How to design a home network for IoT devices?
First you need to break the devices into classes of connectivity:
- Need just a constant "cloud" connection to work properly
- Need no connection except for initial config/updates, need local connection
- Need both a cloud connection and a local connection to work
If you have a class of devices that are truly cloud-based (i.e. they don't use any local traffic; it all must go out to the internet and back), creating an SSID and VLAN that segregates their traffic is a simple measure to make sure that any hostile activity they might be repurposed for is sheltered from high-value targets like your backup server. Putting devices that need some sort of always-on connection in their own class keeps them sidelined if there is some sort of remote compromise of their command and control structure (the cloud).
If you still need local access to some of those devices, say to give your phone just the ability to access port 80 on your TV or your light bulb (if that's how the smart remote works), a stateful firewall rule can enforce that only your phone, and only to that port on the TV, will be allowed. If your TV needs no internet access and only protected local access, this would fall into another category which would need its own SSID; and if you really want it to be able to talk to the internet but to no other devices, and be all by itself, it would need its very own SSID and VLAN, and many of these can be created if needed.
One measure that could also go a long way, if your network is subject to transient devices (i.e. relatives' tablets or laptops dropping by from time to time), is putting just those on a different VLAN, since for example your smart light bulb, unless you purposefully open a port from the internet at large, is of no harm even without a password, as you (hopefully) trust all the other devices on your network to not be under malicious control.
Several inexpensive WiFi/router devices that can be loaded with OpenWRT or DD-WRT can be configured this way. The challenge isn't how to pull all this off, it's how to keep it all working smoothly and not throw up your hands, admitting that it's easier to just live under the spectre of network Armageddon than to unblock a port every time your phone's TV app updates and says your TV firmware is now out of date. If you're like most people, you just harden what you can: automatic or alerted updates on all devices that support it, smart firewall rules with anything like UPnP disabled, and then carry on with your life.
For that purpose I bought a Ubiquiti EdgeRouter X and a UniFi AP AC LITE.
The access point supports up to 4 SSIDs, each mapped to a different VLAN. I have set up a 'main' wireless network and a 'guest' one (which I also use for untrusted devices).
The router allows internet access for every VLAN, but does not allow traffic to cross between VLANs, with the exception that I can connect from the 'main' network to the 'guest', but not the other way around.
I think that this setup is pretty secure and also quite cheap for the performance. I did not even have to touch the CLI. The UniFi controller has to run on a PC only to set up the wireless access points; later they can work without it.
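To make the inter-VLAN policy from the two answers above concrete, here is an added example (not code from either answer, and not tied to any particular router) that models the router's forward path as a small stateful firewall and runs constructed flows through it. It combines the first answer's "only the phone, only to port 80 on the TV" pinhole with the second answer's "every VLAN gets internet, main may initiate to guest, nothing else crosses" policy. The VLAN subnets and the phone/TV addresses are hypothetical values chosen for the example; the reply-tracking mirrors what a real stateful firewall (`ct state established,related` in nftables, or the EdgeRouter's established/related rule) does, so a device on the IoT VLAN can answer the phone but cannot start a connection toward the trusted VLAN.

```python
from dataclasses import dataclass
import ipaddress

# Constructed addressing plan for the three-VLAN layout (hypothetical values).
VLANS = {
    "main": ipaddress.ip_network("192.168.10.0/24"),   # trusted phones, laptops, backup server
    "iot": ipaddress.ip_network("192.168.20.0/24"),    # cloud-only devices: TV, light bulbs
    "guest": ipaddress.ip_network("192.168.30.0/24"),  # transient visitors' devices
}
PHONE = "192.168.10.50"  # hypothetical address of the phone running the TV app
TV = "192.168.20.10"     # hypothetical address of the TV


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Packet":
        """The 5-tuple a reply to this packet would carry."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


def zone(ip: str) -> str:
    """Map an address to its VLAN name; anything outside the plan is the internet ('wan')."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "wan"


class StatefulFirewall:
    """Forward-chain policy for traffic the router routes between zones.

    Traffic inside one VLAN never reaches the router, so only cross-zone flows are modelled.
    """

    def __init__(self) -> None:
        self.conntrack: set[Packet] = set()  # flows that were allowed to start

    def _match_rules(self, pkt: Packet) -> tuple[str, str]:
        src_zone, dst_zone = zone(pkt.src), zone(pkt.dst)
        if src_zone == "wan":
            return "drop", "unsolicited inbound from the internet (no port forwards)"
        if dst_zone == "wan":
            return "accept", f"{src_zone} -> internet"
        if src_zone == "main" and dst_zone == "guest":
            return "accept", "main may initiate to guest, not the other way around"
        if (pkt.src, pkt.dst, pkt.proto, pkt.dport) == (PHONE, TV, "tcp", 80):
            return "accept", "pinhole: phone -> TV tcp/80 only"
        return "drop", f"no rule permits {src_zone} -> {dst_zone}"

    def evaluate(self, pkt: Packet) -> tuple[str, str]:
        # Replies to a flow that was allowed to start are accepted first (established state).
        if pkt.reverse() in self.conntrack:
            return "accept", "established: reply to an allowed flow"
        verdict, reason = self._match_rules(pkt)
        if verdict == "accept":
            self.conntrack.add(pkt)
        return verdict, reason


def run_scenarios() -> dict[str, str]:
    """Push constructed flows through the policy and return the verdict for each."""
    fw = StatefulFirewall()
    flows = {
        "phone_to_tv_80": Packet(PHONE, 51000, TV, 80),
        "tv_reply_to_phone": Packet(TV, 80, PHONE, 51000),          # answer to the flow above
        "laptop_to_tv_22": Packet("192.168.10.20", 51001, TV, 22),  # not the phone, not port 80
        "tv_to_cloud_443": Packet(TV, 51002, "203.0.113.10", 443),  # cloud-only device phoning home
        "tv_to_backup_445": Packet(TV, 51003, "192.168.10.5", 445), # compromised TV probing main
        "main_to_guest_80": Packet("192.168.10.20", 51004, "192.168.30.7", 80),
        "guest_to_main_445": Packet("192.168.30.7", 51005, "192.168.10.5", 445),
        "inbound_from_internet": Packet("198.51.100.9", 40000, TV, 80),
    }
    results = {}
    for name, pkt in flows.items():  # order matters: the reply is evaluated after its request
        verdict, reason = fw.evaluate(pkt)
        results[name] = verdict
        print(f"{name:24s} {verdict:6s} {reason}")
    return results


if __name__ == "__main__":
    run_scenarios()
```

The point of running the flows in order is the stateful part: `tv_reply_to_phone` is accepted only because `phone_to_tv_80` was accepted a moment earlier, while the structurally similar `tv_to_backup_445` is dropped. On a real router the same outcome comes from placing the established/related rule before the zone rules and ending the chain with a default drop.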
Depending on your level of paranoia, you can get an AP that has multiple SSIDs mapped to separate VLANs. Then with a firewall or access lists, you can control what each VLAN has access to. You can probably pick up used commercial devices for not too much money that do what you want.