Advice on setting up VLANs for IoT segment and self-hosted web server
I'm about to go from "ordinary home network" to "advanced home network" - even though my knowledge level isn't really adequate! I'm going to buy a couple of EAP245 access points (one for each end of my house) and use them in conjunction with my TL-R470T+ router to create multiple SSIDs/VLANs for different devices/purposes.
My main network should consist of my audio/video components (all of which have wired connections or don't need a connection at all), all the PCs in my office/lab (all wired), a handful of smart/mobile devices, and a few laptops/Chromebooks that don't see much use. I like the idea of whitelisting MAC addresses for this network and disallowing everything else. If we get a new device, I'll add it to the whitelist, but I don't want anything getting in unless I let it in.
My guest network should give guests access to the internet - and nothing else. I'd like to get notifications whenever new devices connect so I know if a neighbor or someone parked on the street has managed to hack their way in.
My IoT devices should all be on their own VLAN (2.4GHz SSID), with no access to my main network. And here's where things start to get confusing for me... All of my IoT devices need to be able to talk to my hub (Home Assistant on a RasPi) - but in order to control all those devices, some of the (smart/mobile) devices on my main network also have to be able to connect to my Home Assistant box. What's the right way to enable that such that I can connect to my HA server from my iPad to turn lights on and off - and yet a malicious intruder who gains access to my IoT VLAN can't get at my iPad?
Similarly, the vast majority of my IoT devices have firmware that allows all control to take place locally so that these devices don't need to connect to the big, scary Internet (AND I can still have my smarthome functionality even if my internet connection is down) - so I'm inclined to isolate my IoT VLAN from the internet entirely. But there are probably devices that I haven't thought about which still require internet connectivity (maybe on Home Assistant's end) in order to work. And then there's Alexa...... So I'm thinking about having TWO IoT VLANs - one for devices that don't ever need an internet connection and one for devices that do. Of course, devices on both of these VLANs will still need to talk to Home Assistant. I have NO CLUE how to pull all that off. Not really sure how to even start.
A final consideration is that it's nice to be able to access IoT devices remotely. I think that's just a matter of setting up a VPN connection or a reverse proxy to Home Assistant. Clearly, my Home Assistant server is going to be my biggest vulnerability. How do I lock it down and keep all the functionality I want, while also preventing security breaches?
What's the right way to set all this up?
Sorry that was so lengthy, but it's a complicated setup. If you've read this far, THANK YOU! I'd really appreciate your input and guidance.
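One way to pin down the flows described above as an explicit allow-list before touching the router, so the "IoT can reach Home Assistant but never the iPad" rule is stated once and rendered as firewall rules. This is an added example, not code from the original post or from TP-Link; the VLAN interface names, the Home Assistant address, ports 8123/1883, and placing the Home Assistant Pi on its own VLAN (so every flow to it crosses the firewall) are assumptions.

```python
"""Zone policy for the segmented home network described in the post.

Zones: main, guest, iot_local (no internet), iot_cloud (internet allowed),
ha (Home Assistant Pi on its own VLAN), wan (the internet).
Default policy is drop; only listed flows are allowed as NEW connections,
and replies ride back on conntrack state, which is what lets the iPad
talk to HA without any rule permitting the IoT side to start a connection.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dports why")
HA_HOST = "192.168.50.2"  # assumed address of the Home Assistant Pi
VLAN_IF = {"main": "eth0.10", "guest": "eth0.20", "iot_local": "eth0.30",
           "iot_cloud": "eth0.40", "ha": "eth0.50", "wan": "eth1"}  # assumed

ALLOWED = [
    Flow("main", "wan", None, "office/AV/mobile devices browse freely"),
    Flow("guest", "wan", None, "guests get internet and nothing else"),
    Flow("iot_cloud", "wan", None, "cloud-dependent devices (Alexa etc.)"),
    Flow("main", "ha", (8123,), "iPad reaches the HA web UI only"),
    Flow("iot_local", "ha", (8123, 1883), "devices reach HA/MQTT (assumed ports)"),
    Flow("iot_cloud", "ha", (8123, 1883), "same for cloud-dependent devices"),
]


def is_allowed(src, dst, dport=None):
    """True if a NEW connection src -> dst:dport is permitted by the policy."""
    for f in ALLOWED:
        if f.src == src and f.dst == dst:
            if f.dports is None or dport in f.dports:
                return True
    return False  # default drop: iot_* -> main, guest -> anything internal, iot_local -> wan


def nft_rules():
    """Render the policy as an nftables forward chain (drop by default)."""
    lines = ["table inet home {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept",  # replies only
             "    ct state invalid drop"]
    for f in ALLOWED:
        iif = VLAN_IF[f.src]
        if f.dst == "wan":
            lines.append(f'    iifname {iif} oifname {VLAN_IF["wan"]} accept comment "{f.why}"')
        else:
            ports = ", ".join(str(p) for p in f.dports)
            lines.append(f'    iifname {iif} oifname {VLAN_IF["ha"]} ip daddr {HA_HOST} '
                         f'tcp dport {{ {ports} }} accept comment "{f.why}"')
    lines += ["  }", "}"]
    return "\n".join(lines)
```

Run `print(nft_rules())` to see the generated chain; the remote-access piece (VPN or reverse proxy) would be a further rule from wan to the HA VLAN and is deliberately not part of this allow-list.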