Hey, friends. Got a bit of an interesting use case here, and am hoping someone can help me figure out the appropriate rule(s).

tl;dr - how can I block known devices from everything if they connect to a different vlan?

Background:

I have a FWG . Very happy with it.

Have created a User for each of my children and assigned each of their devices to a Group accordingly. Using Family Protect and have also created a rule per child which blocks all internet access from an hour before bedtime until breakfast the next day.

A separate rule per kid for staggered bedtimes. Devices include things like iPads, fire sticks in bedrooms and the oldest has an iPhone.

The FWG is connected to a cheap Chinese managed switch and all household / family stuff is on a flat network (vlan 1).

We have a guest network (vlan 66) which is set as a sub-interface on the Firewalla and trunked from the switch as tagged traffic.

Ruckus Unleashed APs assign the tag to guest devices when they join the SSID we share. Guest rules in the Firewalla throttle internet speed and prevent access to our family / household devices.

Now, My eldest child has the guest WiFi details to give to friends when they come over - how do I set things so that she can’t use it herself? I’m fed up of “Dad, I can’t print”, “Dad, the internet is shit”, “Dad, why don’t my lights work?”, etc. demands when she’s connected to the wrong network.

Essentially, I want to set things such that if a family device connects to the guest network it is treated like the quarantine setup and completely black-holed - but I don’t want to set the built-in Quarantine option as non-family devices should connect (subject to the rules set) without any admin intervention from me. And mac-randomisation is a bitch.

I’ve had a good poke around in the settings and scratched my head trying to figure this out - has anyone done similar? Any pointers?

Thanks!