAN zone unless specific rules are opened
Does anyone have any guide or reference to achieve this on an OPT interface in Opnsense?
Assistance is much appreciated
Regards
Brendon
meyergru (Hero Member, Posts: 1684, Karma: 165, IT Aficionado)
Re: Mimicking IPFire Blue Zone in Opnsense « Reply #1 on: January 10, 2024, 11:05:52 am »
You could configure this as any additional (V)LAN, but instead of the "Allow Any->Any" rule for that interface, you could use a network group firewall alias consisting of MAC firewall aliases. Devices not in that list could still connect to other devices on the same WLAN unless client isolation is possible on your equipment.
Usually, access control is not the job of the firewall, but the network layer. You would usually do this with 802.1x and a FreeRadius database - if your WLAN equipment allows it. Some brands (e.g. Unifi) have MAC-based allow lists.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up, Bufferbloat A+
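Added example, not part of the original thread and not OPNsense code: a simplified Python model of the rule order suggested in reply #1 (MAC allow list instead of "Allow Any->Any", WLAN-to-LAN blocked except for specific openings), evaluated first match wins. All subnets, MAC addresses and the LAN exception are constructed values, and the function and constant names are hypothetical.

```python
"""Simplified model of a MAC-allow-listed WLAN interface (constructed example)."""
from ipaddress import ip_address, ip_network

# Constructed values for illustration only.
BLUE_NET = ip_network("192.168.50.0/24")    # hypothetical WLAN (OPT) subnet
BLUE_GW = ip_address("192.168.50.1")        # firewall's own address on the WLAN
LAN_NET = ip_network("192.168.1.0/24")      # hypothetical LAN subnet
ALLOWED_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}  # stands in for the group of MAC aliases
LAN_EXCEPTIONS = {(ip_address("192.168.1.10"), 631)}       # one LAN host/port opened to the WLAN

def norm(mac):
    """Normalise a MAC so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.lower().replace("-", ":")

def decide(src_mac, src_ip, dst_ip, dst_port):
    """Return the verdict for one new connection coming from the WLAN."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if src not in BLUE_NET:
        return "block: source not in WLAN subnet"
    # Client-to-client traffic inside the WLAN is handled by the access point
    # and never crosses the firewall, so no rule here can stop it. Only
    # client isolation on the WLAN equipment does.
    if dst in BLUE_NET and dst != BLUE_GW:
        return "not seen by firewall"
    known = norm(src_mac) in ALLOWED_MACS
    # Rules in order, first match wins.
    if known and (dst, dst_port) in LAN_EXCEPTIONS:
        return "pass: LAN exception"
    if dst in LAN_NET:
        return "block: WLAN to LAN"
    if known:
        return "pass: listed MAC"
    return "block: default deny"  # replaces the usual allow-any rule

if __name__ == "__main__":
    samples = [  # constructed connections
        ("AA-BB-CC-00-00-01", "192.168.50.20", "203.0.113.7", 443),
        ("aa:bb:cc:00:00:01", "192.168.50.20", "192.168.1.5", 22),
        ("aa:bb:cc:00:00:01", "192.168.50.20", "192.168.1.10", 631),
        ("de:ad:be:ef:00:09", "192.168.50.30", "203.0.113.7", 443),
        ("de:ad:be:ef:00:09", "192.168.50.30", "192.168.50.20", 445),
    ]
    for s in samples:
        print(s, "->", decide(*s))
```

The "not seen by firewall" verdict is the point made in the reply: an unlisted device can still reach other devices on the same WLAN unless the access point isolates clients.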