Unfortunately, ASUS doesn't make it easy to properly support an IOT network. You're forced to use a guest network, which isn't ideal. For one thing, it doesn't provide wired support. And intranet access is an all-or-nothing choice; there's no granularity. Even the isolation it provides is NOT complete; what few people realize is that only TCP and ICMP (except for the router) are blocked; UDP and any other protocols are fair game. And at least on my RT-AC68U, guest #1 doesn't provide any isolation at all! Due to the mess ASUS made of guest networks to support AiMesh, it denies me access to guest #1 unless I have intranet access enabled.
Frankly, even within the definition of IOT (which is pretty loosely defined as it is), there are different sub-classifications of IOT. For example, there are devices that need absolutely NO access from any other local networks. But there are other devices that might occasionally need it (e.g., a smart TV w/ Chromecast). In this latter case, you still want to be able to "reach out" to that device for casting purposes. That's why a "one size fits all" solution based on the ASUS definition of a guest network is inadequate (at least for me).
To put it bluntly, the firmware was simply never designed to handle guest networks except exactly as ASUS defines them. And any other usage tends to come up short in important ways. It's one of the reasons I do NOT use ASUS OEM/Merlin for my primary router (I use it for other purposes, and for my other customers, but just not for me as my primary router). I use either FT (FreshTomato) or DD-WRT (but like any third-party firmware, they have their own advantages and disadvantages). These allow me to create additional networks (wired and/or wireless) to meet my own specific requirements.
Given all that, and assuming you want/need to stick w/ Merlin, I suggest using a secondary router daisy-chained behind the primary router, one which supports FT. The rationale for that suggestion is explained (by me) in the following link.
First: My apologies if this has already been discussed. I honestly searched the threads. Like many, I created a guest network for all of my iot devices, with the access intranet disabled. However, I'm wondering if this is more trouble than it's worth. Several of my iot devices need to...
www.snbforums.com
It's a good compromise between maintaining what you have and otherwise like, while still being able to *properly* configure your IOT network(s) to meet your specific requirements.