Unknown MAC forced to Captive Portal

I am running IPFire on an ATOM D510 as my core router and firewall.

I also have 2 SOHO routers with stock firmware (linksys r6400, tp-link Archer A7) that are configured in AP mode and acting as a L2 switch for wired devices.

Every known and trusted device on my network has static DHCP Lease entries and some of these devices are wired to the different AP’s

I am considering enabling “Guest Mode” WiFi on the AP’s. I have both configured to isolate the Guest AP devices from my trusted network (each device provided an AP created /30 network iirc)

Is it possible to only direct Unknown MAC address traffic to the captive portal while leaving the trusted MACs (from static DHCP) untouched?

If there is a better process for this I am open to suggestions.

I am also considering OpenWRT firmware on both routers and working with VLAN’s and directing traffic that way if it seems to be the only solution.

Thank you.