Captive Portal Pass-through MAC does not allow incoming connections.
In order to avoid assigning static IPs to computers to let them through the firewall without logging in, we assign Pass-through MAC address exceptions for each one. The problem is no external requests can reach them and there's no "to/from" option as in "Allowed IP addresses". This forces us to assign a static IPs to each computer and add a "to" rule for that IP in the "Allowed IP addresses". Pass-through MAC address exception should either allow incoming connections as well or have "to/from" options.
We have an internal IIS server which is port forwarded from the outside. With a captive portal MAC address exception it can't be accessed. Only with both "To" and "From" IP address exceptions can it be accessed.