Separated network for smarthome/IoT devices - Is a little modified Guest network enough?


MightyDuck

New Around Here
Hi there! :)

I have an Asus RT-AC68U which has Asuswrt-Merlin on it, and have some IoT devices (LED strip controller, air conditioner, etc., Amazon Echo, Harmony Hub, all connected via 2.4GHz wifi) and computers/NAS/smartphones (connected via ethernet and 5GHz wifi), and now I will install an access point (Netgear WAC124) instead of my non-smart switch.
What would be the easiest way to make my network a little more secure?

The smarthome devices need to see the internet and each other, but they mustn't see the main devices.

The computers need to access the internet, each other AND should see the smarthome devices (to keep their apps working on local network).

I have a developer background, I love my IT, but iptables is just outside my knowledge. :/
I've looked around here and there and found two ideas.
  • Try it with the guest network (which is basically a pre-set-up VLAN to my understanding), but I'm not sure if they can see each other AND the main devices can see them too. Maybe it would need just an additional iptables rule
  • Manually set up 2 VLANs (and leave the guest channel to the real guests)
(Half of the ethernet-connected devices are connected directly to the router, the others to the switch/AP, so double NAT wouldn't be viable since the NAS only connects to the router, and rewiring is not an option.)
Since I'm not familiar with iptables, the second idea would fit my knowledge better, but I would need some help with that too. If only the first option fits the requirements, then I would need a little more help. :(

Thanks for any advice!

Some things are not very clear for me:

- How will a computer see IoT devices but the IoT devices won't see the computer? If they need to communicate, use some local running apps, etc., the communication should be going both ways, no? Dedicate one computer for IoT only and connect it to the same Guest Network with no access to your main devices. Let them do their IoT thing isolated from your main network.

- You are concerned about security, but forgetting about your privacy. Someone not your relative in China (for example) knows and keeps logs (possibly) of when you use your lights, A/C, smart plugs, etc., in other words when you are home and what you are approximately doing. You even voluntarily installed an Amazon microphone inside your home, listening 24/7 to your conversations.
 
Some things are not very clear for me:

- How will a computer see IoT devices but the IoT devices won't see the computer? If they need to communicate, use some local running apps, etc., the communication should be going both ways, no? Dedicate one computer for IoT only and connect it to the same Guest Network with no access to your main devices. Let them do their IoT thing isolated from your main network.

In firewalls (ip-ep/tables) you can set up which side can start new connections. So I can control them, but they can't start new connections.
And since almost all IoT devices can be controlled from a smartphone, a single IoT-dedicated computer won't do any good, since if my smartphone is on the IoT network, I can't see my own devices.
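The "which side can start new connections" idea from the post above, written out as an iptables forwarding rule set. This is an added example, not code from the thread or from the Asuswrt-Merlin project: the interface names (br0 for the main LAN, br1 for the IoT VLAN/SSID), the chain name IOT_FWD and the firewall-start location are assumptions for illustration. The script prints the rules by default (IPT=echo) so it can be reviewed before being applied as root with IPT=iptables.

```shell
#!/bin/sh
# Added example (not from the thread): stateful forwarding between a main LAN
# bridge and an IoT bridge. Interface names, chain name and the script location
# (/jffs/scripts/firewall-start on an Asuswrt-Merlin router) are assumptions.
# IPT defaults to "echo" so the rules are only printed; set IPT=iptables to apply.
IPT="${IPT:-echo}"
LAN_IF="${LAN_IF:-br0}"     # assumed: bridge holding computers, NAS, smartphones
IOT_IF="${IOT_IF:-br1}"     # assumed: bridge holding the IoT VLAN / SSID
CHAIN="${CHAIN:-IOT_FWD}"   # assumed: custom chain name

iot_rules() {
    # Create the chain if missing, then start from an empty chain (echo mode never fails).
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN"
    # Packets belonging to a connection that already exists pass in both directions.
    # This is what lets an IoT device answer a phone or computer that reached out first.
    $IPT -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The main LAN may open new connections towards the IoT segment (apps -> devices).
    $IPT -A "$CHAIN" -i "$LAN_IF" -o "$IOT_IF" -j ACCEPT
    # The IoT segment may not open anything towards the main LAN.
    $IPT -A "$CHAIN" -i "$IOT_IF" -o "$LAN_IF" -j DROP
    # Hook the chain into FORWARD only for traffic between the two bridges;
    # IoT -> internet traffic never enters it and keeps the router's existing policy.
    $IPT -I FORWARD 1 -i "$LAN_IF" -o "$IOT_IF" -j "$CHAIN"
    $IPT -I FORWARD 1 -i "$IOT_IF" -o "$LAN_IF" -j "$CHAIN"
}

iot_rules
```

The ESTABLISHED,RELATED rule must come before the DROP, otherwise replies from the IoT side to connections the main LAN opened would be discarded. Note that these rules only govern routed traffic: apps that find their devices through broadcast or mDNS discovery will not see across the two segments regardless, because broadcasts are not forwarded between them.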