How to single out a device in the guest network from upstream pfSense firewall

My OpenWRT AP is connected to an upstream pfSense firewall that also does all the LAN routing.

I followed the Guest Network on Dumb AP tutorial here and it works great.

However, I ran into a new use case where I would like to limit a device that logs onto the guest network to only be able to visit a few select IP addresses.

I guess I could bind a local IP in the guest network to that device (my Kobo reader) and write a few rules in the "LuCI firewall". But I would prefer keeping all my firewall rules in my pfSense firewall. The problem is: outgoing connections from the Kobo reader and other devices on the OpenWRT guest network all seem to be coming from the OpenWRT local IP address in my LAN subnet, not from their individual guest subnet IP addresses.

Is there any way I can match traffic from the Kobo reader on the guest network when writing rules in pfSense?