We have a spare guest room and it has a cat6 ethernet port connected to the patch panel.
I want to set up a guest network here that cannot access anything on Green.
After reading various posts, it seems that creating a Blue network and connecting it to an Access Point (via the patch panel) is the way to go. By default, IPFire protects the Green from the Blue and it protects the Blue from the internet with the existing Rules, Blocklists, etc.
That is indeed the case; my guest room had an extra cat6 connection to my patch panel, and I connected that to the Blue NIC on my IPF, and that is where my AP is connected now; I turned on DHCP on Blue, then under Firewall > blue access, you still need to allow access to the internet on a device by device basis, unless you create a rule that will grant access to any device that connects to the Wi-Fi. They will be separate from Green, but you can access them from green to blue if needed.