I think you might be making this more complicated than it needs to be.
Your pfSense firewall has multiple ports, put them to good use. You probably already have pfSense interfaces labeled as WAN and LAN, create another pfSense interface named IoT and hang all your IoT devices off that (dedicated switch or just a VLAN on existing switch, doesn’t really matter)
For bonus points,if you still have another free port on the pfSense firewall, this might be a good time for a DMZ interface as well.
This option does consume a few more Ethernet ports than the “firewall on a stick” method that uses VLAN trunking, but is a bit simpler to manage for homelabbers that are not networking experts.
Now you have “just another interface” on your existing pfSense firewall, so you can assign firewall rules to the IoT network, doing stuff like blocking outgoing connections to the internet, while still allowing connections initiated from the LAN to reach the IoT network.
Ansible is often used for heterogeneous network automation and control for large environments, but for homelab-sized environments, it might be more effort to maintain than just SSHing into your handful of devices.
https://docs.ansible.com/ansible/latest/network/index.html