When I plug a device into a LAN ethernet port, it can communicate with other LAN ethernet devices and with wifi clients (even if isolated). I would like my LAN ethernet devices to only be able to communicate with the WAN.
I have 4 LAN ethernet ports. A possible (brute force) solution would be to create 4 new vlans, corresponding to each LAN port. I then create 4 new firewall zones so that each vlan has a separate zone.
Is there a simpler way, possibly just using vlans?
OK...WiFi isolation should work when enabled; but Ethernet isolation may be more of a task. WiFi isolation may be failing if you've somehow accidentally configured a route, mangling, etc. on the WiFi.
On Ethernet, likely not an easier way, VLANs would work.
It looks like I need to create a new interface for each of the vlans, and also create a separate dhcp server for each ethernet port. Is there any way to share one dhcp pool?
Also, interestingly I seem to need to make a "bridge" over my single ethernet port in order for it to work. That does not seem to be needed when creating a new (separate) wifi ssid interface.
If you do go this route, you do not need a bridge here: just add all your wired VLAN interfaces to the same firewall zone and disable forwarding between interfaces in the zone.
The bridge is primarily for LuCI and OpenWrt firewall config. As noted, if you're hand-configuring, it is not needed. netifd does this "magically" when you define and bring up a new SSID (often adding it to an existing bridge).
You do need 4 VLANs, then connect them to the IoT network by software. If you don't have a separate VLAN for each port, the hardware switch will allow them to link to each other.
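Putting the two replies above together (one VLAN per switch port, all four interfaces in a single firewall zone with intra-zone forwarding disabled, forwarding allowed only towards wan), here is what the OpenWrt UCI configuration looks like. This is an added example, not configuration posted in the thread; the switch name `switch0`, the CPU port `6`, the LAN port numbers `1`-`4`, the VLAN ids `11`-`14`, the interface names `lan1`-`lan4` and the `192.168.1x.0/24` subnets are all assumptions and will differ per device (check `swconfig dev switch0 show` for the real port layout). The `config switch` / `switch_vlan` syntax is the swconfig style that matches the "hardware switch" being discussed; DSA-based targets express the same port-to-VLAN mapping with `bridge-vlan` sections instead.

```conf
# /etc/config/network  (example; switch name, ports and subnets are assumptions)
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# One VLAN per physical LAN port, each tagged towards the CPU port only.
# Ports that are not in the same VLAN cannot reach each other in the switch.
config switch_vlan
	option device 'switch0'
	option vlan '11'
	option ports '1 6t'

config switch_vlan
	option device 'switch0'
	option vlan '12'
	option ports '2 6t'

config switch_vlan
	option device 'switch0'
	option vlan '13'
	option ports '3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '14'
	option ports '4 6t'

# Plain L3 interfaces on the tagged sub-devices; no bridge is required.
config interface 'lan1'
	option ifname 'eth0.11'
	option proto 'static'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'

config interface 'lan2'
	option ifname 'eth0.12'
	option proto 'static'
	option ipaddr '192.168.12.1'
	option netmask '255.255.255.0'

config interface 'lan3'
	option ifname 'eth0.13'
	option proto 'static'
	option ipaddr '192.168.13.1'
	option netmask '255.255.255.0'

config interface 'lan4'
	option ifname 'eth0.14'
	option proto 'static'
	option ipaddr '192.168.14.1'
	option netmask '255.255.255.0'

# /etc/config/firewall  (example)
# A single zone for all wired ports. 'forward REJECT' is the zone's
# intra-zone policy: it blocks lan1<->lan2 etc. at the router, so the
# only path out of a port is the explicit forwarding to wan below.
config zone
	option name 'wired'
	list network 'lan1'
	list network 'lan2'
	list network 'lan3'
	list network 'lan4'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'wired'
	option dest 'wan'

# /etc/config/dhcp  (example)
# Each interface is its own subnet, so each gets its own dhcp section.
config dhcp 'lan1'
	option interface 'lan1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'lan2'
	option interface 'lan2'
	option start '100'
	option limit '150'
	option leasetime '12h'
```

Sections for `lan3` and `lan4` follow the same pattern. After `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, verify the isolation rather than assuming it: from a host on port 1 a ping to a host on port 2 should fail while a ping to an Internet address succeeds, and `iptables -L forwarding_wired_rule -v` (or the nftables equivalent on recent releases) should show no accept rule between the wired interfaces. Note that this only isolates the wired ports from each other and from any wifi zone; hosts on the wan side are still reachable, which is the requirement stated in the question.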