VLANs are great. Unfortunately, I've got an unmanaged 12-port PoE+ switch that doesn't support them. My workaround is to put two subnets on the same physical LAN, and my DHCP server (pihole) has an IP address on each subnet.
My (openWRT) router also has IPs on both subnets, and routes both LANs to the WAN. Restricting/throttling WAN bandwidth is easily managed in OpenWRT. Preventing WAN access is easily done by not providing a gateway in the DHCP assignment (pihole).
Obviously the big difference between this and a VLAN is that an ill-behaved device could still access the other subnet, and could still discover the gateway and route to the WAN. So far, none of the IoT crap on my restricted subnet has misbehaved.
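An added example of how the gap described above can be narrowed on the router side (this is not the commenter's configuration; the subnet addresses are placeholders). Because both subnets sit on the same bridge device, OpenWRT zones cannot tell them apart by interface, so the rules match on source address instead. They go in /etc/config/firewall and cover the two routed paths an IoT device could find on its own: the WAN through the router, and the trusted subnet through the router.

```uci
# Assumed layout (placeholders, not from the thread):
#   trusted subnet  192.168.10.0/24  on br-lan
#   IoT subnet      192.168.20.0/24  also on br-lan (second address on the same device)
# pihole hands out leases for both; the IoT pool gets no gateway option.

# Even if an IoT device discovers the router's 192.168.20.x address and
# sets it as a default route, the router refuses to forward it to WAN.
config rule
	option name 'Reject-IoT-to-WAN'
	option src 'lan'
	option src_ip '192.168.20.0/24'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'

# Same idea for traffic an IoT device routes via the router to the trusted subnet.
config rule
	option name 'Reject-IoT-to-Trusted'
	option src 'lan'
	option src_ip '192.168.20.0/24'
	option dest 'lan'
	option dest_ip '192.168.10.0/24'
	option proto 'all'
	option target 'REJECT'

# Keep DNS/DHCP to pihole reachable: pihole's IoT-side address is assumed to be
# 192.168.20.2 here, and that traffic is local to the segment, so it never hits
# the forward chain these rules live in and needs no exception.
```

Apply with `/etc/init.d/firewall restart` and confirm the rules landed with `fw4 print` (firewall4) or `nft list ruleset`. The important caveat stays: these rules only see packets the device sends *through* the router. A device that simply assigns itself a 192.168.10.x address talks to trusted hosts at layer 2 on the shared segment and never touches the router, which is exactly the isolation only a VLAN-capable switch (or per-port isolation) can enforce.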
Just my opinion but don't you want to patch that hole with a better switch? Or put it downstream of a switch that does enforce vlans? Most likely your iot devices don't really need anything more than 10-100 megabit connections anyway?
The switch I'm using is behind a panel in my garage, which is not climate controlled. Temperatures range from freezing to over 100F throughout the year. It's a fanless POE+ switch and it's doing a great job otherwise. I've replaced the switch with a different model a few times over the past five years, but this one has held up well for over three years. I'm open to suggestions for a reliable (managed or unmanaged) fanless POE+ switch that can handle this environment. Ideally, I'd like one that can do 10Gbps. The present switch is 1Gbps. Money is a secondary consideration.
I claim no expertise here, sorry. Best I can do is defer to Serve The Home; they have reviews of switches that include whether it's managed, actively cooled, throughput, etc.
Thanks for the tip. Serve The Home is a good site that I came across for the first time just a few weeks ago. For the past five years or so I've been unhappy with the poor availability of 10GbE in SOHO products. It appears to finally be happening, but has not yet trickled into the mainstream.