Help configuring limited access LAN for IoT devices

I'm using an Archer C7 as my primary home router/gateway, and would like to set up a separate VLAN or similar for some IoT devices (security cameras, Chromecast audio devices, etc.). My main requirement is that I would like regular wired/wireless LAN clients (like my laptop or home media server) to be able to reach those devices, but I don't want those devices to be able to reach any arbitrary client on my LAN, nor do I want those clients to be able to reach the Internet.

My initial approach was to add a new interface (called NO_INET), bridge it to my LAN interface but not my WAN interface (using the "bridge across multiple adapters" option so I can hook the wired and wireless adapters), and then make a new NO_INET firewall zone forwarded to the LAN with INPUT/OUTPUT/FORWARD all set to yes (figuring this would let the IoT devices reach my regular LAN devices, but I'd figure out how to fix that later). Instead, what seemed to happen is that all of my local LAN traffic got routed into that interface, and because that interface had no WAN connection, the internet stopped working in the house.

I've since reverted that setup but have been left scratching my head about the best way to go about this. Any suggestions/advice would be appreciated. Thanks!

Roughly (haven't tried it) it should work like this in LuCI:

You need to create a new network interface "IoT".

In the "physical settings" of that IoT network interface, your IoT VLAN port must be checkmarked under "interface". (But don't checkmark your regular LAN switch here.)

Then you need to put that "IoT" network interface into a new firewall zone "IoTzone".

Then you would add firewall forward rules between the "LAN" zone and the newly created "IoTzone":

  • You might want your LAN zone devices to initiate connections; then in the "General settings" of your LAN firewall zone under "Inter-Zone forwarding", you would checkmark "Allow forward to destination zone: IoTzone".
  • If you also want your IoT devices to initiate connections to devices in the LAN zone, then add the same vice versa in "General settings" of your IoT zone -> LAN zone.

I think then you still need a firewall "traffic rule", something like "any port, any IP" in "IoTzone" to "any port, any IP" in "LAN" zone and vice versa (depending on your needs).

Edit: and your IoT network interface probably needs DHCP configured, and you need to use a different subnet config for this DHCP. If e.g. your LAN uses /, then your IoT needs e.g. to use /
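
The zone layout discussed in this thread, written as OpenWrt UCI config for the case in the question: LAN clients may open connections to IoT devices, while IoT devices get no Internet and cannot open connections to the LAN. This is an added example, not part of the original posts; the VLAN device `eth1.3`, the `192.168.3.0/24` subnet and the zone name `iot` are constructed assumptions, and older releases use `option ifname` where this uses `option device`.

```uci
# /etc/config/network
# Separate routed interface, NOT bridged into br-lan.
# 'eth1.3' is an assumed VLAN device; use the one your switch config provides.
config interface 'iot'
	option proto 'static'
	option device 'eth1.3'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp
# Hand out leases on the IoT subnet (constructed range).
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall
# input REJECT: IoT devices cannot reach services on the router itself.
# forward REJECT: nothing leaves the zone unless a forwarding section allows it.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# LAN may initiate connections into the IoT zone; replies are allowed
# back by connection tracking.
config forwarding
	option src 'lan'
	option dest 'iot'

# Deliberately absent: forwarding iot -> wan (no Internet)
# and forwarding iot -> lan (no IoT-initiated access to LAN clients).

# With input REJECT, DHCP requests to the router must be allowed explicitly.
config rule
	option name 'Allow-IoT-DHCP'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'
```

If the IoT devices should resolve names through the router, a second rule of the same shape for port 53 (tcp and udp) is needed; reload with `/etc/init.d/network restart` and `/etc/init.d/firewall restart`.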