Is there a reason you split IoT stuff off of the guest network?
On my network we just have a guest network which denies LAN access to anything connected to it, but I'm wondering if there's a good reason to split IoT off entirely.
I guess it depends on what kind of friends you have, but assuming IoT devices are insecure rubbish, I wouldn't want them on the same network as guests. But then again you might want to turn on client isolation for the guest network, so that wouldn't really be an issue.
Client isolation means the clients on the network can't reach each other. This would prevent them from attacking each other or your insecure IoT devices. Otherwise your friends will backdoor your security camera. ;-)
I want my guests to be able to cast to my TV, add songs to the Spotify queue, etc. As far as I can tell, these sorts of features work via broadcast frames and thus require the relevant devices to be on the same subnet.
Things like my printer and wifi-connected grill live on a much more restrictive VLAN. (with some firewall rules to allow devices on the trusted network to still print to my printer's hard-coded IP address)
You can do it on some routers (e.g. OPNsense) that let you retransmit that (e.g. with UDP broadcast relay). The main downside is that you have to set it up for each type, and open ports, troubleshoot a lot, waste many hours, etc.
I used to do this but it became too much of a hassle.
I have a separate VLAN for things like security cameras with perhaps-dodgy firmware, and a firewall rule that drops connections that devices on that VLAN try to establish. They have no business connecting anywhere, when I want to see what they see I'll ask them.
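An added example (not posted by anyone in the thread) of the two firewall patterns described above as an nftables ruleset: a trusted VLAN that is allowed to reach a printer's fixed address on a restricted IoT VLAN, and a camera VLAN whose devices may answer connections from the trusted side but may never initiate any. Interface names, subnets, the printer address and the ports are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed layout:
#   vlan10  trusted LAN          10.0.10.0/24
#   vlan20  restricted IoT VLAN  10.0.20.0/24   (printer at 10.0.20.50, assumed)
#   vlan30  camera VLAN          10.0.30.0/24   (no egress at all)
#   wan0    upstream link

flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to flows that were allowed when they started. This rule
        # must come before the per-VLAN drops, otherwise the cameras could
        # never answer the trusted client that asked for their stream.
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN: out to the internet, to the printer's hard-coded
        # address on IPP (631) and raw (9100) only, and into the camera VLAN
        # so a trusted host can open the camera UIs when it wants to.
        iifname "vlan10" oifname "wan0" accept
        iifname "vlan10" ip daddr 10.0.20.50 tcp dport { 631, 9100 } accept
        iifname "vlan10" oifname "vlan30" accept

        # Restricted IoT VLAN: may phone home (cloud-dependent devices) but
        # may not initiate anything towards the other VLANs.
        iifname "vlan20" oifname "wan0" accept

        # Camera VLAN: every new flow the cameras try to open is dropped,
        # regardless of destination. "counter" makes the attempts visible
        # in "nft list ruleset", which is useful when a camera starts
        # calling home after a firmware update.
        iifname "vlan30" counter drop

        # Anything not matched above hits the chain policy: drop.
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # The router still has to hand out addresses on the isolated VLANs.
        iifname { "vlan20", "vlan30" } udp dport 67 accept

        # DNS from the router only for the restricted IoT VLAN; the camera
        # VLAN gets none, since it is not supposed to resolve anything.
        iifname "vlan20" udp dport 53 accept
        iifname "vlan20" tcp dport 53 accept

        # Trusted LAN may manage the router itself.
        iifname "vlan10" accept
    }
}
```

Two things to keep in mind with this shape: the `established,related` rule is what lets a camera answer a trusted client, so it also lets a compromised camera push data back inside that same conversation, which is why the camera VLAN rule uses `counter` and why the drop rather than `reject` avoids telling the device anything about the firewall. Client isolation between devices on the same VLAN (the point raised earlier about guests attacking each other) is not something a forward chain can do; that is an access-point or switch feature, since that traffic never reaches the router.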
There's a simple reason (among many) that I segment IoT from Guest: I change my Guest SSID password regularly but don't wish to do the same for my IoT segments (plural, because one has WAN access and the other doesn't).
For anyone wondering, the frequent changes to guest wifi password are offset by the fact that I make the password easily available to guests in the form of an NFC tap.
That makes sense. In my case, I don't have a lot of IoT, but what I do have is entirely cloud based—if there's no phoning home then there's no point to having the device.