Just had a play with this and posted a pull request for a few code tidy/fix-ups - @marcelloc, have a look.
1) I assume that all wireless is secured by good passwords/keys - so only authorised users connect to your wireless, and that all your authorised users (on wireless and cabled) have hardware and network configs that are under your control (or you really do trust them not to hack) - e.g. they are all getting DHCP from your pfSense and maybe are even given static IPs based on their MAC address.
Now, if someone carries in a box of their own, plugs it onto your network (attaches a cable to a spare wall socket...) then they can make their box be any MAC address and any IP address. The DHCP server will never get asked for an address.
If they just pick an unused IP address in your subnet, then ipguard will make life hell for them.
If they try to pretend to be one of your devices by just setting their IP to match one of yours then ipguard will also give them hell - but they might also cause some annoyance to the real device until they are tracked down and removed.
If they set their MAC address and IP address to match your real device, then nothing on an ordinary switched LAN can tell the difference.
To fix that, you need managed switches that know which MAC address is allowed to be on the end of each port. And obviously physically secure the ports of things you care about - otherwise someone walks into an unattended office, unplugs some critical device, plugs in their own and imitates it. Yes - in places that want high security, this is done for every switch port, unused ones are disabled, and every time someone moves a device to another room they have to patch it through to the same switch port or get the switch config changed.
In the end, you have to first have physical security.
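The cases walked through in the post above, as an added example (not part of the original post and not ipguard's code): a MAC/IP pair check on its own, next to the same check combined with a per-port MAC binding of the kind a managed switch enforces. The allow-list, port names, addresses and function names are all constructed for illustration.

```python
# Added illustration, not ipguard's code. All addresses and port names are constructed.
ALLOWED = {  # IP -> MAC pairs the administrator has authorised
    "192.168.1.10": "02:00:00:00:00:10",
    "192.168.1.20": "02:00:00:00:00:20",
}
PORT_BINDINGS = {  # managed-switch view: MAC -> the only port it may appear on
    "02:00:00:00:00:10": "sw1/3",
    "02:00:00:00:00:20": "sw1/7",
}

def check_pair(ip, mac):
    """What a MAC/IP pair check can conclude from one ARP sighting."""
    mac = mac.lower()
    expected = ALLOWED.get(ip)
    if expected is None:
        return "violation: IP not in allow-list"
    if expected != mac:
        return "violation: listed IP claimed by wrong MAC"
    return "ok"

def check_with_port(ip, mac, port):
    """Same check, plus the per-port MAC binding a managed switch enforces."""
    verdict = check_pair(ip, mac)
    if verdict != "ok":
        return verdict
    if PORT_BINDINGS.get(mac.lower()) != port:
        return "violation: known MAC on wrong switch port"
    return "ok"

SIGHTINGS = [  # constructed (ip, mac, port) observations
    ("192.168.1.10", "02:00:00:00:00:10", "sw1/3"),   # real device
    ("192.168.1.99", "02:00:00:00:00:99", "sw1/12"),  # unused IP, own MAC
    ("192.168.1.20", "02:00:00:00:00:99", "sw1/12"),  # listed IP, own MAC
    ("192.168.1.20", "02:00:00:00:00:20", "sw1/12"),  # IP and MAC both copied
]

def report():
    """Return (pair-only verdict, pair-plus-port verdict) for each sighting."""
    return [(check_pair(ip, mac), check_with_port(ip, mac, port))
            for ip, mac, port in SIGHTINGS]

if __name__ == "__main__":
    for row, (pair, port) in zip(SIGHTINGS, report()):
        print(row, "| pair check:", pair, "| with port binding:", port)
```

The last sighting passes the pair check and is only caught once the switch port is taken into account, which is the gap the post describes.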