Hi folks, I've had a new air conditioning controller installed, an Airtouch 4. Turns out it's just a little tablet running Android 6.0 - truly an example of the old phrase, "the S in IoT stands for Security" :D It connects to wifi and offers remote control (both on the local network and over the internet).

So I'm thinking what I want to do is isolate it on its own vlan that has no outgoing access to the rest of my network, but still has external internet access and inbound access from the LAN so the phone apps still work to control it.

I've got a Mikrotik 951G-2HnD running RouterOS 6.49.2, with LAN (NBN HFC) hanging off port 1, a single Unifi wireless AP hanging off port 2 (the 951G's wireless is turned off), and other stuff off ports 3, 4, & 5 (other switches, a NAS, etc). It's all on a single network; the 951G runs DHCP for 10.1.1.0/24 on the bridge interface, there's a basic firewall configured, and IPv6 is enabled and running.

So I assume what I need to do is some kind of vlan config to separate traffic, and some routing and firewall config, but I really am not sure how to achieve it. Maybe something like:

- Create 2 new vlans, one for the unrestricted devices and one that I'll use for isolated devices
- Add both vlans to all ports? The Unifi AP can do vlan tagging by the looks, so I could create a separate wireless network for the restricted vlan as well. (Or maybe the easier way would be to turn the 951G's wireless back on purely for this restricted access, take the Unifi AP out of the picture)
- Create a new DHCP range for the restricted vlan (can I decide which dhcp range will respond based on the vlan tag?)
- Create a new firewall config to prevent the restricted vlan from communicating to the unrestricted vlan?
- Routing config of some kind?

I'm not much of a networker, so any help would be much appreciated.

- Ben
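The isolation described in the post, as an added RouterOS 6 example (not Ben's config, and not an official MikroTik snippet): one tagged VLAN for the restricted devices on the existing bridge, a DHCP server bound to that VLAN interface (which is what makes the tag decide the range), and forward/input rules so the LAN can reach the controller but the controller cannot initiate anything toward the LAN or the router. Assumed names and values: the bridge is called `bridge`, the AP is on `ether2`, the restricted VLAN is ID 20 with subnet 10.1.20.0/24, and the existing LAN stays untagged on 10.1.1.0/24.

```routeros
# Assumptions: bridge named "bridge", Unifi AP on ether2, restricted VLAN id 20.
# Run from a console in Safe Mode (Ctrl+X) so a mistake rolls back.

# 1. Layer-3 interface for the restricted VLAN, hanging off the bridge.
/interface vlan
add interface=bridge name=vlan20-iot vlan-id=20

# 2. Bridge VLAN table: VLAN 20 is tagged toward the AP and toward the
#    router itself (the bridge must be a tagged member for vlan20-iot to work).
#    Existing LAN traffic stays untagged on pvid 1 on every port.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=20

# 3. Addressing and DHCP. Binding the server to vlan20-iot means only
#    frames tagged 20 get a 10.1.20.x lease; untagged clients keep 10.1.1.x.
/ip address
add address=10.1.20.1/24 interface=vlan20-iot
/ip pool
add name=pool-iot ranges=10.1.20.100-10.1.20.199
/ip dhcp-server
add address-pool=pool-iot interface=vlan20-iot name=dhcp-iot disabled=no
/ip dhcp-server network
add address=10.1.20.0/24 gateway=10.1.20.1 dns-server=10.1.20.1

# 4. Firewall. These must sit ABOVE any broad "accept from LAN" rule,
#    so check /ip firewall filter print and use place-before if needed.
/ip firewall filter
# Replies to connections the LAN opened (phone app -> controller) are allowed.
add chain=forward action=accept connection-state=established,related \
    comment="iot: allow return traffic"
# The controller may not start connections to the trusted LAN.
add chain=forward action=drop in-interface=vlan20-iot dst-address=10.1.1.0/24 \
    comment="iot: block new connections to LAN"
# Anything else from VLAN 20 (internet-bound) is left to the existing rules.
# Toward the router itself, only DHCP and DNS are needed.
add chain=input action=accept in-interface=vlan20-iot protocol=udp dst-port=53,67 \
    comment="iot: dns+dhcp to router"
add chain=input action=drop in-interface=vlan20-iot \
    comment="iot: no other access to router"

# 5. Turn on filtering last, once the VLAN table above is in place;
#    enabling it earlier can cut off the management session.
/interface bridge
set bridge vlan-filtering=yes
```

Because IPv6 is enabled on this router, matching `/ipv6 firewall filter` rules for `vlan20-iot` are needed as well, or the controller can reach the LAN over IPv6 while the IPv4 rules above appear to isolate it.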