I don't know yet how useful this forum will be, but I'm submitting this question here because you did a nice piece expanding on Steve Gibson's three-router security solution at

https://www.pcper.com/reviews/Genera...IOT-Insecurity

I get that any malicious device that gains access to the LAN can listen to everything that goes by via the Ethernet protocol. I presume, however, that this device cannot communicate beyond the LAN unless it has a valid LAN IP address. I see two ways that this might be made more difficult:

1) One might limit the address range of the LAN (through the router's DHCP page) and then assign all available IP addresses to MAC addresses via DHCP reservations. Does this actually work (assuming that the interloper doesn't spoof its MAC addresses to match one of the existing allowed devices), or can an interloper simply duplicate the IP address of a permitted (active and/or detached) device and communicate over that?

2) One might set up MAC address filtering to prevent any but listed devices from obtaining IP addresses (assuming that they don't spoof their MAC addresses to match one of the existing allowed devices). Does this work?

2a) Corollary to (2): I assume that the MAC address filter does not prevent the interloper from gaining access to the Ethernet, hence listening to the traffic, but only prevents assignment of an IP address. Correct, or is it more effective than that?

Any information or references would be much appreciated! -- jclarkw