I keep my IoT stuff to a minimum and only run ones that can operate locally (mostly Tasmota-based smart bulbs and outlets), but they still get a dedicated virtual AP/SSID with station isolation enabled. That SSID is tied to a locked-down VLAN with no outside access or DNS.
The only thing that they can reach from that VLAN is the MQTT server which links them to HomeAssistant.