Short answer: yes, you need to enforce your policy at the switch level.
Long answer follows.
Isolating hosts within the BLUE network in IPFire (or any similar network segment designated for wireless or less trusted devices) is possible because of the capabilities of the wireless access point or the wireless controller managing the network.
Many wireless access points have a feature known as “client isolation,” “AP isolation,” or “station isolation.” This feature prevents wireless clients (devices connected to the WAP) from communicating directly with each other over the wireless network. Instead, all traffic must go through the access point, which can then enforce policies to restrict direct client-to-client communication. Since all wireless clients communicate through the access point, it’s easier to enforce isolation at this central point.
To achieve the isolation of hosts within the same network segment of a wired subnet, you would typically use features available at the switch level. In other words, you would need a managed switch that supports special features, some of which are listed below.
Some managed switches support Private VLANs, a feature that allows you to isolate devices within the same VLAN. In a PVLAN setup, devices can be configured in such a way that they can communicate with a designated uplink (like a router or firewall) but not with each other. This is commonly used in environments like hotels or apartment buildings to prevent guests from accessing each other’s devices.
Some advanced switches offer ACL capabilities, allowing you to define rules that govern the traffic between different ports on the switch. By setting up ACLs, you can specify that certain devices (or ports) are not allowed to communicate with each other.
Similar to PVLANs, port isolation (or private VLAN edge) is a feature on some switches that isolates traffic between ports within the same VLAN. Each port in an isolated VLAN can only communicate with uplink ports.
Finally, if you have a Layer 3 switch (a switch with routing capabilities), you can segment your network into different subnets and then use ACLs or routing rules to control traffic between these subnets.
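As an added illustration (not part of the original answer), here is what the port-isolation and private-VLAN options described above look like on a managed switch in Cisco IOS syntax; the interface names, VLAN IDs and descriptions are constructed, and the two options are alternatives, so apply only one.

```cisco
! Added example, not from the original answer: Cisco IOS style configuration
! for a managed access switch carrying an IPFire BLUE segment. Interface names,
! VLAN IDs and descriptions are constructed for illustration.
!
! --- Option 1: port isolation ("private VLAN edge" / protected ports) ---
! Protected ports cannot exchange unicast, multicast or broadcast frames with
! other protected ports on the SAME switch. They can still reach unprotected
! ports, so the uplink towards the IPFire BLUE interface stays unprotected.
vlan 20
 name BLUE
!
interface range GigabitEthernet1/0/1 - 23
 description BLUE client ports (isolated from each other)
 switchport mode access
 switchport access vlan 20
 switchport protected
!
interface GigabitEthernet1/0/24
 description Uplink to IPFire BLUE interface
 switchport mode access
 switchport access vlan 20
 no switchport protected
!
! --- Option 2: private VLANs (isolation also holds across PVLAN-capable
! switches, which protected ports do not provide) ---
! Primary VLAN 20 carries the uplink; isolated secondary VLAN 201 holds the
! clients. Hosts in an isolated VLAN can only talk to promiscuous ports.
vtp mode transparent          ! required when running VTP version 1 or 2
vlan 201
 private-vlan isolated
vlan 20
 private-vlan primary
 private-vlan association 201
!
interface range GigabitEthernet1/0/1 - 23
 description BLUE client ports (isolated secondary VLAN)
 switchport mode private-vlan host
 switchport private-vlan host-association 20 201
!
interface GigabitEthernet1/0/24
 description Uplink to IPFire BLUE interface (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 20 201
!
! Verify: "show interfaces switchport" reports "Protected: true" (option 1)
! or the private-vlan host association (option 2); "show vlan private-vlan"
! lists the primary/isolated mapping.
```

With either option the IPFire BLUE firewall rules still decide what the isolated hosts may reach beyond the segment; the switch only stops them from reaching each other.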