Enabling Guest Network on AP - or in IPFire?

A locksmith once asked me what a lock does.
!?
He told me: “A lock keeps an honest man honest.”

WiFi is the same thing.
Sometimes one lock is better than another.
All will fall to the one that wants in.


:warning: So that did NOT work:

After some fiddling and testing it would seem that in order to use GROUPS when wanting access from BLUE to GREEN, this setting is working.

I will have to rewrite my “man” for this.

So why just not doing individual rules per device, that also works…

Well. Sure. I just thought it would be better to control device access without having to modify Firewall Rules every time.

Monday morning, I feel I need to recap this, perhaps even material for an entry in the IPFire Wiki.

What did I want to achieve?

Deny access to internal network resources, like file shares, to some less trusted wireless devices, IoT sensors and hubs among them.

While doing that, making sure some other Wireless devices KEPT that same access.

How?

Since I did not have a Blue Wifi setup yet, I added that to IPFire, with its own IP span, connecting all Wifi devices to that via NIC and Wifi Access Points. Then I created rules that would allow some trusted devices through from the BLUE Wifi network into the GREEN. That was actually the fiddliest part, and most of my screenshots above are to illustrate that. Pinhole access.

Using Groups to gather all the trusted devices is a lot more efficient than adding a separate pinhole rule for each device, so that was a big part of the fiddling.

A severe challenge is the matter of randomized MAC addresses that some devices, like smartphones and tablets, have. Even Windows. It is directed towards improving network security, but you cannot create a pinhole rule for a device with a randomized MAC address function. Not that I am aware of, anyway.

A few days later, as I type this, everything is working as intended. One needs to keep an updated access document and disable the annoying random MAC function on any new devices, but that comes with the job.
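The randomized-MAC problem described above can at least be audited: a private/randomized MAC has the locally-administered (U/L) bit set in its first octet, so a trusted device showing such an address will fall out of a MAC-based pinhole group the next time its OS rotates the address. The following is an added example, not code from the post or from IPFire; the lease list, the BLUE subnet and the trusted group are all constructed placeholders.

```python
import ipaddress
import re

# Constructed lease list in the shape "ip mac hostname" (NOT IPFire's own lease file format).
SAMPLE_LEASES = """\
192.168.20.11 74:d0:2b:11:22:33 work-laptop
192.168.20.12 7A:3F:C1:44:55:66 phone-anna
192.168.20.13 02:1a:2b:3c:4d:5e tablet
192.168.20.20 b8:27:eb:aa:bb:cc iot-hub
"""
BLUE_NET = ipaddress.ip_network("192.168.20.0/24")          # assumed BLUE IP span
TRUSTED_GROUP = {"74:d0:2b:11:22:33", "7a:3f:c1:44:55:66"}  # assumed pinhole group (lowercase)

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def is_locally_administered(mac: str) -> bool:
    """Randomized/private MACs set the U/L bit (bit 1 of the first octet)."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac}")
    return bool(int(mac[:2], 16) & 0x02)


def audit_leases(text: str, trusted: set, blue=BLUE_NET) -> list:
    """One record per lease: is it in the pinhole group, and will the group rule keep matching it?"""
    records = []
    for line in text.splitlines():
        ip, mac, host = line.split()
        mac = mac.lower()
        rec = {
            "host": host,
            "ip": ip,
            "in_blue": ipaddress.ip_address(ip) in blue,
            "trusted": mac in trusted,
            "randomized": is_locally_administered(mac),
        }
        # A trusted device on a randomized MAC will silently lose its pinhole on the
        # next address rotation; flag it so it gets fixed in the access document.
        rec["warning"] = rec["trusted"] and rec["randomized"]
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in audit_leases(SAMPLE_LEASES, TRUSTED_GROUP):
        flag = "CHECK" if r["warning"] else "ok"
        print(f"{flag:5} {r['host']:12} {r['ip']:15} trusted={r['trusted']} randomized={r['randomized']}")
```

Run against a real lease export, only the rows marked CHECK need the per-device "disable random MAC" treatment before the group rule can be relied on.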

@sec-con Two comments. One, I think you can safely disable the filtering based on the ethernet addresses, at this point the juice is not worth the squeeze. This next statement might be controversial, but from my point of view it has become just security placebo.

Two, there is another approach you could consider to achieve your goals instead of opening a group level pinhole: using a VPN inside your LAN. I did it with both OpenVPN and IPSec, and in both cases not only do you encrypt the communication with single user certificates, but you change the IP (in the green range for IPSec and in another sub-net for OpenVPN) and therefore acquire high granularity in the privileges of the users.

Yeah, well, there are only 3 users involved… unless I include the dog and the cat. :dog2: :cat2:

All in all, your solution might be something to look at if implementing on networks with a greater number of users and devices. I have only about 16 IoT devices and a couple of smartphones and laptops that I wanted to exclude and shut out of my LAN.