2 networks, but only one has access to the other, not vice versa.

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2023-02-25 19:55:36
Model: OC200  
Hardware Version: V2
Firmware Version: 5.7.6

Hello community, how do I set up 2 networks in Omada (1x IoT and 1x clients) where the IoT network does not have access to the clients network, but each client gets full access to the IoT network?

ER7206 V1 (ER605 V2 - reserve) OC200 V2 SG2428P V5 EAP655-Wall V1 EAP615-Wall V1 EAP610-Outdoor V1 EAP245 V3 EAP225-Outdoor V1 EAP225 V3
Re:2 networks, but only one has access to the other, not vice versa.
2023-02-25 20:39:16

@AngelK

Use Policy Routing.  You don't need the 'reverse' that's only when you want isolation.

<< Paying it forward, one juicy problem at a time... >>
Re:2 networks, but only one has access to the other, not vice versa.
2023-02-25 21:24:24

@d0ugmac1:
There is a lot of guidance on the net on how to set up policy routing in Omada, but it always refers to dual-WAN configurations.
I have only one wan and unfortunately I can't find any instructions for such a scenario.
Do you have a tip on how to set this up exactly?

ER7206 V1 (ER605 V2 - reserve) OC200 V2 SG2428P V5 EAP655-Wall V1 EAP615-Wall V1 EAP610-Outdoor V1 EAP245 V3 EAP225-Outdoor V1 EAP225 V3
Re:2 networks, but only one has access to the other, not vice versa.
2023-02-25 22:10:15

@AngelK

To do what you want, you need a router + switch which are managed (but you have that). So see below: the left side would be the IoT subnet and the right side would be your client network(s). This is a SWITCH ACL...the router ACLs don't seem to work.

[image: block]

<< Paying it forward, one juicy problem at a time... >>
Re:2 networks, but only one has access to the other, not vice versa.
2023-02-26 11:07:31

@d0ugmac1

Thank you very much.
However, there is one problem.
Once I create the switch ACL rule I no longer have access from clients to IoT.
Even if a corresponding rule is created that allows access from clients to IoT and is prioritized before the deny rule (IoT deny clients), it doesn't work because the IoT responses are blocked by the rule.

Another question is also bothering me now: how to edit or delete IP groups created under switch-acl rules?

ER7206 V1 (ER605 V2 - reserve) OC200 V2 SG2428P V5 EAP655-Wall V1 EAP615-Wall V1 EAP610-Outdoor V1 EAP245 V3 EAP225-Outdoor V1 EAP225 V3
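The problem described in the post above (a permit rule for clients to IoT placed ahead of the deny rule still does not help, because the IoT replies hit the deny rule) is exactly what a stateless ACL produces. The following is an added simulation written for this page, not Omada code and not something posted in the thread: it takes the two rules from #3/#4 and evaluates them first per packet with no memory, the way an L3 switch ACL does, and then through a minimal connection-tracking filter. The subnets, hosts, ports and the "no match means permit" default are assumptions made for the example.

```python
"""Why a stateless switch ACL blocks the replies of an allowed session.

Added illustration, not Omada code. Two rules from the thread:
  1. permit  Clients -> IoT
  2. deny    IoT     -> Clients
are applied first per packet (stateless, like an L3 switch ACL) and then by a
minimal connection-tracking filter. Subnets and hosts are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

CLIENT_NET = ip_network("192.168.10.0/24")   # constructed 'clients' VLAN
IOT_NET = ip_network("192.168.40.0/24")      # constructed IoT VLAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False      # True only for the packet that opens a TCP connection


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


RULES = [
    Rule("permit", CLIENT_NET, IOT_NET),   # the 'allow clients -> IoT' rule, placed first
    Rule("deny", IOT_NET, CLIENT_NET),     # the 'IoT deny clients' rule
]


def stateless_acl(rules, pkt):
    """First-match ACL evaluated per packet with no memory of earlier packets.
    No match -> permit (assumed default for a switch ACL holding only deny entries)."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action == "permit"
    return True


class StatefulFilter:
    """Applies the rules only to connection-opening packets; replies and
    follow-on packets pass if the connection was admitted earlier."""

    def __init__(self, rules):
        self.rules = rules
        self.conns = set()     # (src, sport, dst, dport, proto) of admitted flows

    def allow(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.conns or reverse in self.conns:
            return True                      # part of an admitted connection
        if not pkt.syn:
            return False                     # stray non-SYN packet with no state
        if stateless_acl(self.rules, pkt):
            self.conns.add(key)
            return True
        return False


def session(filter_fn, src, dst, dport):
    """Send a TCP open from src to dst:dport and the reply; return what passed."""
    req = Packet(src, dst, 51000, dport, syn=True)
    rep = Packet(dst, src, dport, 51000)
    return filter_fn(req), filter_fn(rep)


def compare():
    """(request_allowed, reply_allowed) per direction for both filter types."""
    sf = StatefulFilter(RULES)

    def stateless(p):
        return stateless_acl(RULES, p)

    return {
        "stateless": {
            "client->iot": session(stateless, "192.168.10.20", "192.168.40.40", 80),
            "iot->client": session(stateless, "192.168.40.40", "192.168.10.20", 22),
        },
        "stateful": {
            "client->iot": session(sf.allow, "192.168.10.20", "192.168.40.40", 80),
            "iot->client": session(sf.allow, "192.168.40.40", "192.168.10.20", 22),
        },
    }


if __name__ == "__main__":
    for kind, result in compare().items():
        print(kind, result)
```

The stateless case returns the request allowed and the reply blocked for a client-initiated session, which is the symptom reported above; the stateful case admits the reply because the connection was opened from the client side, and still refuses anything the IoT side initiates. A stateless ACL has no notion of "established", so one-way reachability cannot be expressed with it cleanly, which is why the thread later moves to gateway ACLs.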
Re:2 networks, but only one has access to the other, not vice versa.
2023-02-26 15:45:02

@AngelK

I misunderstood your ask. What you really need is to make the IoT network a 'guest' network, i.e. they can get to the internet but not see each other, or any other local subnets. Then from the internet side, you could do some port mapping so you can 'see' into the IoT network, but it cannot reach back on its own. In effect you'd leverage a NAT function to isolate the two. The state of NAT in TP-Link is different based on standalone/controller and also individual devices/firmware. Ideally you'd have 1:1 LAN NAT, so IoT device at say .40 maps to local LAN .40 (or .140, or .240 etc.), but a 1-to-many NAT can work as well, i.e. WAN.ip.port8001 maps to IoT device #1.port80, etc.

I hope somebody has a slicker option for you!

<< Paying it forward, one juicy problem at a time... >>
Re:2 networks, but only one has access to the other, not vice versa.
2023-03-02 11:41:06

@AngelK

I found a treasure post today, check this:

Secured Admin, Home, IoT, Cameras and Guest VLAN using Gateway ACL

Just striving to develop myself while helping others.
Re:2 networks, but only one has access to the other, not vice versa.
2023-03-02 15:17:49

@Virgo
Thank you for the very informative link.
Looks almost like the same scenario as what I have in mind.

ER7206 V1 (ER605 V2 - reserve) OC200 V2 SG2428P V5 EAP655-Wall V1 EAP615-Wall V1 EAP610-Outdoor V1 EAP245 V3 EAP225-Outdoor V1 EAP225 V3
Re:2 networks, but only one has access to the other, not vice versa.
2023-03-03 05:23:18

@AngelK

It's my pleasure. ;)

Just striving to develop myself while helping others.
Re:2 networks, but only one has access to the other, not vice versa.
2023-03-05 14:32:08

Is it correct to assume that VLAN based networks are best controlled entirely by Omada switches?
I have a camera connected to an unmanaged switch (SG1005P) via PoE, which is connected to the LAN port of a mesh-connected EAP225-Outdoor. I can't set a VLAN tag on the camera, so once it gets an IP address manually set from the camera network, it is no longer reachable on the network, as the connection still goes through the administrative network.
However, if I connect a device there that I can give the VLAN tag of the Camera network, everything works as desired.

ER7206 V1 (ER605 V2 - reserve) OC200 V2 SG2428P V5 EAP655-Wall V1 EAP615-Wall V1 EAP610-Outdoor V1 EAP245 V3 EAP225-Outdoor V1 EAP225 V3
Re:2 networks, but only one has access to the other, not vice versa.
2023-03-05 17:37:59

@AngelK

It might take a little redesign, but you could leverage the fact that the mesh link effectively bridges the connection between the two APs' ethernet ports.

Consider if you changed the PVID of the switch port (via Port Profile) feeding the wired AP to be the camera network's VLAN and then tagged the Management VLAN on that port. Anything then attached to the unmanaged switch would appear as though connected to the 'camera' network. You DO need to then migrate that AP to the management network to ensure that it can still reach a controller if you have one, or remain isolated from the camera network at L3.

EDIT: I just mocked this up with an EAP235-Wall. Make sure you start at the far 'end' and work back to your controller :)

Here's where I 'set' the Management VLAN of the AP to now be tagged:

WARNING...make sure you enable Management VLAN at the REMOTE end FIRST! (I'm not a big fan of painting myself into a corner!)

[image: tagvlan]

The APs will likely get re-adopted and come back up within a few minutes

and here's the switch port #1 that feeds the wired AP

[image: port]

and the AltVLAN profile; in your case my 'Wireless' network would be your 'Camera' network

[image: profile]

This will make the ports of the SG1005P (hanging off the remote AP) look like they are all on the 'Camera' VLAN/subnet, but the APs should continue to operate on the management VLAN/subnet. You can now configure ACLs to block traffic between those subnets, which until the very latest v1.2.3 firmware for the ER605 and ER7206 had to be implemented as Switch ACLs.

<< Paying it forward, one juicy problem at a time... >>
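As an added illustration of the port profile described in the post above (written for this page; not Omada code and not posted in the thread): a minimal 802.1Q ingress/egress model of the switch port that feeds the wired AP, with its PVID set to the camera VLAN and the management VLAN tagged. The VLAN IDs (30 for cameras, 10 for management, 1 as the uplink's native VLAN), the 'Uplink' port profile and the frame contents are assumptions made for the example. It also shows what the "remote end first" warning protects against: an AP whose management traffic is still untagged lands in the camera VLAN as soon as the profile is applied to the port.

```python
"""802.1Q classification on a switch port profile, simulated.

Added illustration, not Omada code. Port profile from the post: the port that
feeds the wired AP has PVID = camera VLAN (untagged) and the management VLAN
tagged, so untagged frames from the unmanaged SG1005P are switched in the camera
VLAN while the AP's tagged management frames pass. VLAN IDs are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

MGMT_VLAN = 10      # constructed: management VLAN
CAMERA_VLAN = 30    # constructed: the 'Camera' network ('Wireless' in the post's mock-up)


@dataclass(frozen=True)
class PortProfile:
    name: str
    pvid: int                               # native VLAN: untagged on ingress and egress
    tagged: FrozenSet[int] = frozenset()    # VLANs carried with an 802.1Q tag


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None               # None = no 802.1Q tag on the wire
    payload: str = ""


def ingress(port: PortProfile, frame: Frame) -> Optional[int]:
    """VLAN a frame arriving on `port` is switched in, or None if it is dropped
    (tagged for a VLAN the port does not carry)."""
    if frame.vid is None:
        return port.pvid                   # untagged -> native VLAN (PVID)
    if frame.vid == port.pvid or frame.vid in port.tagged:
        return frame.vid
    return None


def egress(port: PortProfile, vid: int, frame: Frame) -> Optional[Frame]:
    """Frame as re-emitted on `port` for VLAN `vid`: untagged for the PVID,
    tagged for tagged members, None if the port is not a member at all."""
    if vid == port.pvid:
        return Frame(frame.src, frame.dst, None, frame.payload)
    if vid in port.tagged:
        return Frame(frame.src, frame.dst, vid, frame.payload)
    return None


def forward(in_port: PortProfile, out_port: PortProfile, frame: Frame) -> Optional[Frame]:
    """Switch one frame from in_port to out_port (MAC learning left out)."""
    vid = ingress(in_port, frame)
    return None if vid is None else egress(out_port, vid, frame)


# Port 1 of the switch, feeding the wired AP: the 'AltVLAN' profile of the post.
AP_PORT = PortProfile("AltVLAN", pvid=CAMERA_VLAN, tagged=frozenset({MGMT_VLAN}))
# Assumed uplink towards the router: both VLANs tagged, an unused native VLAN.
UPLINK = PortProfile("Uplink", pvid=1, tagged=frozenset({MGMT_VLAN, CAMERA_VLAN}))


def scenario():
    """What reaches the uplink (or comes back to the AP port) per kind of frame."""
    camera = Frame("camera", "nvr", None, "rtsp")              # behind SG1005P, cannot tag
    ap_mgmt = Frame("ap", "controller", MGMT_VLAN, "inform")   # AP with management VLAN tagged
    ap_untagged = Frame("ap", "controller", None, "inform")    # AP NOT yet moved to mgmt VLAN
    stray = Frame("rogue", "nvr", 20, "x")                     # tag for a VLAN the port lacks
    reply = Frame("nvr", "camera", CAMERA_VLAN, "ok")          # comes back tagged on the uplink
    return {
        "camera": forward(AP_PORT, UPLINK, camera),
        "ap_mgmt": forward(AP_PORT, UPLINK, ap_mgmt),
        "ap_untagged": forward(AP_PORT, UPLINK, ap_untagged),
        "stray": forward(AP_PORT, UPLINK, stray),
        "reply_to_camera": forward(UPLINK, AP_PORT, reply),
    }


if __name__ == "__main__":
    for name, out in scenario().items():
        print(f"{name:16} -> {out}")
```

The camera's untagged frames leave the uplink tagged with the camera VLAN, the AP's tagged management frames stay in the management VLAN, a frame tagged for a VLAN the port does not carry is dropped, and the reply to the camera is stripped of its tag on the way out to the unmanaged switch. The `ap_untagged` case is the corner the post warns about: an AP that still sends its controller traffic untagged ends up in the camera VLAN, where no controller is listening, so the management VLAN has to be set on the remote AP before the port profile is changed.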