Hi - I've been using a 7800N for some years but want to improve general network security by isolating guest and IoT ('Internet of Things') devices from my NAS and home PCs. It looks like I'm going to have to ditch my 7800N in favour of either a 7800DXL or 8900AXL-2400 (faster wifi is the primary attraction of the latter). I have a NAS, various desktops, printer and media client Rasp Pis (all wired on one physical network). I also have a separate wired network of ethernet-connected TVs, PS3 and DVD player (wired 'IoT' network). On wifi, I have various tablets, phones etc. and we also have visitors, of course.
I would like to be able to implement the following:
1) Permit any device on the main (NAS-containing) wired network to have access to the internet and to be able to talk to each other and any device on the main home wifi network (so I can stream films to a tablet, for example).
2) Permit any device on the wired 'IoT' network to talk to the internet but not to any device on the main network or on any of the wifi networks.
3) Permit guests and wireless 'IoT' devices to access the internet via a guest wifi SSID but not to have any access to a device on the main wifi network or either of the wired networks.
I think most of the above is possible via VLANs (at least the wired parts) but I'm a little confused by the concept of 'virtual' SSIDs, i.e. I know you can have multiple SSIDs with client isolation and different log-on credentials, but is it possible to have (for example) one of the 2.4GHz SSIDs isolated (for guests and IoT) whilst being able to stream films to a home-based tablet from the NAS?
I've had a quick trawl through the forum and can't seem to find anything definitive (please bear in mind that I can follow instructions but don't necessarily understand the technical detail!)
Could someone please advise whether the above is feasible using an 8900AXL and/or the 7800DXL? Many thanks.
Guest WiFi, 'IoT' devices and VLANs
Re: Guest WiFi, 'IoT' devices and VLANs
You should be able to do everything you need using the Group Isolation function, including isolating ports from each other and also isolating guest wifi networks from each other.
All devices that want to talk to each other must be on the same port, or guest wifi network (once isolated).
Example for a guest wifi network (it is the same for the LAN port isolation, you just need to create a new rule):
1. Click on Interface Grouping
2. Click on 'Add'
3. Enter a 'Group Name', e.g. guest
4. Under 'Available LAN Interfaces' select your 'Guest Network' and click on the arrow pointing left, so the guest wifi network should now be added to 'Grouped LAN Interfaces'
5. Click on 'Apply'
6. Under 'Group Isolation' tick the box and click on 'Apply'
7. Click on 'LAN >> Ethernet'
8. Under 'Group Name' select your guest wifi group; for this example I used 'guest'
9. Tick 'LAN Side Firewall' and click on 'Apply' (with this option enabled, anyone connected to the guest wifi network will not be able to access the router's web GUI; they can only access the internet)
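A check to run from a device joined to the guest wifi once step 9 is applied, added here as an example and not part of the original post or the router's own tooling: it confirms the router's web GUI and a main-network host are unreachable while the internet still works. The addresses and ports in EXPECTED are constructed placeholders to replace with your own.

```python
import socket

# Constructed sample policy for a client on the isolated guest group.
# Replace the private addresses with your router and NAS (assumed values).
EXPECTED = [
    # (label, host, port, should_connect)
    ("router web GUI", "192.168.1.254", 80, False),
    ("NAS file share on main network", "192.168.1.10", 445, False),
    ("internet (public DNS over TCP)", "1.1.1.1", 53, True),
]


def tcp_probe(host, port, timeout=3.0):
    """Return True if any TCP reply comes back from host:port.

    A refused connection still counts as reachable: the reset shows that
    packets crossed the isolation boundary. A firewall that rejects with a
    reset looks the same, so confirm such a result by hand.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        return True
    except OSError:  # timeout, no route, network unreachable
        return False


def audit(expected=EXPECTED, probe=tcp_probe):
    """Return the entries whose observed reachability contradicts the policy."""
    findings = []
    for label, host, port, should_connect in expected:
        reachable = probe(host, port)
        if reachable != should_connect:
            kind = "LEAK" if reachable else "BLOCKED"
            findings.append((kind, label, host, port))
    return findings


if __name__ == "__main__":
    problems = audit()
    for kind, label, host, port in problems:
        print(f"{kind}: {label} {host}:{port}")
    print("isolation OK" if not problems else f"{len(problems)} problem(s)")
```

Running the same script from a device on the main network with the False entries flipped to True checks that streaming from the NAS still works.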
Re: Guest WiFi, 'IoT' devices and VLANs
Many thanks!