For this entry, it is specifically 'Outgoing IP Filtering' under the 'Security' menu item, and only for isolating your "Internet of Things" network further. It is also under the assumption that you have determined where your IoT device(s) "phone home" on the Internet like I have. There is some preliminary work we are going to do on pfSense first, then we will return to the modem for the IP filtering settings.
Remember that the default behavior of your IoT Wireless Access Point is to not filter any outbound traffic. It will be easiest to limit all but a few specific ports from within pfSense. Log-in, and navigate to the 'Firewall' menu, then to 'Aliases'. Create the appropriate aliases under the 'IP' section for the IP addresses of your IoT WAP (and guest WAP if necessary) and entries of where your IoT "phone home".
Next, create the rule(s) for the traffic that is coming from the "Internet of Things" Wireless Access Point to your DMZ interface of the firewall. Here I am only allowing HTTPS (TCP port 443) to come from my "IoT_IP" "WAN" address when it authenticates to the DMZ interface, and that traffic is only allowed to go to the "Honeywell" addresses in the "Honeywell" alias. Save your changes.
On the modem, under the 'Security' menu item we will select 'Outgoing IP Filtering'. You would have a range of 'Source IP address(scope)' that includes all of the other possible LAN IP addresses with the exception of your IoT device. In this example, my Honeywell thermostat would be on a reserved address of 192.168.100.6 (which is the last usable address of that subnet). We are limiting only the IoT device to be a source of HTTPS requests (other possible devices on IP addresses of that LAN would have that port blocked).
We had also used the ability to filter our wireless by MAC address, but there is even a way to limit a DHCP address from being assigned to a system wired to the modem unless it is plugged into a particular port. In this scenario, you are occasionally maintaining the IoT WAP, and plugging into a specific port with your system set to obtain an IP address automatically (via DHCP). You do want security (you could turn off DHCP for all of the wired ports if the IoT WAP was in an unsecured area, and require yourself to set an obscure IP address in order to access the WAP), but don't make things overly hard for yourself.
This is under the primary 'LAN' settings, then click on the 'DHCP Advance Setup' button. Notice that the "eth3" entry is removed since we are using it for our "WAN" connection. "wl0" is for the wireless network, and the entries below it are the optional "guest" wireless networks that should never be enabled. I will only receive an IP address from the modem if I plug into the first Ethernet port.
Hopefully this series has been helpful in setting up an isolated IoT network. I like the VisionNet M505N modems for re-purposing them as Wireless Access Points because they have so many useful features to their configuration. Please stay tuned as we continue with other topics.