Hi guys,
I am new to the Mikrotik world and I want to achieve the following:
I want to have a split on the wifi for the different IoTs that I have; I also own two smart home devices, Alexa and Google Assistant.
Until now I had a basic router and only one network, everything was simple and insecure.
I would like to group the different IoTs by "manufacturer", each "manufacturer" as one VLAN, about 6 VLANs, and on the 7th VLAN to have the Alexa and Google Assistant. Each IoT VLAN should be able to communicate with Alexa and Google Assistant, but will not be able to communicate with any other VLAN (IoT or home VLAN).
All these VLANs for IoTs and Assistants should be on one and only one SSID. Each VLAN, I suppose, should have its own DHCP server and pool.
Can I do this? If so, could someone point me to a tutorial or write down some advice on the best practices for this?
Note: I have tried to use a guest network, but on a guest network the client isolation will cut the Assistant communication to the IoTs. Remember, all of them are on wifi, and only one SSID for all of this. The assignment of the IPs I see to be like this:
a new client is connected - it is assigned automatically to a Guest Network (8th VLAN on the same SSID and physical interface in my example), then manually I move it to the DHCP server and assign it a static IP in the DHCP leases.
The only problem that I might see is when a client will automatically have a dynamic MAC address that cannot be set to the device's default MAC address.
What I want to fulfil with this:
1. IoT isolation by the same kind of IoTs; break the IoT-to-IoT communication and the mix of possible junk on the same environment. You may see this as similar to "Cameras should not be on the same network/VLAN as any other IoT" / "Garage door should not be on the same network as my printer" due to possible security issues
2. Assistant communication to each IoT, no matter what kind
3. Main home network to be isolated from the IoTs but able to access the Assistant only. On the same network as the Assistant I see as well the printer or other devices shared with users - some policy restrictions may be applied here using the firewall rules.
BR
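The layout asked for above (one SSID, per-manufacturer IoT VLANs with their own DHCP servers, an Assistant VLAN reachable from every IoT VLAN and from Home, nothing else crossing VLANs) can be expressed as a RouterOS configuration. The block below is an added example written for this reply, not the original poster's configuration and not from any Mikrotik document; it assumes the legacy wireless package, a radio called wlan1 carrying the single SSID, ether1 as WAN, and the VLAN numbers, subnets and MAC addresses shown, which are all made up for the example. Only two IoT VLANs are written out; the remaining ones repeat the vlan10 pattern.

```routeros
# Constructed VLAN plan: 10 = IoT vendor A, 20 = IoT vendor B, 70 = Assistants, 80 = Home, 90 = Guest (new clients).
# Per-client VLAN placement below matches on the client MAC, so it assumes each device presents a stable
# (non-randomised) MAC on this SSID; a device using a "private"/randomised address will land in the catch-all VLAN.

/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
add bridge=bridge interface=wlan1

# One routed VLAN interface per VLAN, each with its own address, pool and DHCP server.
/interface vlan
add name=vlan10-iot-a interface=bridge vlan-id=10
add name=vlan20-iot-b interface=bridge vlan-id=20
add name=vlan70-assist interface=bridge vlan-id=70
add name=vlan80-home interface=bridge vlan-id=80
add name=vlan90-guest interface=bridge vlan-id=90

/ip address
add address=192.168.10.1/24 interface=vlan10-iot-a
add address=192.168.20.1/24 interface=vlan20-iot-b
add address=192.168.70.1/24 interface=vlan70-assist
add address=192.168.80.1/24 interface=vlan80-home
add address=192.168.90.1/24 interface=vlan90-guest

/ip pool
add name=pool10 ranges=192.168.10.100-192.168.10.199
add name=pool20 ranges=192.168.20.100-192.168.20.199
add name=pool70 ranges=192.168.70.100-192.168.70.199
add name=pool80 ranges=192.168.80.100-192.168.80.199
add name=pool90 ranges=192.168.90.100-192.168.90.199

/ip dhcp-server
add name=dhcp10 interface=vlan10-iot-a address-pool=pool10 lease-time=1d
add name=dhcp20 interface=vlan20-iot-b address-pool=pool20 lease-time=1d
add name=dhcp70 interface=vlan70-assist address-pool=pool70 lease-time=1d
add name=dhcp80 interface=vlan80-home address-pool=pool80 lease-time=1d
add name=dhcp90 interface=vlan90-guest address-pool=pool90 lease-time=1h
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.70.0/24 gateway=192.168.70.1 dns-server=192.168.70.1
add address=192.168.80.0/24 gateway=192.168.80.1 dns-server=192.168.80.1
add address=192.168.90.0/24 gateway=192.168.90.1 dns-server=192.168.90.1

# The radio emits tagged frames for each client (see access-list), so wlan1 and the bridge itself
# are tagged members of every VLAN. Filtering is switched on only after the table is complete.
/interface bridge vlan
add bridge=bridge tagged=bridge,wlan1 vlan-ids=10,20,70,80,90
/interface bridge set bridge vlan-filtering=yes

# Single SSID, per-client VLAN: explicit MAC entries first, a catch-all last that drops
# every unknown client into the Guest VLAN until it is moved by adding an entry above it.
/interface wireless access-list
add interface=wlan1 mac-address=AA:BB:CC:00:00:01 vlan-mode=use-tag vlan-id=10 comment="vendor A bulb"
add interface=wlan1 mac-address=AA:BB:CC:00:00:02 vlan-mode=use-tag vlan-id=20 comment="vendor B camera"
add interface=wlan1 mac-address=AA:BB:CC:00:00:03 vlan-mode=use-tag vlan-id=70 comment="Echo"
add interface=wlan1 mac-address=AA:BB:CC:00:00:04 vlan-mode=use-tag vlan-id=80 comment="laptop"
add interface=wlan1 vlan-mode=use-tag vlan-id=90 comment="catch-all: unknown clients -> Guest"

# Interface lists keep the firewall policy short: add every IoT VLAN to the IoT list as it is created.
/interface list
add name=IoT
add name=Assist
add name=Home
add name=Guest
/interface list member
add list=IoT interface=vlan10-iot-a
add list=IoT interface=vlan20-iot-b
add list=Assist interface=vlan70-assist
add list=Home interface=vlan80-home
add list=Guest interface=vlan90-guest

# Router services: IoT/Assist/Guest may only use DHCP and DNS on the router; Home keeps management access.
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=Home
add chain=input action=accept in-interface-list=IoT,Assist,Guest protocol=udp dst-port=53,67 comment="DNS + DHCP only"
add chain=input action=drop in-interface-list=IoT,Assist,Guest

# Forwarding policy: the only permitted cross-VLAN paths are IoT<->Assist and Home->Assist;
# IoT VLAN to IoT VLAN and anything to Home falls through to the final drop.
add chain=forward action=accept connection-state=established,related comment="return traffic"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=IoT out-interface-list=Assist comment="IoT -> assistants"
add chain=forward action=accept in-interface-list=Assist out-interface-list=IoT comment="assistants -> IoT"
add chain=forward action=accept in-interface-list=Home out-interface-list=Assist comment="home -> assistants/printer"
add chain=forward action=accept in-interface-list=IoT,Assist,Home,Guest out-interface=ether1 comment="internet"
add chain=forward action=drop comment="everything else, including IoT VLAN <-> IoT VLAN"
```

Two caveats worth checking before relying on this. First, the per-MAC access-list only isolates devices whose MAC never changes, which is the randomised-MAC concern raised in the post; phones with "private address" enabled will keep landing in the Guest VLAN. Second, assistants usually find devices with link-local discovery (mDNS, SSDP), which a router does not forward between VLANs, so the allow rules above permit the unicast traffic but discovery across VLANs may still need a multicast/mDNS relay or the device's cloud path; test each manufacturer's app after moving its devices.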