Hi @mrte
So if I understand correctly, you want to connect your three Unifi APs to a non-managed switch, which then connects them to the Blue zone interface on IPFire, and to have three different SSIDs on the APs. You can do that, but the clients on the three SSIDs will not be separate once they are in IPFire.
The default setting for the Blue zone, once Blue Access is set, is access to the Red and Orange zones and also access to the IPFire WUI.
If you want to prevent access to the IPFire WUI from Blue see link.
You could then control the different clients via Firewall Rules based on their IP addresses that you have provided from the Blue DHCP. So you could only allow the IoT clients to access the Red (Internet) and nothing else, and specific trusted clients could have a rule to access services on Green from Blue using the principle of DMZ pinholes but adjusting for access from Blue to Green.
However, all your clients will be in the same subnet and hence not separated.
As @anon65703081 mentioned, this separation would usually be done via VLAN IDs and managed switches. On IPFire you can only set up one VLAN ID per zone, so that would be one SSID per zone if using VLANs.
I am doing the same as @anon65703081, using APs with two SSIDs, one of which goes to Green for access for myself to all services and the other to Blue for guests. The two SSIDs have different VLAN IDs which are sent to the different IPFire zones via managed switches.
I don’t believe that the full separation of the different SSIDs as you describe can be done with IPFire.
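
A small model of the setup discussed in the reply above, added here as an example and not part of the original post or of IPFire: it shows which flows per-IP rules on Blue can govern and which never reach the firewall because both ends share the Blue subnet. The subnets, lease addresses, group names and the port are constructed, and it assumes the APs bridge all SSIDs to the same untagged network with no client isolation.

```python
import ipaddress

# Constructed addressing and leases; none of these values come from the post.
BLUE = ipaddress.ip_network("192.168.2.0/24")
GREEN = ipaddress.ip_network("192.168.1.0/24")
GROUPS = {  # hypothetical fixed leases handed out by the Blue DHCP
    "iot": {"192.168.2.50", "192.168.2.51"},
    "trusted": {"192.168.2.10"},
}
# (source group, destination zone, destination port); None means any port.
ALLOW = {
    ("iot", "red", None),
    ("trusted", "red", None),
    ("trusted", "green", 443),  # pinhole-style rule, Blue to Green
}


def zone_of(ip):
    """Map an address to a zone; anything outside Blue and Green is Red."""
    if ip in BLUE:
        return "blue"
    if ip in GREEN:
        return "green"
    return "red"


def group_of(ip):
    """Return the client group for a Blue address, or None if it has no lease entry."""
    return next((g for g, members in GROUPS.items() if str(ip) in members), None)


def verdict(src, dst, port):
    """Decide what happens to a flow that starts at a Blue client."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in BLUE:
        raise ValueError("this model only covers flows that start in Blue")
    if dst in BLUE:
        # Same subnet: the client reaches the peer directly over the switch
        # and APs, so no rule on the firewall is ever consulted.
        return "not routed"
    dst_zone, group = zone_of(dst), group_of(src)
    if (group, dst_zone, None) in ALLOW or (group, dst_zone, port) in ALLOW:
        return "allow"
    return "drop"  # assumption: unlisted flows are dropped in this model


if __name__ == "__main__":
    for flow in [("192.168.2.50", "203.0.113.10", 443),
                 ("192.168.2.50", "192.168.2.10", 22)]:
        print(flow, "->", verdict(*flow))
```
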