MacOS – How to prevent internet access to specific clients

Tags: macos, network, osx-server

I have a Mac OS X Server which also runs a DHCP and DNS server for my network. I would like to have a simple way (possibly even a bash script) to temporarily prevent internet access for specific devices.
For example I would like to deactivate the kid's Apple TV from streaming content from the internet, when I am working remotely.

Thanks

Best Answer

Set up your server as an internal gateway similar to the network configuration in this question:

Router <-- ethernet (or Wi-Fi) --> Server <-- ethernet --> switch <-> internal network

Then adjust all settings as outlined in my answer there:

I assume the following IP addresses/netmasks:

Router: 192.168.0.1/24
Server: en0: 192.168.0.2/24, gateway 192.168.0.1; en1: 192.168.1.2/24
Internal network: 192.168.1.0/24

  1. First you have to enable forwarding on your server computer with the following commands:

    sudo sysctl -w net.inet.ip.forwarding=1
    sudo sysctl -w net.inet.ip.fw.enable=1
    
  2. In order to do NAT you have to create a pfctl rule. Create a file called "nat-rules" with the following content:

    nat on en0 from en1 to any -> (en0)
    
  3. Save the file and now start pfctl using the rule from the file we have created earlier:

    sudo pfctl -d #disables pfctl
    sudo pfctl -F all #flushes all pfctl rules
    sudo pfctl -f /Path/to/file/nat-rules -e #starts pfctl and loads the rules from the nat-rules file
    
  4. Now configure a static route on your router:

    192.168.1.0/24 (the internal network) -> 192.168.0.2 (server IP-address of the external interface connected to the router)

  5. Enable the DHCP-service on your server:

    • Name: choose a name
    • Network Interface: en1
    • Starting IP address: 192.168.1.10
    • Ending IP address: 192.168.1.100
    • Subnet Netmask: 255.255.255.0
    • Router: 192.168.1.2
    • DNS: some or your DNS-server (e.g. 8.8.8.8 or 192.168.1.2)
  6. Now use pfctl to add rules or get a pfctl-GUI like IceFloor or Murus to configure your firewall. Both apps should also allow you to enable NAT (step 2/3). You may define two different rulesets: one which only allows your computer to access the internet from the internal network and a different one which doesn't restrict internet access.
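A bash script in the spirit of step 6, added here as an example and not part of the answer above: it regenerates the ruleset with the NAT rule from step 2 plus block rules for the clients you name, so the Apple TV can be cut off and reconnected from the command line. Interfaces and addresses follow the answer (en0 external, en1 internal, server 192.168.1.2); the Apple TV address 192.168.1.50 and the rules file path are assumed placeholders.

```bash
#!/bin/bash
# Build and load a pf ruleset that keeps NAT working and blocks selected
# internal clients from the internet. Example code; the client address and
# RULES_FILE below are assumptions, the rest follows the answer's setup.
set -u

EXT_IF=en0
INT_IF=en1
SERVER_INT_IP=192.168.1.2
RULES_FILE=${RULES_FILE:-/etc/pf.blocklist.conf}   # assumed location

# Print a complete ruleset. Each argument is an internal IP to block.
# pf applies NAT before filtering on en0, so a packet leaving en0 already
# carries the server's address; filter inbound on en1 instead, where the
# client's real source address is still visible.
build_rules() {
    printf 'nat on %s from %s to any -> (%s)\n' "$EXT_IF" "$INT_IF" "$EXT_IF"
    for ip in "$@"; do
        # Keep DNS/DHCP to the server (unicast and broadcast) working ...
        printf 'pass in quick on %s from %s to { %s, 255.255.255.255 }\n' \
            "$INT_IF" "$ip" "$SERVER_INT_IP"
        # ... and drop everything else the client sends through the gateway.
        printf 'block drop in quick on %s from %s to any\n' "$INT_IF" "$ip"
    done
}

# Write the ruleset, syntax-check it, then reload pf the way the answer does
# (disable, flush, load + enable). With no IPs it lifts every block.
apply_rules() {
    build_rules "$@" > "$RULES_FILE"
    pfctl -nf "$RULES_FILE" || return 1   # parse only; refuse a broken file
    pfctl -d 2>/dev/null                  # ignore "pf not enabled"
    pfctl -F all
    pfctl -f "$RULES_FILE" -e
}

# Usage: sudo ./block-clients.sh apply 192.168.1.50 [more IPs]
#        sudo ./block-clients.sh apply                (lift all blocks)
#        ./block-clients.sh show 192.168.1.50         (print the ruleset only)
case "${1:-}" in
    apply) shift; apply_rules "$@" ;;
    show)  shift; build_rules "$@" ;;
esac
```

Run `show` first and compare the output with `sudo pfctl -sr` after `apply` to confirm the block rules were loaded.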