@David-TP 

Thanks for your prompt response 

Well the original idea of the engineers are outdated today. Now almost all IoT devices are controlled via the manufacturer's infrastructure so the need for optional isolation features are very high. If anyone browses information security news regularly can see that IoT is a potential backdoor, zombie host, network surveillance candidate. 

To mitigate this TP-LINK has to give granular control over detailed  and various security settings to router owners. 

Failing this would eventually fall back on the company, but pioneering this would improve reputation and usability.

So answering your question: yes we need to be able to switch the IoT network isolated optionally,  or, even better, to switch per device isolation individually in main, Guest, or IoT network.

  @David-TP You are correct when stating that most IoT devices have their own app, but the devices in 99% of the cases are communicating with the servers of the manufacturers in the cloud. It has nothing to do with the local network. As long as the device can reach the internet, there will be no problem in isolating the IoT from Guest/Main Network. PLEASE PLEASE PLEASE implement this!

David-TP wrote

The engineers initially thought that most smart devices are controlled by the individual App installed on the mobile phone. While the mobile phone is often on the main network. To maintain a proper connection between the mobile phone and smart home devices during configuration and further management, there should be no separation between these two networks.

@David-TP my experience is that there are two use cases here:

1. The scenario you've described, where uses are regularly using their phone to control smart devices
2. A full home automation setup (using Home Assistant / Hubitat / etc.), where smart devices are automated and/or controlled by a separate dashboard exposed on the open internet

In case (1), I agree that mobile phones would need to be able to communicate with the IoT network. This is probably insecure, but convenient. In case (2), they don't need to communicate on a regular basis, and the preference would be for network security.

I fall under under case (2) -- I have a number of IoT devices connected to Hubitat, and I use ActionTiles to control them from my phone. If I need to connect directly to configure an IoT device, I manually connect my phone or PC to my IoT network, make the changes, and then switch back. Today, I use a TP-Link Omada switch and a second router to provide isolation for my IoT network, but it would be wonderful to ditch the second router and gain the mesh network benefits of my Deco for my IoT network.

Since there are two distinct use cases, perhaps it would be possible to make this configurable? Make the default behavior of the IoT network the same as it is today, but allow users to toggle an option for IoT network isolation?

Oh, now I'm seeing the point of those who posted above me -- I think they're right that in many cases, apps controlling IoT devices are using the manufacturer's infrastructure to communicate, and thus communicate over the open internet. I can still see the value of use case (1) in some instances, such as connecting to an Echo device. It still makes sense to me to make IoT network isolation configurable so that it can be enabled or disabled.

  @David-TP

David, 

That is not uniformly available on all Deco systems 

For example my X50 has  no such option.

See my screenshots attached.

Regards

Viktor 

  @David-TP 

Yes the main is an X50 and the satellites are X20 (hw v1.2)