Securing IoT network including Home Assistant server

Hi everybody. First of all, as I usually do, I present myself as a person who completely lacks knowledge and experience in IT/networking topics. Nonetheless, I'm very curious and want to save money by doing things on my own.
My network's topology is as follows:
Internet is provided through a FRITZ Box 7590 router (192.168.1.x).
Attached to the router, I have:

  • a power line that spreads the network throughout my home;
  • a TADO internet bridge;
  • a TL-SG108E switch (with 2 NAS and one printer attached to it).

In another room (through a power line), I have a second TL-SG108E to which I connected 2 TVs and a TP-LINK Archer C7.
The latter, running OpenWrt 21.02.2, is acting as a dumb AP with my "personal" 2.4 and 5 GHz wireless networks plus a 2.4 GHz wireless guest network (192.168.2.x), created following this guide: Guest Wi-Fi on a dumb wireless AP using LuCI.
Now, I bought a second-hand HP t620 on which I installed Home Assistant and that I attached directly to the Archer C7 (LAN port 2).
What I'm trying to do now is to create another subnet (e.g. 192.168.y.x), on a dedicated VLAN, to which I'd like to connect the TADO internet bridge, the Home Assistant server and the other IoT wireless devices.
Searching the forum and Google, I found several topics, but the most interesting, in my opinion, seemed to be this one: Help requestet for setting up IoT VLAN.
What I understood is that I can create a new network interface, linked both to a dedicated VLAN and to another dedicated Wi-Fi network for IoT devices, so that I can reach my HA server, TADO bridge and IoT devices from the 192.168.1.x subnet; all the devices on the 192.168.y.x subnet can talk to each other, but none of them can reach any other subnet.

Finally (and sorry if I bothered you with such a long explanation), my questions are:

  1. Did I understand correctly that this could be a good solution?
  2. I can understand the concept of the suggestions found in the above-named topic (post #6 by dlakelan) but, unfortunately, I really don't know how to actually do it through LuCI, so can you help me make these settings?
  3. Do you suggest alternative and more effective solutions to reach the same goals?

Consider that I also have an old TD-W8970, with OpenWrt 19.07, on which I can do some tests.


Hello everybody. Can anyone help me by explaining how to set up the firewall zones and related rules?
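As an added example (not from the original poster or the linked topic), here is what the interface, DHCP, Wi-Fi and firewall-zone part of that design looks like in OpenWrt's UCI files, which is what LuCI writes underneath. It assumes the Archer C7 routes the IoT subnet itself, the 21.02 swconfig switch syntax, "3" as a placeholder for the "y" in 192.168.y.x, LAN port 2 as switch port 2, and a radio named radio1; check those names against your own /etc/config files first.

```uci
# /etc/config/network  (switch port numbers are assumptions)
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0t 2'        # CPU tagged; LAN port 2 (the HA box) untagged on VLAN 3

config interface 'iot'
	option proto 'static'
	option device 'eth0.3'
	option ipaddr '192.168.3.1'   # placeholder for 192.168.y.1
	option netmask '255.255.255.0'

# /etc/config/dhcp
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/wireless  (radio name is an assumption)
config wifi-iface 'iot_wifi'
	option device 'radio1'
	option mode 'ap'
	option network 'iot'
	option ssid 'IoT'
	option encryption 'psk2'
	option key 'CHANGE-ME'

# /etc/config/firewall
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'     # IoT devices may not reach the router itself...
	option output 'ACCEPT'
	option forward 'REJECT'   # ...and are not forwarded to any other zone

config forwarding            # lan -> iot only; replies return through connection
	option src 'lan'         # tracking, but iot cannot open connections to lan
	option dest 'iot'

config rule                  # the one exception: DHCP and DNS to the router
	option name 'Allow-IoT-DHCP-DNS'
	option src 'iot'
	list proto 'udp'
	list proto 'tcp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

Because the FRITZ Box is the default gateway for 192.168.1.x, it also needs a static route for 192.168.3.0/24 pointing at the Archer's 192.168.1.x address, otherwise hosts on the main LAN never find the IoT subnet. Nothing here gives the IoT zone internet access; if the TADO bridge needs it, a separate iot -> wan forwarding has to be added deliberately.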