pfSense

ipfw supports masking MACs, sort of like a CIDR, and this could be a useful feature to allow, for example, all phones from a certain manufacturer to bypass the portal.

If you disable the MAC validation in the GUI and input, for example, 00:04:13:00:00:00/24 - ipfw accepts the input.

So this may be as simple as expanding the input validation to accommodate the masking, or adding a drop-down from 0-48 (maybe with steps by 4 or 8).

From ipfw(8)

     { MAC | mac } dst-mac src-mac
             Match packets with a given dst-mac and src-mac addresses, speci-
             fied as the any keyword (matching any MAC address), or six groups
             of hex digits separated by colons, and optionally followed by a
             mask indicating the significant bits.  The mask may be specified
             using either of the following methods:

             1.      A slash (/) followed by the number of significant bits.
                     For example, an address with 33 significant bits could be
                     specified as:

                           MAC 10:20:30:40:50:60/33 any

             2.      An ampersand (&) followed by a bitmask specified as six
                     groups of hex digits separated by colons.  For example,
                     an address in which the last 16 bits are significant
                     could be specified as:

                           MAC 10:20:30:40:50:60&00:00:00:00:ff:ff any

                     Note that the ampersand character has a special meaning
                     in many shells and should generally be escaped.

             Note that the order of MAC addresses (destination first, source
             second) is the same as on the wire, but the opposite of the one
             used for IP addresses.