There are three ways to do this in total:
- (easiest) Create a unique SSID for the IoT devices. That SSID will be associated with an IoT network interface that allows internet access but not access to your main trusted lan.
- (medium difficulty) Set up a single SSID with different passphrases for each network. The password used will determine the VLAN to which the device is connected. Read up on that here.
- (most difficult, serious overkill for home): Set up a RADIUS server and use 802.1X authentication to direct devices to their respective VLANs.
You can follow the guest wifi guide which implements essentially the same thing in terms of an isolated network. This particular guide deals only with wifi -- do you have any IoT devices that need ethernet connectivity and/or multiple APs that need to broadcast the IoT SSID?
If you want to isolate wifi clients from each other, you can do this by adding `option isolate '1'` in the wifi interface stanza. This works on a single radio, but it won't entirely isolate everything if you have the IoT network spread across multiple wifi radios/APs and/or ethernet.
You can create firewall rules that allow/deny a list of devices (by MAC address or IP address). Depending on the granularity you need, the number of devices, and the details of your goal here, you can set this up in several different ways, including a unique VLAN just for IoT devices that should have access and another that does not allow internet access.
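As an added example (not part of the reply above, and not taken from any OpenWrt guide), here is what the "easiest" option looks like as OpenWrt UCI config, combined with the client-isolation option and the per-device firewall rules discussed above. The interface name `iot`, the 192.168.20.0/24 subnet, `radio0`, the LAN hub at 192.168.1.10 and the two MAC addresses are all assumptions chosen for illustration; replace them with your own. The IoT network is wifi-only (an empty bridge with no ethernet ports), so it matches the wifi-only scope of the thread.

```uci
# /etc/config/network  (assumed names: interface 'iot', bridge 'br-iot')
# An empty bridge: only the IoT SSID attaches to it, no ethernet ports.
config device
	option name 'br-iot'
	option type 'bridge'

config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/wireless  (assumes the 2.4 GHz radio is 'radio0')
config wifi-iface 'wifinet_iot'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	option ssid 'IoT'
	option encryption 'psk2'
	option key 'REPLACE-WITH-A-LONG-PASSPHRASE'
	# Client isolation: stops IoT clients on THIS radio talking to each
	# other. It does nothing across a second radio, another AP or ethernet.
	option isolate '1'

# /etc/config/firewall
# Zone defaults: IoT devices may reach the router only for what we allow
# below (input REJECT) and may not be forwarded anywhere by default
# (forward REJECT). The explicit forwarding to 'wan' is the only exit.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'iot'
	option dest 'wan'

# The router still has to hand out leases and answer DNS for the zone.
config rule
	option name 'Allow-DHCP-IoT'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-IoT'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# Per-device deny: one camera (assumed MAC) gets no internet at all.
# Rules are evaluated before the zone forwarding above, so this wins.
config rule
	option name 'Block-Camera-Internet'
	option src 'iot'
	option src_mac '00:11:22:33:44:55'
	option dest 'wan'
	option target 'REJECT'

# Per-device allow: one hub (assumed MAC) may reach a single LAN host
# (assumed 192.168.1.10) while every other IoT device stays off the LAN.
config rule
	option name 'Allow-Hub-To-LAN-Host'
	option src 'iot'
	option src_mac 'AA:BB:CC:DD:EE:FF'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option target 'ACCEPT'
```

After editing, apply with `/etc/init.d/network restart`, `wifi reload` and `/etc/init.d/firewall restart`, then verify from an IoT client that it can reach the internet, cannot reach 192.168.1.1 or another LAN host, and cannot ping another client on the same SSID. Two caveats worth knowing: `src_mac` matching only works because the router sees the client's frames directly on `br-iot`, so it will not match traffic that arrives through another router, and MAC addresses are trivially spoofable, so treat these rules as convenience controls for your own devices rather than as a security boundary against a hostile one.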