Add the following to your Pi4 router...
in /etc/config/network

config interface 'iot'
    option device 'eth0.4'
    option proto 'static'
    option ipaddr '10.0.4.1'
    option netmask '255.255.255.0'

in /etc/config/dhcp

config dhcp 'iot'
    option interface 'iot'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'

in /etc/config/firewall

config zone
    option name 'iot'
    list network 'iot'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config rule
    option name 'Allow-iot-DHCP'
    option src 'iot'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'

config rule
    option name 'Allow-iot-DNS'
    option src 'iot'
    option dest_port '53'
    option target 'ACCEPT'

config forwarding
    option src 'iot'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'iot'

The above will allow the iot network to reach the internet, and it will also allow the lan network to connect to the iot, but not vice versa. If you have different goals for your iot network, let's work those out in a separate thread.
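
An added example, not part of the original post: a small Python check, run on a workstation, that parses the firewall sections above and reports which zone pairs may be forwarded and what the router answers to traffic from the iot zone. It is a simplified model of how OpenWrt evaluates these sections and assumes that lan and wan are the stock zones and that no other rule or forwarding accepts traffic between them; the function names are hypothetical.

```python
import shlex
# Firewall sections from the post, embedded so the check runs offline.
FIREWALL = """
config zone
    option name 'iot'
    list network 'iot'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
config rule
    option name 'Allow-iot-DHCP'
    option src 'iot'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'
config rule
    option name 'Allow-iot-DNS'
    option src 'iot'
    option dest_port '53'
    option target 'ACCEPT'
config forwarding
    option src 'iot'
    option dest 'wan'
config forwarding
    option src 'lan'
    option dest 'iot'
"""

def parse(text):  # UCI text -> one dict per 'config' section
    sections = []
    for tok in map(shlex.split, text.splitlines()):
        if tok[:1] == ["config"]:
            sections.append({"type": tok[1]})
        elif tok:  # 'option' or 'list' line
            sections[-1][tok[1]] = tok[2]
    return sections

def forwardings(sections):
    """Zone pairs (src, dest) that a 'config forwarding' section lets through."""
    return {(s["src"], s["dest"]) for s in sections if s["type"] == "forwarding"}

def router_input(sections, zone, proto, port):
    """Verdict for traffic from `zone` addressed to the router itself (simplified)."""
    for s in sections:
        if (s["type"] == "rule" and s.get("src") == zone and "dest" not in s
                and proto in s.get("proto", "tcp udp").split()
                and s.get("dest_port") == str(port)):
            return s["target"]
    return next(s["input"] for s in sections if s["type"] == "zone" and s.get("name") == zone)
```

With this configuration, `forwardings(parse(FIREWALL))` contains iot to wan and lan to iot but not iot to lan, and `router_input` returns ACCEPT only for DHCP (udp/67) and DNS (tcp or udp/53), so the router's SSH and web interface stay closed to iot clients.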