Bug #11115
closed
I've read the gdoc, but I would propose to reject this issue.
But the challenge is that [...] there is an option for a client from any of the LANs to secure a DHCP lease on LAN-Guest and thereby circumvent firewall rules specific to the assigned LAN.
DHCP protocol cannot be routed from one LAN to another (the protocol is internally using the broadcast address of the LAN it is enabled on, which makes it non-routable. That's why you have a "DHCP relay" feature on pfSense), and in general, it is not possible for one client to bypass the firewall rules specific to its assigned LAN.
If you are indeed having multiple LANs and if each LAN is correctly separated from the others (there's no point to having multiple LANs if they are connected to the same switch... unless you have VLAN tagging enabled on the switch), then what you describe is not possible.
Also, the feature you are asking for already exists: it's part of the captive portal, where there's a more convenient "Allowed/Denied MAC" option available (be aware that the captive portal got significantly upgraded in the upcoming 2.5 version).
- Status changed from New to Rejected
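The point made above, that a DHCP DISCOVER is a link-local limited broadcast which a router never forwards, and that even a configured DHCP relay only turns it into a unicast carrying giaddr so the server still hands out a lease from the requesting LAN's own pool, can be shown with a small model. The following is an added example, not code from pfSense or from this thread; the two LANs, their router addresses, the pools, the client MAC and the relay target are all constructed values.

```python
"""Model of why a client on one LAN cannot obtain a DHCP lease from another LAN."""
import ipaddress
import struct
from typing import Optional

LIMITED_BROADCAST = "255.255.255.255"
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # RFC 2131 fixed fields, 236 bytes

# Constructed topology (hypothetical addresses): one router address and one
# DHCP pool per LAN, as a pfSense box with two interfaces would have.
LANS = {
    "LAN-IoT":   {"router_ip": "192.168.20.1", "pool": ipaddress.ip_network("192.168.20.0/24")},
    "LAN-Guest": {"router_ip": "192.168.30.1", "pool": ipaddress.ip_network("192.168.30.0/24")},
}
MAC = bytes.fromhex("02000000aa01")  # constructed, locally administered client MAC


def build_dhcp_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Minimal DHCPDISCOVER as a client sends it: op=1, hops=0, giaddr=0, option 53=1."""
    header = struct.pack(HEADER_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         client_mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([53, 1, 1, 255])


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fields a relay or server looks at: hops, giaddr, chaddr, message type."""
    f = struct.unpack(HEADER_FMT, payload[:236])
    body, i, opts = payload[236:], 4, {}  # skip the 4-byte magic cookie
    assert body[:4] == MAGIC_COOKIE
    while i < len(body) and body[i] != 255:  # 255 = end option
        if body[i] == 0:                      # 0 = pad
            i += 1
            continue
        code, ln = body[i], body[i + 1]
        opts[code] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"hops": f[3], "giaddr": str(ipaddress.IPv4Address(f[10])),
            "chaddr": f[11][:6], "msg_type": opts.get(53, b"\0")[0]}


def client_broadcast(lan: str, client_mac: bytes) -> dict:
    """What leaves the client's NIC: src 0.0.0.0, dst 255.255.255.255, on its own LAN only."""
    return {"ingress_lan": lan, "src": "0.0.0.0", "dst": LIMITED_BROADCAST,
            "payload": build_dhcp_discover(client_mac)}


def router_forward(dgram: dict, relay_to: Optional[str] = None) -> Optional[dict]:
    """The router between the LANs. A limited-broadcast datagram is never routed
    (RFC 1812 section 4.2.2.11). Only a DHCP relay explicitly configured on the
    ingress interface rewrites it into a unicast to a server (RFC 2131 section 4.1.1)."""
    if dgram["dst"] != LIMITED_BROADCAST:
        return dgram                      # ordinary unicast: normal routing applies
    if relay_to is None:
        return None                       # dropped: the other LAN never sees it
    relay_ip = LANS[dgram["ingress_lan"]]["router_ip"]
    p = bytearray(dgram["payload"])
    p[3] += 1                             # hops
    if bytes(p[24:28]) == b"\0" * 4:      # giaddr is set only by the first relay
        p[24:28] = ipaddress.IPv4Address(relay_ip).packed
    return {"ingress_lan": None, "src": relay_ip, "dst": relay_to, "payload": bytes(p)}


def server_select_pool(dgram: dict) -> ipaddress.IPv4Network:
    """Pool selection on the server (RFC 2131 section 4.3.1): the subnet of giaddr when
    relayed, otherwise the subnet of the interface the broadcast arrived on."""
    giaddr = parse_dhcp(dgram["payload"])["giaddr"]
    if giaddr != "0.0.0.0":
        return next(lan["pool"] for lan in LANS.values()
                    if ipaddress.ip_address(giaddr) in lan["pool"])
    return LANS[dgram["ingress_lan"]]["pool"]


def lease_subnet_for(lan: str, client_mac: bytes, relay_to: Optional[str] = None) -> ipaddress.IPv4Network:
    """Subnet a client on `lan` can be leased from, with or without a relay: its own LAN's."""
    dgram = client_broadcast(lan, client_mac)
    seen_by_server = router_forward(dgram, relay_to) if relay_to else dgram
    return server_select_pool(seen_by_server)


if __name__ == "__main__":
    print("forwarded without relay:", router_forward(client_broadcast("LAN-IoT", MAC)))
    print("lease, local server:    ", lease_subnet_for("LAN-IoT", MAC))
    print("lease, relayed to guest:", lease_subnet_for("LAN-IoT", MAC, relay_to="192.168.30.10"))
```

Whether the request stays on its own LAN or is relayed (here to a hypothetical server 192.168.30.10 on LAN-Guest), the IoT client ends up in 192.168.20.0/24, so the per-interface firewall rules for that LAN still apply to it; the MAC deny list on the Guest interface's DHCP server only matters for hosts that are actually attached to that segment.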
If you need to deny that many MACs from DHCP you've got an L2 or design issue, not a GUI problem.
Hi Jim,
This network is for my house and my needs are as follows:
- Add 25+ IoTs that have a total of about 35 MAC addresses, as a few devices have wired and wireless interfaces
- Add IoTs to a dedicated LAN
- Not allow IoTs to get on Guest LAN
What other designs do you think I should research (besides adding all 35+ MAC addresses to the MAC Deny list of Guest LAN) for such a topology?
I am not a network professional and will appreciate any pointers if there are better ways of doing the above things.
Regards.
Post on the forum. This is not a site for that kind of discussion.
Hi Jim,
Just wanted to post a closure as other non-networking folks may get the same idea!
I invested some time in learning about layer-2 & layer-3 switches and also tried hands-on tests with VLANs. Totally understand (now) what you said in your comment above.
Thanks for putting me in the right direction, I came out more knowledgeable about networking concepts and hopefully security.
Have a great 2021!
Regards.