
This is why I have two separate SSIDs, one goes to my 'trusted' VLAN of home devices that have access to the rest of the network - the other goes to an 'untrusted' VLAN that has access to NOTHING except to pfSense for routing (and any access to the pfSense admin page is blocked from that interface since it's only bound to the other VLAN).

MY stuff (desktops, cell phones, laptops, game consoles) goes on the first, everything else goes on the second (guest devices, appliances that are less than trustworthy and have no reason to touch the rest of my network, etc).




I've been pondering this recently.

Does your setup (easily) allow for things like untrusted IoT powerpoints/lights on the untrusted network to be controlled by their regular apps running on a phone hooked to the trusted network?

I haven't quite worked out a simple-but-correct solution for that at my place yet.

I have come up with a concept of "any device whose software I'm not actively updating and managing for security shouldn't be on the same network as my backup NAS". That includes not just IoT crap, but my original (can't upgrade past iOS5) iPad, my printer, my 3D printer's Windows machine, most of my Raspberry Pis, and friends and family's phones/tablets/laptops...


I do have access from my trusted network to the untrusted one, but not the other way around (ACLs on my switch prevent the untrusted VLAN from accessing anything but my pfSense router for internet access). Regardless of this, however, they are separate broadcast domains, so if I can't just punch in an IP address to access it I won't be able to use it (and this excludes a lot of proprietary "Smart" devices that rely on mDNS+DNS-SD or TCP/UDP broadcast for discovery without any option for direct IP connection).

If I ever bought into the "Connected" / "Smart" home (and I probably will, it would be really nice to open my garage from my phone and have lights automatically turn on, monitor the thermostat remotely, etc) I will probably invest in standards-compliant devices that use Zigbee or Z-Wave and set up OpenHAB - all of these proprietary "Smart" devices just seem dumb when you have to rely on external services like IFTTT to integrate them, really defeats the whole purpose and I don't like being locked into specific brands / ecosystems when semi-open standards exist.


> Does your setup (easily) allow for things like untrusted IoT powerpoints/lights on the untrusted network to be controlled by their regular apps running on a phone hooked to the trusted network?

Sure, if the control uses direct IP connections it's just a matter of adding some routes - if using broadcast UDP, not so much.
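The policy the two comments above describe (untrusted VLAN reaches only the router for internet access, the admin page is unreachable from that side, the trusted VLAN may initiate connections into the untrusted one but not vice versa), written out as an nftables ruleset. This is an added example, not any commenter's configuration and not pfSense's own rule format; the interface names (vlan10, vlan20, wan0) and the admin ports are assumptions.

```nftables
# Added example. Assumed layout: vlan10 = trusted VLAN, vlan20 = untrusted VLAN,
# wan0 = upstream. The router itself is the only host the untrusted side may talk to.
table inet home {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Untrusted VLAN: only DHCP and DNS on the router, nothing else.
        iifname "vlan20" udp dport { 53, 67 } accept
        iifname "vlan20" tcp dport 53 accept

        # Trusted VLAN: same services plus the admin UI (assumed ports 22 and 443).
        iifname "vlan10" udp dport { 53, 67 } accept
        iifname "vlan10" tcp dport { 22, 53, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections the trusted side opened come back through here,
        # so "trusted can reach untrusted, not the other way round" needs this
        # stateful accept rather than any extra route.
        ct state established,related accept
        ct state invalid drop

        # Trusted may initiate anywhere: the untrusted VLAN or the internet.
        iifname "vlan10" accept

        # Untrusted may only initiate towards the internet, never into vlan10.
        iifname "vlan20" oifname "wan0" accept
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

Discovery that relies on mDNS or subnet broadcast still fails across the two VLANs, exactly as the comment says; this ruleset only covers control via a direct IP connection.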


Similar. My open ‘guest’ SSID is layer-2 switched to the upstream modem only. (I suppose it's possible that the modem could be compromised and send frames back to the LAN, but I see no evidence of that.)



