Let me get straight to your questions: 1) Yes, by default everything is allowed on MX 2) Have you bound the group config to the correct VLAN interface? In a nutshell and giving a sneak preview for question 4: you don't need a source here because the source is the VLAN the group policy is bound to. This has to be taken care of in the firewall ruleset 3) If you want to prevent your Wifi devices (from the Wifi VLAN) to everything else, you will have to have sereal "Deny" statements (or use a supernet if possible). Otherwise, the policy looks rather fine 4) As said above: if you're using group policies only, there will be no "Source" column. If you need to specify specific source IPs, you would rather use the "global" firewall ruleset (Security & SD-WAN -> Firewall). Hope that helps...
... View more