Keeping IoT devices on a separate network is a good security practice, as it limits their access to your main LAN and reduces the risk of lateral movement if one of them is compromised. Below is a simple example of how to achieve this using OpenWRT and VLANs.
I am using OpenWRT, so the setup is fairly simple.
First, I created a VLAN with ID 100 on the switch, carried tagged on CPU port 0 and untagged on port 2, as the `ports` line below shows (port numbering on your OpenWRT device may vary):
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 2'
	option vid '100'
	option description 'IoT'
Next, I created a bridge and an interface for that VLAN (eth1.100):
config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth1.100'
	option bridge_empty '1'
	option ipv6 '0'

# No 'gateway' option here: the router's default route comes from the wan
# interface, and a gateway outside 192.168.100.0/24 would not be reachable
# from this interface anyway.
config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.100.255'
Then, I created a firewall zone configuration for the IoT interface:
config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config forwarding
	option src 'iot'
	option dest 'wan'
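With `input 'ACCEPT'`, the IoT devices are cut off from the LAN but can still reach every service on the router itself (SSH, LuCI, and so on). The variant below, an added example rather than the original post's config, tightens that to just the two services the devices actually need from the router, DHCP and DNS, and logs whatever the zone rejects so probing devices show up in `logread`. The rule names are assumed; pick your own.

```uci
# /etc/config/firewall: hardened IoT zone (added example, not the post's config)
config zone
	option name 'iot'
	option input 'REJECT'        # router services are closed to IoT by default
	option output 'ACCEPT'
	option forward 'REJECT'      # no IoT <-> LAN traffic, as in the original post
	option log '1'               # log rejected/dropped packets from this zone
	option log_limit '10/minute' # keep a chatty device from flooding the log
	list network 'iot'

config forwarding
	option src 'iot'
	option dest 'wan'

# Punch exactly two holes toward the router: DHCP (udp/67) and DNS (tcp+udp/53).
config rule
	option name 'Allow-IoT-DHCP'   # assumed rule name
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-IoT-DNS'    # assumed rule name
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

Apply it with `/etc/init.d/firewall reload`, then confirm from an IoT client that it still gets a lease and resolves names but no longer reaches the router's SSH or web UI.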
After that, I added a DHCP configuration for the IoT interface so IoT devices can automatically obtain an IP address:
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'
Finally, I created a wireless network to be used by IoT devices:
config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'IoT'
	option encryption 'psk2'
	option key 'MyStrongPasswordHere'
	option network 'iot'
That's all. Now my IoT devices are isolated on their own VLAN. They cannot access my regular network devices, and vice versa.