Move IoT Network on second (dumb?) AP

Hey guys,

I think my problem should be one of the more discussed in this forum but I can't find a fix for it.

My current setup is an Archer C2 v3 and I have already set up an IoT network with a WiFi network using a custom interface with firewall rules. It seems to work fine. Well, kind of, because I run a second 2.4 GHz network on the same WiFi adapter and I think some of my devices (on both WiFis) sometimes drop out of connection because of this (please correct me on this if you think this is not a problem!).

As I recently got my hands on a spare WiFi router I could use (Archer C50 v1), I thought I might move the IoT network AP to this device. It is connected to LAN 4 of the main router.
Basically, everything I want to achieve is:

  • Normal network with my Home Assistant/MQTT Broker/... controlling my IoT devices is on
  • every connection on the second router (LAN or Wifi doesn't matter) is moved to the IoT-Interface group and gets an IP in Range of
  • Devices from the IoT range do not get access to WAN nor to the default subnet, with the exception of one IP

As I already said, the interface, firewall rules and exception are already configured.

Here is what I thought I should do now (but it didn't work):

  • add a VLAN entry on the main router with "tagged" on eth0 and "untagged" on LAN 4
  • in the IoT interface add the VLAN (eth0.3) as device
  • follow this tutorial for a dumb AP for the secondary router. All IPs are substituted with 172.16.0.x for me

I tried some minor modifications on both routers.
In many cases my secondary router does not get any IP when I just put the Ethernet cable from the main router into one of its LAN ports.
When not disabling the WAN interfaces and using the WAN port, it gets an IP, but I can't ping my Home Assistant from the IoT subnet, even when explicitly allowing all traffic from LAN to WAN and WAN to LAN in the firewall settings.

I currently don't know what to do anymore. It shouldn't be that hard, right?
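As an added illustration (not from this thread or the linked tutorial), here is the shape of the two UCI configurations the three-step plan above describes: VLAN 3 tagged to the CPU and untagged on LAN 4 on the main router, and the secondary router as a dumb AP with no routing, DHCP or VLAN of its own. The swconfig port numbers, the 172.16.0.0/24 addresses and the OpenWrt 21.02-style `config device` syntax are assumptions; check `swconfig dev switch0 show` for the real port mapping before applying anything.

```uci
# --- Main router (Archer C2 v3, swconfig): /etc/config/network ---
# Assumption: CPU port is 0 and the physical LAN 4 socket is switch port 4.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1 2 3'      # default LAN; port 4 is removed here so it is
	                             # not untagged in two VLANs at once
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 4'          # VLAN 3: tagged to the CPU (eth0.3), untagged on LAN 4

config interface 'iot'
	option device 'eth0.3'       # the existing IoT interface now rides on the VLAN
	option proto 'static'
	option ipaddr '172.16.0.1'   # assumed IoT gateway address
	option netmask '255.255.255.0'

# --- Secondary router (Archer C50 v1) as dumb AP: /etc/config/network ---
# The cable from LAN 4 arrives untagged, so the AP needs no VLAN of its own;
# its switch ports and its radio are all bridged into 'lan'.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'          # the switch VLAN that contains the cabled LAN ports

config interface 'lan'
	option device 'br-lan'
	option proto 'static'        # a static address avoids depending on a DHCP lease
	option ipaddr '172.16.0.2'   # assumed, inside the IoT range, outside the DHCP pool
	option netmask '255.255.255.0'
	option gateway '172.16.0.1'
	option dns '172.16.0.1'

config interface 'wan'
	option proto 'none'          # WAN is unused on the dumb AP; keep it unconfigured

# --- Secondary router: /etc/config/dhcp ---
config dhcp 'lan'
	option interface 'lan'
	option ignore '1'            # only the main router's dnsmasq hands out IoT leases

# --- Secondary router: /etc/config/wireless (radio section omitted) ---
config wifi-iface 'iot_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'lan'         # clients land in br-lan and thus in VLAN 3 upstream
	option ssid 'IoT'            # assumed SSID
	option encryption 'psk2'
	option key 'CHANGE-ME'       # placeholder
```

With this layout the inter-zone policy (IoT to LAN blocked except for the one allowed IP, no WAN) stays entirely on the main router's firewall; the dumb AP's own firewall and dnsmasq can be disabled as the tutorial suggests.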

There isn't really a yes-or-no answer to this question.

That behaviour should not happen (but obviously could, in practice: bad driver/firmware/hardware).

In theory, in a perfect environment (no interference, no neighbours), using a dedicated radio (respectively an additional AP) for the IoT network would be the best solution, just to retain full speed for the main network, to keep low-speed devices from hogging the frequencies.

In practice, considering that most IoT devices come with (lowest-end) 1x1 802.11n 2.4 GHz radios and taking your environment (your neighbours and their APs) into account, combined with the problem that there are only three independent channels available in the 2.4 GHz band, "wasting" frequencies for a dedicated IoT network might be more harmful than sharing the main 2.4 GHz radio for both purposes (after all, devices that want performance should prefer your 5 GHz AP anyways).

That is usually following best practices, keeping the policy decisions (inter-zone firewalling) to the main router and keeping the dedicated APs rather 'dumb', just following the lead of the main router.

Problem is, it isn't working.
But it seems like it should work, right? Then maybe I will just try it again.
Thanks for the kind explanation!