Excelllent. I added a feature request for it: https://redmine.pfsense.org/issues/14050

There are two Netgate devices that have a port marked 'LAN4'. In the 2100 that is part of the switch that is connected to the LAN interface by default and no additional config is required to use it.
In the 6100 that is a discrete NIC and not enabled by default. There you would have to enable the interface and set a firewall rule on it at a minimum to use it.

Steve

Yes you could use pools in one subnet and filter them differently using aliases but you can't filter traffic between the clients on one subnet that way. Traffic would just go between them directly without passing through pfSense. Only one interface.
Really you need to use VLANs in there to separate the traffic at layer 2.

Steve

@virgiliomi Thanks. That's a really helpful answer. I appreciate it.

The interface used by the firewall to originate this OpenVPN client connection
so typically this would be WAN.
In my case for some Sites it is not directly WAN but some Gateway Group containing different WANs.
I've never thought about switching it to any internal Interface like LAN or OPT...why did you do that? Just leave it as default.

-Rico