Forget the hardware listed.  I have Some Deco X20's and an X50 but this feature request is for all Decos.

Background:

1. Many users like myself have a NAS/Server/Anything that they don't want to introduce security risks to.  However apps on these often need to initiate access to the clients.

2. We wish to allow guest access to our WiFi but not our private stuff as most people have a shockingly lax attitude to security.

3. We wish to make our homes smarter using IoT devices but are aware that the quality of their code is generally utterly, utterly shoddy and updates are often abandoned.

An example consumer use case:  Home security IoT cameras with controls to move the cameras.  DVR software on the NAS.  Many NASes have DVR apps.  The NAS needs to be kept away from guest/IoT but needs to access IoT directly to control cameras from NAS app (e.g. on mobile phone)

Additionally:

Many ISP's supply a preconfigured router that you cannot modify anything on.  With Deco in router mode, uPnP does not work, preventing services such as online gaming from working reliably.

To achieve these, we can either use one VLAN per SSID and use our own firewall hardware/software OR We could use Deco in router mode but with No NATting and rules on the Decos for firewalling.

To be clear, I have seen suggestions that DHCP, NAT and security such as parental controls are linked and that you can't have one without the other.  This is simply not true.  However, if the code these devices run is such a mess that these features are linked, that is OK.  Let us disable everything but routing to several subnets, each with their own SSID and a stateful firewall with either DHCP served by the Deco or via DHCP relay.