IoT SSID for Chromecast and Canon MG6600?

So I was wanting to know how to configure an IOT "guest" network to isolate/firewall off IoT devices. Right now I only have a regular Chromecast hooked via Ethernet to my router, and a Canon MG6600. I'm not as worried about the Chromecast because it seems like it gets regular enough updates, but the MG6600 hasn't had an update for years and could have who knows what vulnerabilities.

Network is very simple:

Cable modem (no router)
TP-Link Archer C7v2
         | ------wifi MG6600
         | ------Chromecast ethernet
         | ------Wifi laptop 1
         | ------Wifi laptop 2
         | ------Wifi laptop 3
         | ------Wife's Android phone (Samsung S9)
         | ------My iPhone 12
         | ------Wifi iPad

Now I'm used to corporate networking where isolation is done using VLANs,but since it's all in the same device I don't really need it I think provided the firewall blocks it.

Ideas of how to do this:

  1. Separate SSID guest like network called "iot" that Canon and Chromecast connect to.
  2. Just create specific static IPs for Chromecast and Canon and create individual firewall rules
  3. Separate SSID on separate subnet.
  4. ???
  5. Profilt (sorry couldn't help myself)

Why am I doing this? Simple. Security. I don't trust both devices because they don't get regular updates (especially the printer), and I don't print enough to justify a newer printer.

I tried doing a separate VLAN/firewall rule using several threads and guest network guide, but it gets confusing. Eventually I got to where I firewalled myself from the Internet and router (SSH AND web interface were connection refused) and the wife wasn't happy either.

I am used to Linux but suck at iptables and honestly the GUI on OpenWRT is more comfortable for me. Also, it seems like the Chromecast requires some fancy protocol handling. Also, I'm thinking keeping all devices in same subnet (default because then I can print from my iPhone for example.

There isn't a clear guide that makes sense, and a requirement is getting printing/Chromecast to work, but not allowing those devices to see anything else in the network.

Thank you in advance

Hopefully this is ok, but bump? Even if you don't know how to get Chromecast/printer working, if you have successfully gotten the IoT network working ok I'd be curious to hear your thoughts.

It's not really clear what you're trying to do. To isolate the printer from the internet but still keep it available on the LAN, the only completely secure approach is a VLAN and routed access. But you'd probably be fine just putting in a firewall rule to block it. I'd just use its mac address, then you don't need to worry where it gets its IP from. Yes, mac spoofing is certainly a possibility, but it's a risk-balancing thing, if you're that worried, we're back to VLAN, and you've got some routing fun in front of you, possibly including having to configure and troubleshoot an mdns repeater.

Bear in mind if you run the Canon printer application suite on your PC/Mac, then it's all for nought anyway because that too is a trojan by definition, it'll span your firewall on behalf of the printer and happily update your Canon's firmware, doing nasty things like disabling third party cartridges, etc.

As for the Chromecast, you can either use it OR secure it: pick one. By design it wants total visibility to the devices which cast to it as well as pretty much untrammeled access to the internet. Don't like it, don't buy one. I have one, I've got it in a DMZ vlan, but it's one of the models that has Android TV and that's how I use it; I don't actually cast to it.

Thanks for the reply. I'm not sure if I want to block internet access or not, but let's say someone develops a hack that can exploit my printer, and right now they have free access to my network. Maybe a firewall to the internet makes sense and may do the same thing.

Maybe I'll do a firewall rule for the printer and forget the IoT network until I get more IoT devices, then those things can have their own subnet.