Block access to group of hosts within BLUE

My Netgear WiFi router is set up as an AP, in Bridge mode. The router and two satellites are hosts in the BLUE network, together with all other WiFi devices. I want to block access from all other BLUE hosts to these three Netgear devices, to prevent a guest from accessing their Admin UI. Access to these devices should only be allowed from GREEN hosts and from the other Netgear devices, so that they can communicate with each other.

I have tried the following steps:

  1. Set up each Netgear device as a Host, in Firewall Groups. I have tried identifying them by MAC and by IP, it doesn’t change the result.
  2. Create the Netgear Host Group, containing the three hosts.
  3. Create three ACCEPT Firewall Rules, one for each Host above as Source, and with the Netgear Group as destination.
  4. Create one DROP Firewall Rule, with the BLUE standard network as Source, and with the Netgear Group as destination, with logging enabled.

I expected that other WiFi devices on BLUE would not be able to access the Netgear Admin UI, but they still can. Nothing appears on the Firewall Log.

Any advice? Thanks!


if the network traffic does not have to pass through IPFire (which is usually the case if source and destination are within the same subnet or zone), it cannot be filtered by the firewall - the machine simply does not observe the corresponding packets.

Thanks, and best regards,
Peter Müller