Firewall separation inside same SSID

Dear OpenWrt users,

I would like to create a LAN, Guest, IoT network separation on the same SSID. Is it possible? I guess based on the MAC address I could make the separation. Could you help me with this? Are there any guides which do the same?

Thank you!

The easy (and only reasonable) answer is no, you can't.

All devices sharing the same ESSID are inside a single L2 network; Ethernet is a p2p network and every peer can talk to any peer within the same broadcast domain.

The sensible solution would be not giving untrusted devices access to the main network/ESSID, but to segregate networks and route between them (with your desired firewall policies).

Yes, there are more complex answers available for a subset of environments, but those are rarely sensible.


You can create VLANs for each subnet, then create 3 SSIDs with the same name and attach a different VLAN to each with its own password. When you connect, just use the password you set for each network, e.g. guest, and the devices will connect to its respective network. Just forget the network from the device if you want to switch networks.
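The post above describes three same-name SSIDs, each bound to its own VLAN/network with its own passphrase. The block below is an added example, not code from the thread or from the OpenWrt project: a small Python checker that parses UCI-style `wireless` and `firewall` text and reports the two mistakes that silently defeat this setup (two APs sharing a passphrase, and a firewall forwarding that lets an untrusted zone into `lan`). The sample configs and all keys are constructed placeholders; the `isolate` check is an extra, opinionated rule assumed here (AP isolation for the non-trusted SSIDs), not something the post requires.

```python
"""Check an OpenWrt UCI wireless + firewall config for same-name-SSID segmentation."""
import shlex
from collections import defaultdict

# Constructed sample (not from any real router): three APs with the same SSID,
# each bound to its own network, and a firewall that only lets each zone reach wan.
GOOD_WIRELESS = """
config wifi-iface 'ap_lan'
    option device 'radio0'
    option mode 'ap'
    option ssid 'Home'
    option network 'lan'
    option encryption 'psk2'
    option key 'PLACEHOLDER-lan-key'

config wifi-iface 'ap_guest'
    option device 'radio0'
    option mode 'ap'
    option ssid 'Home'
    option network 'guest'
    option encryption 'psk2'
    option key 'PLACEHOLDER-guest-key'
    option isolate '1'

config wifi-iface 'ap_iot'
    option device 'radio0'
    option mode 'ap'
    option ssid 'Home'
    option network 'iot'
    option encryption 'psk2'
    option key 'PLACEHOLDER-iot-key'
    option isolate '1'
"""

GOOD_FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'guest'
    list network 'guest'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'iot'
    list network 'iot'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'guest'
    option dest 'wan'

config forwarding
    option src 'iot'
    option dest 'wan'
"""

# Same config with two constructed mistakes: the IoT AP reuses the LAN passphrase
# (so hostapd cannot tell the two apart), and a forwarding lets guest reach lan.
BAD_WIRELESS = GOOD_WIRELESS.replace("PLACEHOLDER-iot-key", "PLACEHOLDER-lan-key")
BAD_FIREWALL = GOOD_FIREWALL + """
config forwarding
    option src 'guest'
    option dest 'lan'
"""


def parse_uci(text):
    """Parse UCI syntax into a list of (section_type, {option: value, listopt: [values]})."""
    sections = []
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip(), comments=True)
        if not tokens:
            continue
        kind, rest = tokens[0], tokens[1:]
        if kind == "config":
            sections.append((rest[0], {}))
        elif kind == "option" and sections:
            sections[-1][1][rest[0]] = rest[1] if len(rest) > 1 else ""
        elif kind == "list" and sections:
            cur = sections[-1][1].get(rest[0])
            vals = cur if isinstance(cur, list) else ([cur] if cur else [])
            vals.append(rest[1] if len(rest) > 1 else "")
            sections[-1][1][rest[0]] = vals
    return sections


def check_segmentation(wireless_text, firewall_text, trusted_network="lan"):
    """Return human-readable findings; an empty list means the separation holds up."""
    findings = []
    wireless = parse_uci(wireless_text)
    firewall = parse_uci(firewall_text)

    # 1. APs sharing an SSID must each sit on their own network with their own PSK.
    by_ssid = defaultdict(list)
    for kind, opts in wireless:
        if kind == "wifi-iface" and opts.get("mode") == "ap":
            by_ssid[opts.get("ssid")].append(opts)
    for ssid, ifaces in by_ssid.items():
        if len(ifaces) < 2:
            continue
        networks = [i.get("network") for i in ifaces]
        keys = [i.get("key") for i in ifaces]
        if len(set(networks)) != len(networks):
            findings.append(f"SSID {ssid!r}: two APs attach to the same network")
        if len(set(keys)) != len(keys):
            findings.append(f"SSID {ssid!r}: two APs share a passphrase, so they cannot be told apart")
        for i in ifaces:  # assumed rule: untrusted SSIDs get client isolation
            if i.get("network") != trusted_network and i.get("isolate") != "1":
                findings.append(f"SSID {ssid!r}: AP on {i.get('network')!r} lacks client isolation")

    # 2. No zone holding an untrusted network may forward into the trusted zone.
    zone_of = {}
    for kind, opts in firewall:
        if kind == "zone":
            nets = opts.get("network", [])
            for n in nets if isinstance(nets, list) else [nets]:
                zone_of[n] = opts["name"]
    trusted_zone = zone_of.get(trusted_network)
    for kind, opts in firewall:
        if kind == "forwarding" and opts.get("dest") == trusted_zone and opts.get("src") != trusted_zone:
            findings.append(f"firewall: zone {opts['src']!r} may forward into {trusted_zone!r}")
    return findings


if __name__ == "__main__":
    print("good:", check_segmentation(GOOD_WIRELESS, GOOD_FIREWALL))
    print("bad: ", check_segmentation(BAD_WIRELESS, BAD_FIREWALL))
```

Run it against the text of `/etc/config/wireless` and `/etc/config/firewall` from a router (read both files and pass them to `check_segmentation`); the good sample returns no findings, the bad one reports the shared passphrase and the guest-to-lan forwarding. The passphrase check is the important one for this design: hostapd picks the BSS by which PSK the client authenticates with, so two same-name APs with identical keys give no separation at all.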

There are multiple ways to kind of solve your problem, but as slh pointed out, they will neither be elegant nor a whole lot stable.

I had the same problem where multiple ESSIDs were not an option, so I dabbled with various options starting from dynamic VLANs with RADIUS to PPSKs with config files. Eventually I settled on PPSK with RADIUS. This allows me to move devices across VLANs through the RADIUS auth file without having to modify Wi-Fi configurations on the device itself.

If you could share your requirements, perhaps I can share a couple of configs and how-tos suiting your particular requirements.

Thank you for your answers! To be honest, creating an IoT SSID is not a problem, but for the LAN... I am afraid of the following use case: if someone comes over, I am sure my wife will share our LAN SSID with password. Maybe I should create a separate LAN for my wife... :)

Or make a guest and/or IoT network and put some QR codes around the house so that your wife and your guests can easily scan and join.