by labcomputer 1206 days ago
Each of the VLANs is (or can be) just another network from the router’s and firewall’s perspective. So you just have to set up appropriate firewall rules to allow traffic between the networks that you want to communicate.

You could, for example, allow only TCP traffic initiated by hosts in the “normal” VLAN to hosts in the IoT VLAN. So IoT stuff can’t initiate outgoing connections to any other network, and can only receive TCP connections from one network.

You can also set up an MDNS reflector on your router if your IoT devices use that (e.g. HomeKit) to send data proactively back to “normal network” hosts.
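
The policy described in the comment above, written as an nftables ruleset. This is an added example and not part of the original comment. It assumes a Linux router running nftables, with the hypothetical interface names `vlan10` (the "normal" VLAN), `vlan20` (the IoT VLAN) and `wan0` (uplink), and an mDNS reflector running on the router itself.

```nftables
# Added example. Interface names are assumptions, not taken from the comment:
#   vlan10 = "normal" VLAN, vlan20 = IoT VLAN, wan0 = uplink
table inet vlan_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were allowed when they were opened.
        # This is what lets IoT hosts answer without being able to initiate.
        ct state established,related accept
        ct state invalid drop

        # New TCP connections from the normal VLAN into the IoT VLAN only.
        iifname "vlan10" oifname "vlan20" meta l4proto tcp ct state new accept

        # Normal VLAN may reach the uplink.
        iifname "vlan10" oifname "wan0" accept

        # Anything an IoT host tries to initiate towards another network is
        # logged and counted before the drop, so attempts are visible.
        iifname "vlan20" ct state new log prefix "iot-initiated: " counter drop
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Traffic addressed to the router itself is filtered separately
        # from forwarded traffic; restrict what the IoT VLAN may reach here.
        iifname "vlan20" jump iot_to_router
    }

    chain iot_to_router {
        ct state established,related accept

        # mDNS is link-local multicast and is never forwarded, so the reflector
        # on the router must be allowed to receive it from the IoT VLAN.
        udp dport 5353 accept

        # Assumed router services for IoT hosts: DNS and DHCP.
        udp dport { 53, 67 } accept
        tcp dport 53 accept

        # ICMP and ICMPv6 (includes IPv6 neighbour discovery).
        meta l4proto { icmp, ipv6-icmp } accept

        counter drop
    }
}
```

The `iot-initiated:` log prefix and the counters give a simple signal for devices that try to open connections out of the IoT VLAN.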