Have you looked here? https://openwrt.org/docs/guide-user/network/vlan/switch_configuration
what you will need to do is create a new VLAN, say VLAN 3, put one of your ports into that VLAN untagged, put your CPU port into the same VLAN tagged. then create a new interface called iot using eth0.3 as the physical interface.
put the iot network into a different firewall zone. allow forwarding from lan to iot but not vice versa.
if you need more info, post the network config